Google: High-risk G Suite users now get same advanced security we use in-house

You might never need to change your password again if you're part of the G Suite Advanced Protection Program.
Written by Liam Tung, Contributing Writer

Companies across the world using G Suite can now add execs and other high-risk users to Google's Advanced Protection Program, giving them the same level of security that Google has implemented across its 100,000 employees. 

A central piece of the Advanced Protection Program is its requirement that users sign in with a FIDO-compliant security key, such as Google's own Titan key or one from Yubico. 

While the keys have helped Google block all phishing attacks against employees, they have also created another major benefit: Google employees haven't needed to change their passwords in years.   

"We as Google employees – once we have had security keys turned on for us – have had zero incidents of account takeover," Karthik Lakshminarayanan, Google director of product management, told ZDNet. 


Lakshminarayanan says in the three years since he joined Google from Microsoft, he hasn't changed his password once thanks to using security keys. At Microsoft, he had to change his password every 90 days – a policy that Microsoft recently said was "ancient and obsolete" and should be avoided.  

"I've never changed my password in my three years at Google. I've only been using security keys and I totally love it," he said. "I set [my password] on my first day at orientation and I've not changed it since. It's because we use security keys."

It's likely many organizations would find it difficult to require all employees to use security keys, but the new program for G Suite customers is primarily aimed at high-risk and high-value accounts. 

"We're asking organizations to identify those high-risk users and enroll them in the program for the enterprise and protect themselves like Google has been successful [in doing] to date," Lakshminarayanan said.

"Enterprises came to us and said, 'We also have highly sensitive accounts, like senior executives and HR managers who might potentially click on something, get exposed, and put the broader company at risk,'" he added. 

Google launched its Advanced Protection Program in 2017 for consumer Gmail users at higher risk of targeted phishing and account takeover attacks.

The program was initially offered to people like politicians, journalists, activists, as well as senior executives. Participants could only access their accounts if they had a physical security key, such as Google's Titan key or a YubiKey dongle. 

It also restricted which third-party apps could access Gmail data via the OAuth standard. Apple Mail and Mozilla Thunderbird, for example, are the only email clients that can access Gmail data once a user joins the program. Google also raised the bar for verifying a user's identity in an account-recovery situation. 

A little confusingly, as mentioned, the existing Advanced Protection Program has already been available to senior business execs. The difference with the G Suite version is that G Suite admins now have much more control. 

Rather than, say, an individual exec signing up for the program and having Google decide which apps can and cannot access Gmail data, a company's G Suite admin can nominate a group of high-risk users who should be in the program and decide which apps should be approved. 

It also offers the G Suite admin reporting capabilities to see which users are turning the controls on or off.

"Think missing controls and missing visibility for the admin," said Lakshminarayanan. "That is what has now been brought in. The admin can take a more aggressive stance towards selecting which users get it and get reporting around. It's a tighter loop now with the admin. Before it was an FIY [fix it yourself], an exec can use it." 

The enterprise Advanced Protection Program will allow G Suite admins to customize the experience for users, especially around which apps can use OAuth to access data from a G Suite account. OAuth was abused two years ago by a fake Docs app that gained access to millions of Gmail users' accounts.

Users enrolled in the program will need to use a FIDO-compliant physical security key. To improve usability, enrolled users can pair an Android phone with the security key, but they will still need a security key from the outset.   

Like the consumer version, the G Suite program imposes restrictions on apps that can use OAuth to access Gmail data, but IT admins will have the ability to whitelist which apps can get access to Gmail data through OAuth. 

"The G Suite admin picks the apps to be trusted and not trusted. The end user can live with that list because it came from the admin. But if the user wants to expand that, they can have a chat with the admin and get that added," said Lakshminarayanan. 

Lastly, the enterprise program will do additional scanning for phishing email and open attachments in a sandbox to check for the presence of malware. 

Google also today announced the availability of its Titan keys in Canada, France, Japan, and the UK.
