If you’re using a Gmail account for your business, that account is the key to your entire life. You may think two-factor authentication (2FA) is enough to keep criminals at bay, but SMS based 2FA can be easily bypassed.
The Problems with 2FA
Two-factor authentication is great for account security. Instead of just asking for a password, a 2FA-enabled account will send you a code over SMS or through an authenticator app to your phone, which you’ll have to enter to confirm it’s you. This is great, because if your password is stolen, the attacker still needs physical access to your phone.
At least, that’s how it’s supposed to work, but there’s one major caveat: even with 2FA based on authenticator apps (which don’t use SMS) your phone number still functions as the recovery device on you account. Not your phone, but your phone number. Meaning if someone takes control of your number, they now have access to your account.
This isn’t just a hypothetical—it’s incredibly easy to steal someone’s phone number. When I upgraded to a new phone at a Verizon store, they only asked for two things: my phone number and my birthday, both of which are publicly available (although your birthday generally shouldn’t be). They didn’t take my ID, they didn’t verify I was the account holder, they didn’t need my old phone, and they didn’t check my credit card. They simply gave me a new SIM card with my phone number linked to it, and I was out the door. But it could have easily been someone else’s number, and it could have easily been yours.
What’s worse is that a hacker in this attack wouldn’t even need your password, as basic Gmail accounts can have their passwords reset using just your phone number. The solution to this problem is to cut out the phone altogether, and not bet the control of your account on the laziness of Verizon’s retail workers.
Google’s Advanced Protection
Two-factor authentication is most commonly used with a phone, because everyone has one close by all the time. But they’re not the only device you can use.
These are Google’s Titan Security Keys. They’re key fobs that function as a two factor device; you can think of them like keys to your car, except they’re needed to log in to your Gmail account.
These keys can’t be stolen (short of someone pickpocketing you), and they can’t be phished, because real physical access is what they operate on. This authentication method is commonly called Universal Two Factor, or U2F. Titan keys aren’t the only key you can get either, there’s a standard called FIDO that governs how they should operate, and there are many of them on the market.
You can use this keys as a drop-in replacement for SMS 2FA, but they’re best used in combination with Google’s Advanced Protection Program. Advanced Protection requires you to use this key, and it locks down Account Recovery to be a much more arduous process, meaning no one can bypass your account’s 2FA and password by stealing your phone number (which is the main issue with regular authentication).
The main caveat is that they will lock your account down quite a bit. You won’t be able to use some third-party apps that require access to your data, and you’ll be forced to use Chrome or Firefox to access your signed-on Google services, though mobile Chrome will work fine.
How to Enable Advanced Protection
First, you’ll need some security keys. While you can use any key fob that is FIDO compliant, we recommend Google’s Titan keys as they will integrate best with their services and are officially supported.
The Titan keys are $50 for the pair. You’ll get one Bluetooth key, which is your primary key, and one that looks like a flash drive, which will be your backup key in case you lose the first. You should definitely keep these in separate places.
You’ll have to wait for them to ship, but once they arrive you’ll be able to enroll in Advanced Security Protection by linking both your keys.
After that, you’ll be signed out on all devices, requiring key fob access to sign back in, and your account is now as secure as a Google account can be.
For G Suite, things are a bit more complicated. Your G Suite administrator account (which must end with your domain name) currently can’t enable the Advanced Protection available to regular Google accounts, but you can still use your Titan key to enable key fob authorization.
The major thing to note is that this doesn’t give you the extended recovery protection offered to Advanced Protection users. You can get around this simply by removing your phone number from your recovery options, as it’s not necessary. Make sure to provide a backup email (which can be your regular Gmail account), in case you do forget your password. Also, recovery will be turned off automatically anyway if your G Suite domain has more than 3 admins or more than 500 users, to prevent attacks on large businesses.
Additionally, you can enforce Advanced Protection for all users under your G Suite. This forces them to use their own key fobs, and locks out SMS-based account recovery. Note that this is only for employee accounts, and not for your administrator account, as that needs its own setup.