Gmail's new "Advanced Protection Program"

For discussions about security.
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Gmail's new "Advanced Protection Program"

#1 Post by belham2 »

This thread is NOT about the evilness of Google and the monitoring by them (and every gov't) of what we do and don't do on the web. I don't have time for that paranoid stuff, valid or not, in my life :lol: There are too many other problems on the web. Ones that we can address & take action about---like complete email lockdown security.

Thus, this thread is about Gmail, Yubikeys and the new "Advanced Protection Program". Google has rolled out the APP program the past few months, finally listening to us Gmail users who've been using Yubikeys (U2F protocol) with their Gmail accts for a few years now.

For those of you that do not know, there is nothing currently on the internet (in terms of overall email security) that approaches the use of Google Chrome + Yubikeys + the normal use of https and ssl. But now that Google has added this new "APP", it has completely leap-frogged all other existing email setups & systems being offered to online consumers worldwide.

Obviously, this Gmail + U2F + APP is imperative if you're in a country that is oppressive and trying to crack into everything you do on the Internet. But there's even a bigger market, an incredibly bigger market, for all of this. To wit: if you, like many on the Internet, have your fin'l institutions, insurance, health online providers, retirement, etc contacting your email when, for example, a "successful login" or "any transaction" or any parameter you have set up to keep tabs on your stuff (like "any" change in your account), the achilles heel of this setup has always been the email address that those notifications are sent to. How can you remain assured your email accounts are secure? In today's day & age, it is near impossible. But, what Google's doing, they've approached making it impossible & possibly achieved it.

Google responded a few years ago to this "are-my-email-accounts-really-secure?" problem by setting up U2F (i.e. Yubikeys), which has been really good for email security (using U2F for two-factor authentication). The problem has been that Google continued to require having an SMS option, which we all know how insecure it is in terms of 2FA. If you think having SMS is secure as a 2FA option, you need to educate yourself.

Anyhow, many of us lobbied the Gmail team for the past 18 months, and now they've finally listened. The SMS/email/etc options are gone if you set up APP. The APP program lets you set up two physical keys (i.e. the Yubikeys or others) and then you agree to setting them up as the "ONLY" option for use as 2FA for logging into your email/Google accounts. There's no other way, no SMS, no sending of other emails to verify, nothing. So any hacker could try to gain control of your email, but they are basically "f#cked" because even though they might have your login & passwd credentials for your Gmail, they do not have either of these 2 physical keys (and, no, they cannot be reproduced and/or hacked, unless the hackers have developed quantum computers and have run them for over 1000 years to approximate what these keys produce). Thus they can never get into your account unless they come to your home, put a gun to your head, force you to log in, and then insert the keys to finally login to your Gmail accts.

I've been testing the new "APP" with my existing Gmail + Yubikeys that I've used for 2 years with my Gmail, and it is impressive. I can't login to my Gmail/Google accts from anywhere with only my login + passwd, nor can I use SMS and/or the Google Authenticator and/or backup codes (like I previously was able to do with my Gmail accounts). Simply, I can't do crap and/or force a login to my email (and Google accounts) without one of the two physical Yubikeys that I set up for my APP-enabled Gmail accts (note that the physical U2F keys + APP setup can be used/setup across an unlimited number of your Gmail/Google accounts).

With the normal ssl & https, Chrome, login+passwd Gmail + required U2F physical keys......the sudden sense of security that comes over you as you realize just how secure your email has become, well, let me say it is very, very welcome in this day and age. Even if you're dumb enough to handle sensitive info on your phone, iPhone and/or android, with a NFC U2F key on your keychain......your overall level of email security just jumped dramatically. Even if someone pwns & controls your overall phone, they can't get into your Gmail/Google accounts without the U2F key. Think about that :idea:

Of course, if you lose your 2 physical U2F keys (with Google you can setup more than 2 if you want), it is going to be a big problem trying to get your email accounts back. You'll have to contact Google directly, verbally, where they'll make you wait a number of days while they investigate it, ask you a ton of questions about your account, while also seeing if there's any activity in the account, where it came from, what machines logged in, etc, etc--if there is actually any---before they'll even consider letting you back in. But it'll still take several days, that is now standard practice. But that is the whole point.

One of the great things about this Google "APP" offering, is that you (and only you, with your physical keys) can toggle the APP on and off. So, for example, if you're at home and don't want to bother with plugging your USB key into a USB port & tapping on it to log-in (which honestly I cannot understand why you wouldn't, as it is brain-dead easy & fast), but anyhow, if you desire, you can toggle APP "OFF" while you're home. Equally, you can toggle it back "ON" if you're going on holiday/travels and/or heading to another location/country for work, etc.


Do yourself a favor, stop relying on email setups that are insecure, sloppy, and will never really actually let you know if they've been compromised or not. How do you know if your current email accounts, their login & passwds, are not already compromised? Answer: you don't. With 2FA that is based on physical, un-crackable keys, suddenly you do know (and you can rest easy that only Google & the gov't can see, lol :lol:....actually, this is a joke, because now Google and/or any gov't can't get into your Google/Gmail accounts without having possession of one of your physical U2F keys ).

And it all is too easy & too inexpensive to not set this stuff up. My Yubikeys cost $18 a piece, from Amazon, and there are other manufacturers of these Universal 2nd Factor (U2F) protocol physical hardware keys/tokens.....along with ones that are used for your phones as they're NFC compatible. And these physical U2F keys (especially Yubikeys) are indestructible. What I've put mine through in the past 2 years, and they still survived & function flawlessly? That is a "wow" in my book.

So get off the pot, people. If you're using an email setup from your ISP/cable/wireless provider, desktop and/or online, even ones that use U2F but idiotically still allow the use of SMS for the 2nd factor authentication, then don't b!tch if you get owned & your email accounts were (and/or currently are) hacked.

The means exist now to completely shut this worry down. Like I said, this (completely securing your email) is something we "should" worry about instead of worrying about who is spying on us and every little thing we do.

That is a battle for another day & time.


P.S. It is almost "criminal" that the majority of U.S./Canadian banks don't implement this type (only physical U2F keys, and no SMS, no email, no phone calls, nothing) of two-factor authentication. At least in Europe, their institutions for the most part are way ahead of the USA---which is scary because Europe still has a long way to go. The point is, SMS and phone software-authentication programs like Google Authenticator, Duo, Clef, Authy & others have to be killed off---they'll never, ever be secure.
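The post's central claim is that a stolen login + password is useless without the physical key, because the key proves possession by signing a fresh challenge that the server verifies against the public key registered at enrollment. The Python model below is an added example written for this thread; it is not Google's, Yubico's or the thread author's code. The HardwareKey and Server classes, the app id https://mail.example, the password and the simplified challenge parameter (a plain SHA-256 of the challenge rather than U2F's full client data) are all constructed for illustration. The P-256 ECDSA is written out inline, rather than taken from a library, only so the block runs on a stock Python 3.8+ install; a real relying party would use a vetted library.

```python
"""Model of the U2F challenge-response a hardware key performs at login.
Example code added for this thread; the classes are hypothetical."""
import hashlib
import secrets

# NIST P-256 domain parameters (the curve U2F mandates).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def ecdsa_sign(priv, data):
    z = _hash_int(data)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)


def ecdsa_verify(pub, data, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(_hash_int(data) * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def signed_payload(app_id, counter, challenge):
    """Bytes the key signs: appParam || presence || counter || challengeParam."""
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(challenge).digest())


class HardwareKey:
    """Hypothetical U2F token: a private key per site, a touch requirement
    and a use counter that only ever increases."""
    def __init__(self):
        self._keys = {}
        self.counter = 0

    def register(self, app_id):
        priv = secrets.randbelow(N - 1) + 1
        self._keys[app_id] = priv
        return _mul(priv, G)              # only the public key leaves the key

    def authenticate(self, app_id, challenge, touched=True):
        if not touched:
            raise RuntimeError("user presence required")
        self.counter += 1
        sig = ecdsa_sign(self._keys[app_id], signed_payload(app_id, self.counter, challenge))
        return (self.counter, sig)


class Server:
    """Hypothetical relying party: stores a password hash and U2F public keys."""
    APP_ID = "https://mail.example"      # constructed placeholder, not Google's

    def __init__(self, password):
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.keys = []                    # [public key, last counter seen]

    def enroll_key(self, key):
        self.keys.append([key.register(self.APP_ID), 0])

    def new_challenge(self):
        return secrets.token_bytes(32)

    def login(self, password, challenge, assertion):
        """True only with the right password AND a fresh, valid key signature."""
        if hashlib.sha256(password.encode()).digest() != self.pw_hash:
            return False
        if assertion is None:
            return False                  # no SMS or backup-code fallback exists
        counter, sig = assertion
        payload = signed_payload(self.APP_ID, counter, challenge)
        for entry in self.keys:
            if counter > entry[1] and ecdsa_verify(entry[0], payload, sig):
                entry[1] = counter        # a replayed assertion can never pass again
                return True
        return False
```

Three properties of the post's setup fall out of the model: a correct password with no assertion is refused (there is no weaker second factor to fall back to), an assertion replayed from a captured session fails the counter check, and a key registered by anyone else, or a signature produced for a different app id, does not verify against the enrolled public key.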

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#2 Post by disciple »

Are you sure you can't give us a one paragraph summary?
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

Re: Gmail's new "Advanced Protection Program"

#3 Post by Sailor Enceladus »

disciple wrote: Are you sure you can't give us a one paragraph summary?
Is this short enough? :)
belham2 wrote: actually, this is a joke, because now Google and/or any gov't can't get into your Google/Gmail accounts without having possession of one of your physical U2F keys ).
edit: Hmm, I thought you said "can".... but you said "can't".... really... hmmmm

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#4 Post by 8Geee »

Jeez Belham... if the banks and fiduciaries did that, it would solve the problem. There's no money in THAT. I mean, we might earn interest on the money entrusted... perish the thought!

With tongue firmly implanted in cheek
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
