Why won’t the password just go away? The silly pet names, movie titles or sports teams that many people punch in to get into their online accounts are a weak spot that hackers continue to puncture.
Yet passwords remain the primary way we log in to online accounts containing our personal and financial information. Google has a new pragmatic solution: Embrace the password, but lock it down with extra physical security.
The company this month released its Advanced Protection Program, which is meant to make stealing your password pointless. To use it, you’ll need two inexpensive physical keys to log in to your Google account on your computer and smartphone.
This way, even if hackers stole your password in a data breach or successfully phished for it, by tempting you to hand over your credentials on a fake login page, they couldn’t do anything unless they got their hands on the keys as well. And minimizing risk with minimal effort is a boon to anyone who cares about online security.
“I am a big fan of this,” said John Sabin, a former hacker for the National Security Agency. “It’s probably the easiest and most secure multifactor for the masses.”
The physical keys are an evolution of two-factor authentication, an extra security layer to ensure that your password is being entered by you. Google was one of the first companies to start offering two-factor authentication back in 2010, not long after it learned that it had been hacked by state-sponsored Chinese hackers.
After the attack, Google’s security team came up with a motto: “Never again.” The company later rolled out two-factor authentication for Google customers’ Gmail accounts. It involved text messaging a unique code to your phone that you must type in after entering your password in order to log in.
Unfortunately, those text messages can be hijacked. Last month, security researchers at Positive Technologies, a security firm, demonstrated how they could use vulnerabilities in the cellular network to intercept text messages for a set period of time.
The idea of Google’s Advanced Protection Program is to provide people with a physical device that is much harder to steal than a text message. Google is marketing the program as a tool for a tiny set of people who are at high risk of online attacks, like victims of stalking, dissidents inside authoritarian countries or journalists who need to protect their sources.
But why should extra-tough security benefit such a small group? Everyone should be able to enjoy stronger security.
So we tested Google’s Advanced Protection Program and vetted it with security researchers to see if the program could be used by the masses. The verdict: Many people should consider signing up for the security system and buying a pair of keys. But if you are married to some non-Google apps that are not yet compatible with the keys, you should wait and see if the program matures.
Setting Up Advanced Protection
Anyone with a Google account can sign up for the security program on Google’s Advanced Protection webpage. To get started, you will have to buy two physical keys for about $20 each. Google recommends buying one from Feitian and another from Yubico.
The keys, which look like thumb drives and can fit on your key chain, contain digital signatures that prove you are you. To set one up, you plug the key into a computer USB port, tap a button and name it. (The Feitian key wirelessly communicates with your smartphone to authenticate the login.) This process takes a few minutes.
On a computer and a smartphone, you need to log in with the key only once, and Google will remember the devices for future logins. That is more convenient than traditional two-factor authentication, which requires entering a unique code each time you log in.
But there are trade-offs. Google’s Advanced Protection cuts off all third-party access by default, allowing only applications that support its security keys. For the time being, that means only Google’s Gmail mail app, Google’s Backup and Sync app, and Google’s Chrome browser.
On an iPhone, for example, you will have to use Google’s Gmail or Inbox apps for email, and on a computer, you can use only the Chrome browser when signing in with a browser. So if you rely on Apple Mail to gain access to your Gmail on an iPhone, or if you use Microsoft Outlook for getting into Gmail on a PC, you’re out of luck. Google says its goal is to eventually allow third-party apps to work with the program, but it is also up to other companies to update their apps to support the keys.
Testing the Security
Despite the drawbacks, security researchers agree that the Advanced Protection Program is a solid piece of security and relatively painless to use, even for everyday use for people outside high-security jobs.
Mr. Sabin, the former N.S.A. hacker, who is now a director of network security at GRA Quantum, a security consulting firm, said the physical keys had pros and cons. On one hand, if you lose a key, a hacker would have a hard time figuring out which account it was associated with.
On the other hand, if you lose the keys or don’t have the keys around when you need to log in to a new device, it takes longer to regain access to your account. Google has put in place more elaborate recovery steps for Advanced Protection users, including additional reviews and requests for details about why users have lost access to their account. In our test, we answered security questions to try to recover an account, and Google said it would review the recovery request and respond within a few days.
Runa Sandvik, the director of information security at The New York Times, said the keys were not much of a hassle. She said Google’s requirement of using two keys meant you essentially had a spare: If you lose one key, you can get into your account with the remaining key.
But she noted that the keys could get annoying if you used many devices and constantly needed to carry the keys around to log in to your account. That may be an issue for people who work in the technology industry, but most people probably use only one computer and one phone.
Ms. Sandvik, who has been testing Google’s program to assess whether to recommend it to the newsroom, said she had not yet discovered vulnerabilities in the security key system outside of the slim possibility that a hacker gained possession of both your password and your key.
“It’s something that is relatively easy to set up once you have both keys,” Ms. Sandvik said. “I don’t see a reason you shouldn’t turn this on.”
The Bottom Line
While the security keys are easy to set up and provide tough security, they may be disruptive to your productivity if you rely on apps that are incompatible with the keys.
It took a few minutes for us to migrate to Google’s apps from Apple’s and integrate them into our newsroom workflow, which already relies on Google’s mail, messaging and cloud storage services. But using the keys required sacrificing an important feature — Apple’s V.I.P. alerts, which notify you when people you deem important email you. Google’s iOS apps for Gmail and Inbox lack a similar feature. For people with flooded inboxes, lacking V.I.P. alerts makes sifting through emails time-consuming.
Another example of how the keys can stifle productivity: Many employers still require using the Microsoft Outlook app for email, which won’t work with the keys.
If using Google’s security program would disrupt your work, you may want to wait for more companies to update their apps to support the keys, which rely on a standard called FIDO, for Fast Identity Online. Mr. Sabin predicts that many apps will follow Google’s lead.
If you decide to wait, don’t procrastinate on turning on traditional two-factor authentication that relies on text messages. While it is hackable, it is still much safer than relying on a password alone to protect you.
The question is how long it will take security researchers to find a way to hack the physical keys as well. When asked if he had already circumvented physical multifactor authentication devices like Google’s keys, Mr. Sabin would offer only: “No comment.”
The New York Times