Google today announced updates to its Advanced Protection Program (APP), including the option for Apple iPhone users to use their smartphone as a security key instead of buying a separate physical key. It's also bringing easier enrollment for the program to iPhone and Android devices.
APP aims to bring stronger security protections to politicians, journalists, activists, business executives, and other high-risk individuals likely to be targeted with cyberattacks. It's difficult to define what makes these people vulnerable, as it depends on who they are and what they do. Politicians may be at higher risk during an election year; some activists may be targeted by their own governments. Journalists may be at higher risk if they're in a war zone or certain countries.
Some are at risk because of their worth. Shuvo Chatterjee, product manager with Google's APP, points to cryptocurrency investors as an example. "Time and time again we see people bragging on Twitter about how much they have, and they become a target," he explains.
The APP was introduced to defend against phishing attacks and protect data by limiting access to information and adding extra account verification. Only Google apps and select third-party apps can access emails and Drive files, for example. Users must have a physical security key.
While participants like the program, Chatterjee says, many found the security key difficult from a usability standpoint. "It's still this strange thing for most people," he explains. "They don't understand what it is; it's still another thing you have to carry around." The APP previously required the use of two physical security keys, which would turn people away when enrolling.
Last year, Google gave Android users the option to use their phone as a physical security key. Android devices running version 7.0 (Nougat) or later could double as keys to be used for two-factor authentication when logging into personal Google accounts and G Suite or Google Cloud.
Expanding the same option to iPhones presented more of a challenge. When Android devices became compatible as security keys, APP users with iPhones were still required a particular Bluetooth security key. "It's one thing when you own the platform," Chatterjee says, noting that Google could make changes to the Android OS so it could be used as a physical security key. Doing the same for iPhone meant a partnership with Apple and more time to offer the feature.
Now, Google is giving iPhone users running iOS 10 or later the option to turn their phone into a security key. "This opens the door for a lot more people who were maybe hesitant to enroll in advanced protection," he adds. To activate a security key on iPhone, users need to first download and sign into the Google Smart Lock app. Android users can activate and enroll here.
High-Profile Users, Low-Level Security
Google has also shared findings from a new survey conducted with The Harris Poll. Researchers surveyed 500 high-risk users living in the US to learn more about their security practices.
The results indicate a need for stronger security hygiene among those at greater risk for targeted attacks. Most (78% of) respondents perceive themselves as being at higher risk of being hacked compared with the general population due to their job or online presence. Nearly two-thirds are more concerned about their online accounts being compromised today than they were one year ago; 86% are specifically concerned about work accounts being phished.
Nearly 70% of respondents report they have been the target of a phishing attack, and 39% have been compromised. Of those, 72% say the attack used personal information tailored to them.
Despite this, many high-risk users have risky security habits: 66% of them are using two-factor authentication, compared with 69% of the general population. More than three-quarters have used their personal email account to communicate with a work colleague or contact in the past year, and 71% reuse the same password for multiple accounts. Half don't use a security key.
"Most of them knew they were under high risk of being attacked personally in their digital lives," says Chatterjee. "But at the same time, most of them didn't take basic steps to improve their security posture."
Specifically, he is concerned about politicians' security practices given they are more likely to be targeted during an election year. Ninety percent of politicians surveyed are worried about work-affiliated accounts being compromised; 83% are concerned for their personal accounts.
While the threat landscape is constantly shifting, Chatterjee anticipates phishing will continue to be a primary concern for the year ahead. "There will be different shifts in 2020 but I think there are some things that are low-hanging fruit to attackers. If you're good enough at phishing and can trick enough people, eventually people will fall for it."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Keep Security on Life Support After Software End-of-Life."