Google is stepping up defenses against phishing through a new predictive feature coming to Chrome and its Advanced Protection Program for high-risk Gmail users.
Google has updated its Safe Browsing technology to warn users when they visit a new phishing page that hasn't existed long enough to be detected by Safe Browsing as a known phishing site.
The new predictive phishing protection for Chrome is designed to prevent users from typing their credentials into a phishing site that was "created and used for attacks moments later". According to Google, Safe Browsing's historical data allow it to make predictions about risks in real time.
Predictive phishing protection will initially only protect the Google account password; however, it will eventually be used to protect all passwords saved in Chrome's password manager. It will also be available to other apps and browsers that use Safe Browsing, including Safari, Firefox and Snapchat.
Once a Gmail account is enrolled in the program, signing in requires using a physical Security Key, which means the user needs to first buy a USB Secure Key for access on a PC and a Bluetooth-enabled Security Key for accessing Gmail on a mobile device. The keys cost around $20 each.
The keys use public-key cryptography and digital signatures to prove that the user is the account owner, and to prove to the user that the site is not a fake Google sign-in page. An attacker would need the Secure Key and password to access a target's account.
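How a signature can prove both things at once, shown as a simplified model: this is an added example, not Google's code or the real security-key wire format. The `SecurityKey` class, `verifyAssertion`, `demo` and the two origins are hypothetical names constructed for illustration.

```javascript
// Simplified model of an origin-bound security key (hypothetical names throughout).
const nodeCrypto = require('node:crypto');

class SecurityKey {
  constructor() { this.keys = new Map(); }        // one key pair per site origin

  register(origin) {                               // enrollment: site keeps the public key
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey;
  }

  // The origin comes from the browser's actual connection, not from page content.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;                  // no credential for this origin
    const clientData = JSON.stringify({ origin, challenge });
    const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Server side: accept only a fresh challenge, signed for our own origin.
function verifyAssertion(expectedOrigin, expectedChallenge, publicKey, assertion) {
  if (!assertion) return false;
  const { origin, challenge } = JSON.parse(assertion.clientData);
  if (origin !== expectedOrigin || challenge !== expectedChallenge) return false;
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
                           publicKey, assertion.signature);
}

function demo() {
  const REAL = 'https://accounts.example';         // constructed origins
  const FAKE = 'https://accounts-example.test';
  const key = new SecurityKey();
  const realPub = key.register(REAL);
  const challenge = nodeCrypto.randomBytes(32).toString('hex');

  const legit = verifyAssertion(REAL, challenge, realPub, key.sign(REAL, challenge));
  // A look-alike page relays the real challenge, but the browser reports FAKE.
  const unknownOrigin = verifyAssertion(REAL, challenge, realPub, key.sign(FAKE, challenge));
  // Even if a credential exists for the look-alike origin, the signature names FAKE.
  key.register(FAKE);
  const relayed = verifyAssertion(REAL, challenge, realPub, key.sign(FAKE, challenge));
  // A captured assertion is useless against a new challenge.
  const old = key.sign(REAL, challenge);
  const replayed = verifyAssertion(REAL, nodeCrypto.randomBytes(32).toString('hex'), realPub, old);
  return { legit, unknownOrigin, relayed, replayed };
}
```

Only the first case verifies: unlike a typed password, the signed response is bound to the origin the browser is really talking to, so a response produced on a fake page is rejected by the real site.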
The higher security comes at the expense of convenience. Accounts in the program are prevented from allowing non-Google apps to access account data through the OAuth account linking protocol. Google clamped down on OAuth verification after the fake Docs phishing attack in May abused Google's OAuth access.
iPhone users also won't be able to access Gmail through Apple Mail, Contacts and Calendar since they don't support Security Keys. They can, however, use Google's iOS apps, such as Gmail.
Additionally, restoring access through the standard account recovery tools will now take a few days, due to the additional verification checks Google has implemented for the program.