Google has introduced the Advanced Protection Program. As far as I can tell, these are the big takeaways:
To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.
A physical key being a Yubikey in this case, looks like.
When you sign up for new apps or services, you are sometimes asked for access to your data, like your emails or documents. By giving permission, you might introduce vulnerabilities that could be used to access your personal data. For example, an app you trust could be exploited or impersonated.
To protect you from this threat, Advanced Protection will automatically limit third-party apps from accessing your most sensitive data – your emails and your Drive files.
I suspect this is going to be implemented more broadly over time to non-Advanced Protection accounts, but we’ll see.
A common way that hackers try to gain access to your account is by impersonating you and pretending they have been locked out of your account.
To provide you with the strongest safeguards against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account.
Another thing that will probably see parts trickle to mainstream account protection, but yeah.
Looks like it’s intended to target high-risk Google users as customers, but it’s free, so I’m imagining a number of tech folks will hop on board too. Looking into signing up for it myself this morning.
I’d like to write up something about the WPA2 flaw ongoing but I’m waiting for a bit more to develop.