Google's new Gmail security: If you're a high-value target, you'll use physical keys

Google will launch a new service to protect politicians and senior executives from sophisticated phishing attacks.
Written by Liam Tung, Contributing Writer

Google will soon be offering an Advanced Protection Program to lock down the Gmail accounts of high-value targets.

According to Bloomberg, the new Gmail service will block third-party apps from accessing user data and will replace conventional two-factor codes with Google's USB Security Key as the second factor.

Google will begin offering the Advanced Protection Program next month, which will be marketed to "corporate executives, politicians and others with heightened security concerns".

The service appears to be aimed at raising defenses against sophisticated phishing attacks of the type that led to the Gmail hack of Hillary Clinton's 2016 campaign chairman, John Podesta, and the breach of the Democratic National Committee's (DNC) databases.

Bloomberg notes that the service builds on Security Key, the FIDO U2F hardware token that Google added support for in 2014. Security Key is a physical USB device used in place of the one-time code normally required for two-step verification.

It's more secure because an attacker who has stolen a user's password still needs physical possession of the key to get into the account. The key also cryptographically binds each login to the origin of the site the browser is actually talking to, so a phishing site on a look-alike domain cannot obtain a response that the legitimate Google site will accept.

G Suite admins can already require their users to log in with a Security Key. The Advanced Protection Program will require users to enroll two keys (one serving as a backup), according to Bloomberg.

Gmail accounts in the Advanced Protection Program will also be blocked from granting third-party apps access to account data, Bloomberg notes. This measure appears to be aimed at stopping third-party apps from obtaining OAuth access to Gmail and other Google account data.

Security firm Trend Micro reported last year that the group responsible for credential phishing attacks against the DNC and others was abusing OAuth to target email accounts.

The attackers created apps with names like Google Defender, registered them as OAuth clients with Google, then sent phishing emails designed to trick victims into granting the rogue app access to their email account, a consent-based attack that works even when the victim never types a password.

Google tightened OAuth registration processes earlier this year after a fake Docs app phishing attack impacted a large number of Gmail users.
