The only thing certain in life is death and taxes. And a Google account. Ok, maybe that's an exaggeration, but you get the point.
For most individuals, Google accounts are ubiquitous and important enough to warrant close scrutiny. Privacy hogs the media limelight, but not nearly enough attention is given to security. Since it is likely that your Gmail address is the hub for several social media and financial platforms, it behooves you to apply the highest level of account security currently available from Google. Enter the Advanced Protection Program (APP).
Google APP was originally introduced to safeguard politicians, journalists and activists, who are generally at a high risk of targeted online attacks. The service itself does not cost anything, but it imposes restrictions on your account for your own security. Here are the key highlights of the program:
- It requires you to configure multi-factor authentication with a security key, which can be either a hardware device or the secure enclave on your phone (more on this in a bit).
- It performs more stringent malware checks for files downloaded on Chrome.
- It only allows app installations from authorized app stores on Android.
- It only allows Google and other verified 3rd-party apps to access your Google account data with your consent.
- It also blocks hackers from impersonating you and takes extra steps to verify your identity if it finds anomalous activity.
If we talk about multi-factor authentication (MFA), any MFA option is better than no MFA at all. But the different MFA options lie on a spectrum of assurance, swinging between convenience and security. At one end of the spectrum are SMS/Voice OTPs, which are easily phished (read about SIM-swap attacks). At the other end are FIDO-compliant hardware security keys like Google Titan and Yubikey, which are the most phishing-resistant options available today. Depending on your laptop/phone hardware, you may require a different Yubikey version - Yubikey 5 NFC for USB-A/NFC, Yubikey 5C NFC for USB-C/NFC or Yubikey 5Ci for dual USB-C/Lightning support. Whichever option you choose, I highly recommend that you set up at least two keys for your account as a backup.
If you own an Android (7.0+) device, you can use the phone's built-in security key instead of a dedicated hardware device. This option does introduce physical access as a potential attack vector if your device is lost, but offers more convenience and portability. If you own an iPhone (iOS 10.0+) instead, you'll need to install the Google Smart Lock app (before APP enrollment), which uses the built-in secure element as the security key and requires physical proximity (via Bluetooth) for access.
When you are ready, visit Google Advanced Protection and follow the instructions to enroll your account.
Of course, after reading this, you may decide that APP is not right for you and that's ok. It certainly requires more effort but also goes a long way in securing your Google account (and consequently other linked accounts). In the least, I'd urge you to take the Google Security Checkup and review your account security settings.