It's easy to have your password stolen. High-value people such as executives, government workers, journalists, and activists face sophisticated phishing attacks aimed at compromising their online accounts, and Google account credentials are a frequent target. To reduce this risk, Google created the Advanced Protection Program, which uses U2F security keys to control account access and make a stolen password worthless on its own.
The purpose of your password is to authenticate any device requesting access to your online account data, in the hope of keeping out unauthorized users. This only works if you have a strong password and never share, reuse, or accidentally enter that password in the wrong place. Stealing the password is the most obvious way of breaking into an online account, and those in the business of breaking into accounts have turned this single point of failure into a science.
Phishing & Whaling Mean Passwords Aren’t Enough
Passwords are stolen for many reasons, and the motives behind phishing attacks vary widely in scope.
Criminals will often attack an organization or person for financial gain, using the compromised account to steal money, financial data, or material for blackmail from a business. While this kind of attack is the most obvious, executives and other important people must also worry about an evolution of it called "whaling," where their accounts are targeted specifically because of the user's influence in a company.
Hijacking social credit and trust is a major concern in whaling attacks, and the success of this tactic has piqued the interest of state-sponsored attackers. Stealing the password of an account owned by an important person in a company has many advantages for criminals.
An attacker who compromises an executive's account can request internal changes that make the organization as a whole easier to attack, request that payments be made, or target another business the executive works with by sending fake invoices or other documents laced with malware.
APTs Are Turning Phishing into a Weapon of War
In 2016, Russian cyberwarfare capabilities were turned against members of the Democratic National Committee (DNC). Advanced persistent threat (APT) groups linked to Russian intelligence aggressively spearphished the accounts of key members of the Clinton campaign. APTs are called persistent because they have the state-backed resources to probe high-priority targets endlessly for weaknesses, making their eventual success nearly guaranteed. It only took one mistake for the DNC to be infiltrated by this group.
APT hacking groups overwhelm targeted organizations by bringing more technical firepower and resources. The goal of the DNC attack was not financial gain but an intelligence operation to gain political leverage from the data stolen from these accounts. That information was scoured for anything embarrassing or damaging to the organization, doctored, and then released for maximum political effect. Attacks like this are a calculated attempt to destroy the organization they target, and they can be turned against the press and human rights activists by anyone with the resources and motivation to mount one.
Motivated and well-resourced APT groups are able to phish two-factor authentication codes delivered by push or SMS notification, which leads to the dilemma of how to access important accounts both securely and conveniently. Government contractors have had to worry about this threat for some time; the general population now needs to learn the tactics that government and the private sector have adopted to defend against it.
Advanced Protection from Phishing for Google Accounts
With many organizations using Google products like Drive and Gmail for work, Google credentials are a high-priority target for hackers. To combat this, Google designed a program for those at risk of phishing attacks or interested in preventing them altogether. At the Enigma 2018 conference, Google presented Advanced Protection, its solution to state-sponsored or well-resourced APT attacks targeting Google credentials. Advanced Protection has actually been around since October 2017, but many still aren't aware the program exists.
Advanced Protection removes the weak link from the kind of two-factor authentication most people are familiar with. SMS messages and push notifications are not a barrier for a skilled attacker attempting to compromise an account, so Google turned to the Universal 2nd Factor (U2F) authentication standard implemented by physical security keys to build a system that is more secure.
Multi-factor authentication uses a combination of challenges to make sure a device is allowed to access the account. A password is one of three commonly used factors of authentication: something you know. The other factors are something you are, like a fingerprint or facial scan used to unlock a phone, and something you have, like a physical key. A USB security key adds that second factor to your login, meaning an attacker would need to physically steal your key in order to get in.
This is critical because even tricking you into using your physical key on a fake login page won't give an attacker access: the key's response is generated in answer to a one-time challenge and is bound to the origin of the site making the request, so a response captured on a phishing page is useless at the real site. Simply having your password doesn't get them anywhere, provided it's not a password you reuse with other accounts. While this sounds great, there are some tradeoffs for the security Advanced Protection gives users unwilling to trust their account data to one password.
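To make the challenge/response concrete, here is an added toy model of what a U2F key signs and what the site checks. It is not Google's, Yubico's, or the FIDO Alliance's code, and it makes two labelled simplifications: an HMAC over a per-credential secret stands in for the ECDSA P-256 signature a real key produces (so the site stores that secret instead of a public key), and the origins and scenarios are constructed. A real key refuses a key handle that was not registered for the requesting app ID; here the derivation simply yields a different secret, which fails the same way. The four scenarios show why a legitimate login passes while a phishing page, a replayed response, and a cloned key all fail.

```python
import hashlib
import hmac
import json
import secrets
import struct
from copy import deepcopy

GOOGLE = "https://accounts.google.com"
PHISH = "https://accounts-google.example"   # constructed phishing origin (assumption)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Toy authenticator: one master secret and one monotonic signature counter."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)
        self.counter = 0

    def _cred_secret(self, app_id: str, key_handle: bytes) -> bytes:
        # Per-credential secret is bound to the app ID it was registered under.
        # (HMAC stands in for the ECDSA key pair a real U2F key would generate.)
        return hmac.new(self._master, app_id.encode() + key_handle, hashlib.sha256).digest()

    def register(self, app_id: str):
        key_handle = secrets.token_bytes(16)
        return key_handle, self._cred_secret(app_id, key_handle)

    def authenticate(self, app_id: str, key_handle: bytes, client_data: bytes):
        # The browser passes app_id = the origin the user is actually on; the key
        # never sees the URL bar, it only signs what the browser hands it.
        self.counter += 1
        signed = (sha256(app_id.encode()) + b"\x01"
                  + struct.pack(">I", self.counter) + sha256(client_data))
        sig = hmac.new(self._cred_secret(app_id, key_handle), signed, hashlib.sha256).digest()
        return self.counter, sig


class RelyingParty:
    """The real site: issues one-time challenges and checks assertions."""

    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self.creds = {}        # key_handle -> [secret, last_counter_seen]
        self.pending = set()   # challenges issued but not yet consumed

    def enroll(self, key: SecurityKey) -> bytes:
        key_handle, secret = key.register(self.app_id)
        self.creds[key_handle] = [secret, 0]
        return key_handle

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify(self, key_handle: bytes, client_data: bytes, counter: int, sig: bytes) -> bool:
        cd = json.loads(client_data)
        challenge = bytes.fromhex(cd["challenge"])
        if cd["origin"] != self.app_id:       # signed while on a different site
            return False
        if challenge not in self.pending:      # unknown or already consumed: replay
            return False
        if key_handle not in self.creds:
            return False
        secret, last_counter = self.creds[key_handle]
        # Rebuild exactly what a legitimate key signs for *this* origin.
        signed = (sha256(self.app_id.encode()) + b"\x01"
                  + struct.pack(">I", counter) + sha256(client_data))
        if not hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(), sig):
            return False
        if counter <= last_counter:            # a cloned key reuses counter values
            return False
        self.pending.discard(challenge)
        self.creds[key_handle][1] = counter
        return True


def browser_sign(key: SecurityKey, origin: str, key_handle: bytes, challenge: bytes):
    """What the browser does: embed the page origin in the client data, then ask the key."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    counter, sig = key.authenticate(origin, key_handle, client_data)
    return client_data, counter, sig


def legitimate_login() -> bool:
    rp, key = RelyingParty(GOOGLE), SecurityKey()
    kh = rp.enroll(key)
    return rp.verify(kh, *browser_sign(key, GOOGLE, kh, rp.challenge()))


def phished_login() -> bool:
    # Attacker proxies Google's real challenge to the victim sitting on the phishing page.
    rp, key = RelyingParty(GOOGLE), SecurityKey()
    kh = rp.enroll(key)
    return rp.verify(kh, *browser_sign(key, PHISH, kh, rp.challenge()))


def replayed_login() -> bool:
    rp, key = RelyingParty(GOOGLE), SecurityKey()
    kh = rp.enroll(key)
    assertion = browser_sign(key, GOOGLE, kh, rp.challenge())
    assert rp.verify(kh, *assertion)
    return rp.verify(kh, *assertion)       # the same bytes submitted a second time


def cloned_key_login() -> bool:
    rp, key = RelyingParty(GOOGLE), SecurityKey()
    kh = rp.enroll(key)
    clone = deepcopy(key)
    assert rp.verify(kh, *browser_sign(clone, GOOGLE, kh, rp.challenge()))  # clone used first
    return rp.verify(kh, *browser_sign(key, GOOGLE, kh, rp.challenge()))    # original now lags
```

The phishing case fails twice over: the client data carries the origin the browser was really on, and the key's signature covers a hash of that origin, so neither the attacker nor the victim can produce a response the real site will accept. The counter check is what lets a site notice a physically cloned key, which is also why you should use each registered key now and then rather than leaving a backup sealed forever.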
The Inconvenience of Security — U2F for Beginners
The most serious tradeoff is the inability to grant account access to third-party apps, including Apple's. You'll need to use Google's own apps and the Chrome browser to access your data or any signed-in services. Make sure you can live with that before turning this feature on. Other types of 2FA can't be used, so you'll need to have a U2F token on hand any time you add a new device (or connect through a VPN).
When using U2F physical security tokens, which cost somewhere between $15 and $30, it helps to think of them as keys. If you only have one and you lose it, you'll need to go through the hassle of proving your identity to get back in, and it won't be as simple as requesting a password reset. You must have at least two in order to enable Advanced Protection, and this is to protect you from yourself.
For Android devices and any other device with a USB port, you can use a Feitian or YubiKey USB security key. These keys are sturdy, and the YubiKey supports other helpful features like one-time password generation just by tapping the gold disk. You can also use them with Android over NFC, allowing you to authenticate any desktop, laptop, or NFC-equipped Android device.
iPhone users will need a Bluetooth U2F token, which looks something like a cross between a garage door clicker and a Tamagotchi. After downloading the Google Smart Lock app, iOS users can authenticate their device with the Bluetooth token to access their Advanced Protection account.
Setting Up Advanced Protection
It's important to note that Google Advanced Protection is rolling out for Gmail accounts, but if you try to enroll an organization account (one with a custom domain rather than @gmail.com), you'll see the following message.
If you're a Google domain administrator, or you want to talk to yours about adding U2F security keys to protect your organization, you can learn more about enforcing similar protections on Google's information page.
If you have an individual account and you want to protect it against phishing with Advanced Protection, make sure you can live with the tradeoffs, and let's get started!
Step 1: Purchase 2 Universal Two-Factor Security Keys
You probably have more than one key to your house, so make sure you have more than one key to your important data. I recommend the YubiKey NEO from personal experience and from reading reviews of it surviving incidents that destroyed regular keys. It has both a USB and an NFC interface. Google recommends the Yubico FIDO security key.
If you only use Android, you can purchase a pair of these, or the cheaper $16 Feitian security key. These aren't as widely compatible with other services as the YubiKey, but buying one as a cheap backup is a good idea.
If you have an iOS device you'll need to authenticate, or you want to be able to do so over Bluetooth, you'll need a Bluetooth security token like the Feitian MultiPass FIDO security key (which Google also recommends). In addition to pairing over Bluetooth, they can be plugged directly into any device with a USB port through a micro-USB port on the bottom, either to charge or to authenticate a device with the click of a button.
After selecting "I Have 2 Security Keys" from the Advanced Protection setup page, you'll need to sign in again to verify your identity (or to log in if you aren't currently logged into Google), and then you'll be greeted with the registration screen.
To register one of your keys, click the "Add Security Key" button. Click through the first prompt about making sure you have your key but that it's not yet connected to your computer, then when you see the next prompt, connect your security key by plugging it into a USB port on your computer.
Tap the gold disk on your USB key or, if you're connecting a Bluetooth U2F device over a USB cable, press the button on the dongle to register the key. You should see the result in the picture below, inviting you to name your key so you can remember which one it is. Do so and click "Done."
The setup menu should now show your registered key. Repeat this process by clicking the second "Add Security Key" link to complete key registration with your second key.
Once both checkboxes are green, you're ready to confirm and activate Advanced Protection in the final step, so hit "Continue" and keep going.
Clicking "Continue" leads to the final warning screen before enabling Advanced Protection. Read the warning thoroughly before accepting, because you'll have to live with these changes.
Once ready, click "Turn On" to proceed. A popup will appear explaining that you will be signed out of all devices. This means you'll need to re-authenticate on every device other than the one you're currently using.
After selecting "Turn On" on this last popup, you should see a confirmation screen like the one below.
Some Limitations on Locking Things Down
Even though Google Advanced Protection is designed to give you the most power to protect your account, it still has some quirks. One issue I found was that I was unable to remove a Samsung Galaxy S6 I was no longer using from the list of devices with access to my account. Normally, when you select an entry in your recently used device list, there is an option to "Remove" that device. In this case, however, there was simply no option to do so.
This raised the issue of being unable to revoke access from a suspicious device if someone were able to briefly use your key to add their own. I reached out to the project manager for Google Advanced Protection to ask about revoking access to devices, and he mentioned that any device that has accessed your account will stay on this list for 28 days, to prevent an account hijacker from covering their tracks.
To revoke access from any device that doesn't let you do so remotely, you can change the password on your Advanced Protection account. The device will still appear on your account after that point, which is somewhat misleading, but changing your password should sign out all devices and force them to re-authenticate with a U2F token.
If you're using a password without a second factor to secure your accounts, you need to be aware that you are one targeted phishing email away from giving a stranger access to all of your online data. This may not have been the case back when you made your account, but it certainly is now, and it's time to get out ahead of that reality rather than letting it run you over. Companies big and small are regularly breached by phishing, and good security hygiene is an essential part of bridging the tech divide to avoid being an easy target.
Everyone, from important CEOs to the average privacy-conscious citizen, should be aware of how two-factor authentication works and opt to implement it anywhere they are serious about account security.
The average user still doesn't know why U2F is important or how to use it, even though many websites now support U2F security keys. Those in positions of power can't afford to miss this shift: U2F is the new standard for personal account security, and Advanced Protection is a good way to get started being more secure.
I hope you enjoyed this guide to securing your Google account from phishing attacks using Advanced Protection and U2F security keys! If you have any questions about this tutorial or U2F usage, feel free to leave a comment or reach me on Twitter @KodyKinzie. We'll be doing more guides on this program specifically for macOS and Windows, Arch Linux, Debian, iOS, and Android, so stay tuned.