Google's Advanced Protection Program with iPhone and iPad

Written by 0x0ece | Published 2017/12/13
Tech Story Tags: two-factor-authentication | data-protection | ios | security | iphone

TLDRvia the TL;DR App

This is the first in a series of blog posts about my experience with Google’s Advanced Protection Program, recently launched to strengthen the security of your Google account. In this post we’ll focus on how it works with iOS devices.

Advanced Protection is primarily intended, as Google suggests, for “journalists, activists, business leaders, and political campaign teams.” I think it’s a great tool for everyone, especially if you’re concerned about the security of your Google account, such as if it’s the recovery email of your bank account, or if you use a regular gmail account for your projects or small business.

In short, if you have an iPhone or iPad and you want to enable Advanced Protection:

  1. You have to buy two security keys, and I recommend you the Feitian MultiPass and/or the DIGIPASS SecureClick ($50–80, read more below on “How do I buy the right security key.”)
  2. On your iPhone/iPad you have to install the Google Smart Lock app, and use that to log in into your Google account.
  3. You have to use a regular gmail account — company accounts aren’t yet supported.

Before you get started, though, you may also want to know that after enabling Advanced Protection:

  • You’ll be logged out from all devices, so make sure you do so when you have time to log back in.
  • You’ll have to use Gmail (or Inbox) and Google Calendar. Other apps like Apple Mail and Calendar, won’t work anymore. Personally, I was already using the Google apps, but if you aren’t, you may want to give them a try in advance and see if you like them.

How does it work?

Go to Google’s Advanced Protection Program page, click “Get Started,” and follow the steps to register your two security keys, and enable Advanced Protection. Once it’s on, Google will ask you to enter your password and then physically tap a security key every time you log in from a new device or browser. This means you’ll always want to have a security key with you, for example on your key ring. Note that you just need one key to log in. The other one is a backup that you can keep safely at home in case you lose or break the first one.

Why do I need it?

You need Advanced Protection to protect you against targeted online attacks, and in particular phishing. You’ll be protected from phishing sites that attempt to steal your login credentials, and from malicious sites that try to get access to your Gmail or Google Drive data.

On the left, a phishing website pretending to look like Google to steal my login credentials. On the right, a malicious website requesting access to my Google Drive data. Advanced Protection blocks both attacks.

How is this different from two-factor authentication?

Advanced Protection is a form of 2FA, in fact the strongest one. Other mechanisms like SMS or time-based codes don’t protect you against sophisticated phishing.

What if I lose or break my security key?

That’s why you have two.

What if someone steals my security key?

That’s why you ALSO have a strong password. You can revoke your lost security key anytime, and replace it with a new one.

How do I buy the right security key?

For iOS, the only security keys I was able to find and test are the Feitian MultiPass, the same recommended by Google, and the DIGIPASS SecureClick, recommended in this survey.

Yubikeys don’t work with Advanced Protection on iPhone and iPad(I discovered it only after I bought them already — I should have read more carefully.)

In the list below I’m summarizing the main options, with pros and cons of each one.

  • Feitian MultiPass, $25Pros: It works on desktop, Android and iOS devices.Cons: It doesn't have a usb-c connector (e.g., for the new Macbook Pro.)

  • DIGIPASS SecureClick (my choice, mostly aesthetic), $39Pros: It works on desktop, Android and iOS devices.Cons: It doesn’t have a usb-c connector (e.g., for the new Macbook Pro.)

  • Yubikey NEO, $50Pros: It's nicer looking and fits better in a key ring than the Feitian.Cons: It doesn't work on iPhone and iPad. It doesn't have a usb-c connector.

  • FIDO U2F Security Key (Yubico), $18Pros: It's the cheapest.Cons: It only works on desktop devices, no phones & tablets.

  • Yubikey 4C, $50Pros: It has a usb-c connector.Cons: It only works on desktop devices, no phones & tablets.

How does it work on iPhone?

Below is an example of me adding my Gmail account on my iPhone after I’ve enabled Advanced Protection. To reiterate, you have to log in using Google Smart Lock, and then you have to you the Gmail app (or Inbox) — Apple Mail won’t work anymore.

From left to right: launch Smart Lock and add a new account, enter your email address, enter your password, tap on the security key (the very first time you use the security key with your iPhone you’ll be asked to pair it by long pressing for a few seconds.)

If you tried Advanced Protection on iOS, I’d like to hear how your experience was. Did you try other security keys? Did you, like me, buy the wrong ones? :) Did you find other apps to be tricky or not working? Feel free to use the comments below or reach out to me on Twitter @0x0ece.

P.S: And if you’re interested in security and authentication, you may also want to check out MemPa, a new password manager that I just happened to release.

Written by 0x0ece | Making the open source @SoloKeysSec and the @Everdragons2 NFT. Former security at Pinterest, now at Jump.
Published by HackerNoon on 2017/12/13
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy