This is the first in a series of blog posts about my experience with Google’s Advanced Protection Program, recently launched to strengthen the security of your Google account. In this post we’ll focus on how it works with iOS devices.
Advanced Protection is primarily intended, as Google suggests, for “journalists, activists, business leaders, and political campaign teams.” I think it’s a great tool for everyone, especially if you’re concerned about the security of your Google account, for example because it’s the recovery email for your bank account, or because you use a regular Gmail account for your projects or small business.
In short, if you have an iPhone or iPad and you want to enable Advanced Protection:
Before you get started, though, you may also want to know that after enabling Advanced Protection:
Go to Google’s Advanced Protection Program page, click “Get Started,” and follow the steps to register your two security keys, and enable Advanced Protection. Once it’s on, Google will ask you to enter your password and then physically tap a security key every time you log in from a new device or browser. This means you’ll always want to have a security key with you, for example on your key ring. Note that you just need one key to log in. The other one is a backup that you can keep safely at home in case you lose or break the first one.
You need Advanced Protection to protect you against targeted online attacks, and in particular phishing. You’ll be protected from phishing sites that attempt to steal your login credentials, and from malicious sites that try to get access to your Gmail or Google Drive data.
On the left, a phishing website pretending to look like Google to steal my login credentials. On the right, a malicious website requesting access to my Google Drive data. Advanced Protection blocks both attacks.
Advanced Protection is a form of 2FA, in fact the strongest one. Other mechanisms like SMS or time-based codes don’t protect you against sophisticated phishing.
That’s why you have two.
That’s why you ALSO have a strong password. You can revoke your lost security key anytime, and replace it with a new one.
For iOS, the only security keys I was able to find and test are the Feitian MultiPass, the same one recommended by Google, and the DIGIPASS SecureClick, recommended in this survey.
Yubikeys don’t work with Advanced Protection on iPhone and iPad (I discovered it only after I had already bought them — I should have read more carefully.)
In the list below I’m summarizing the main options, with pros and cons of each one.
Feitian MultiPass, $25. Pros: It works on desktop, Android and iOS devices. Cons: It doesn't have a USB-C connector (e.g., for the new MacBook Pro.)
DIGIPASS SecureClick (my choice, mostly aesthetic), $39. Pros: It works on desktop, Android and iOS devices. Cons: It doesn’t have a USB-C connector (e.g., for the new MacBook Pro.)
Yubikey NEO, $50. Pros: It's nicer looking and fits better in a key ring than the Feitian. Cons: It doesn't work on iPhone and iPad. It doesn't have a USB-C connector.
FIDO U2F Security Key (Yubico), $18. Pros: It's the cheapest. Cons: It only works on desktop devices, no phones & tablets.
Yubikey 4C, $50. Pros: It has a USB-C connector. Cons: It only works on desktop devices, no phones & tablets.
Below is an example of me adding my Gmail account on my iPhone after I’ve enabled Advanced Protection. To reiterate, you have to log in using Google Smart Lock, and then you have to use the Gmail app (or Inbox) — Apple Mail won’t work anymore.
From left to right: launch Smart Lock and add a new account, enter your email address, enter your password, tap on the security key (the very first time you use the security key with your iPhone you’ll be asked to pair it by long pressing for a few seconds.)
If you tried Advanced Protection on iOS, I’d like to hear how your experience was. Did you try other security keys? Did you, like me, buy the wrong ones? :) Did you find other apps to be tricky or not working? Feel free to use the comments below or reach out to me on Twitter @0x0ece.
P.S: And if you’re interested in security and authentication, you may also want to check out MemPa, a new password manager that I just happened to release.