Google on Tuesday launched a set of more stringent security measures for its account holders in response to an increase in the use of sophisticated, targeted hacking techniques that comuter security firms say are often politically motivated.
“There is an overlooked minority of our users that are at particularly high risk of targeted online attacks,” Google said in a blog post. “For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.”
The setting makes it more difficult for attackers to access users’ accounts, in part because it requires the use of a hardware key to log in – a USB device for desktops and laptops and a Bluetooth unit for mobiles.
If that key is lost Google said users would have to pass through a much more arduous process to regain entry to their accounts.
The company didn’t disclose how account recovery is structured, but an executive who was briefed by Google said it includes a period of time in which the account would remain locked while the user passes identity checks.
Joseph Lorenzo Hall, chief technologist at the Centre for Democracy and Technology (CDT), said the slower recovery scheme is intended to make account recovery a less attractive way for hackers to bypass other security protections.
Another provision means third-party tools will be locked out of Google accounts, preventing hackers from siphoning data using their own software.
In practice, that also means, for instance, that users can’t access their Gmail messages from Outlook, Thunderbird or the email client built into iPhones and iPads. At launch, users with Advanced Protection switched on will only be able to access their Google accounts using Google’s own browser, Chrome.
Google said the features offered under the new security setting would be updated over time. As launched, they are designed to counter threats of the kind that have led to high-profile hacks in recent months.
Convincing phishing attacks of the kind that led to the theft of the Gmail login credentials of Hillary Clinton campaign manager John Podesta last year would have been blocked by the hardware key requirement, for instance.
Another scheme in May that tricked Google Docs users into granting account access to a malicious web application might also have been stymied by the provision that prevents access by third-party software.
But Google will also have to ensure its accounts remain reasonably usable even with the new protections applied.
As researchers have noted in the past, security protections are only effective if users choose to use them, and if they’re overly stringent few are likely to switch them on.
How well do you know the cloud? Try our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…