Google Offers Strongest Gmail Security for Those Who Need It Most
The vast majority of Gmail users do not have to worry about being the victim of a targeted attack. However, there journalists, campaign staff, and political dissidents who often come under spear phishing attacks, sometimes by state sponsored actors. To address the needs of this minority of Gmail users, Google has introduced the Advanced Protection Program (APP). APP is ideal for individuals who are at an elevated risk of attack and are willing to trade some convenience for improved security. Anyone with a personal Gmail account (GSuite is not supported) can sign up for APP.
APP differs from normal Gmail in a few ways.
APP requires 2-factor authentication using only a hardware token for every log in attempt. Less secure 2-factor authentication methods such as SMS, Google Authenticator, and secondary e-mail are not allowed. A USB U2F token (such as YubiKey) is required for desktop and laptop computers and a Bluetooth Low Energy (BLE) token is required for iOS and Android.
OAUTH is disallowed, except for Google Applications. This prevents the accidental sharing of information to a third-party application.
For iOS and Android, native mail clients cannot be used. The official Google Gmail or Inbox app is the only method available for mobile access.
On a desktop or laptop, a U2F compatible browser such as Google Chrome must be used. (Firefox will be supported soon)
Account recovery is not as simple as answering a secret question or receiving an SMS message. Additional identity verification steps are required including a “waiting period” before a lost or forgotten password can be reset.