Guard against targeted attacks

Protect users with the Advanced Protection Program

Advanced Protection helps you protect users who are at risk for a targeted attack, such as:

  • Google Workspace and Cloud Identity super admins or delegated admins
  • Political campaigns
  • Activist groups
  • Celebrities
  • Journalists
  • Business leaders
  • Firms dealing with cryptocurrencies
  • Law firms

Targeted attacks are often low-volume, carefully crafted phishing attacks that are personalized to individuals and can be hard to distinguish from legitimate activity. This makes targeted attacks the hardest to protect against. The Advanced Protection Program is specifically designed to thwart targeted online attacks on Google accounts.

What is the Advanced Protection Program? 

The Advanced Protection Program is designed to protect Google accounts against targeted online attacks. It's available for consumer as well as enterprise Google accounts. The Advanced Protection Program includes a curated group of high-security policies that are applied to enrolled accounts. Additional policies may be added to the Advanced Protection Program to ensure the protections are current.

Advanced Protection lets you apply all of these protections at once, overriding similar settings you may have configured manually. These policies include:

  • Strong authentication with security keys or passkeys
  • Use of security codes with security keys or passkeys (as needed)
  • Restrictions on third-party access to account data
  • Deep Gmail scans
  • Google Safe Browsing protections in Chrome (when users are signed into Chrome using the same identity as their Advanced Protection Program identity)
  • Account recovery through admin

Advanced Protection Program security policies

Users enrolled in the Advanced Protection Program are protected by these security policies:

  • Strong authentication with security keys or passkeys. The Advanced Protection Program enforces the use of security keys or passkeys for sign-in. It uses 2-Step Verification (2SV) policies. You don’t have to configure 2SV policies separately, and Advanced Protection Program settings take precedence over 2SV policy settings if they are configured. Security key or passkey usage is enforced even if a domain is using a third-party identity provider (IdP). Users register their keys when they enroll in the Advanced Protection Program. Users can use passkeys or security keys to enroll in Advanced Protection. Users also need to enter a recovery email address and phone number. Alternatively, users can add a backup passkey or security key.
  • Use of security codes with security keys or passkeys (as needed). If your users use platforms that don’t support security keys or passkeys, you can allow users to sign in and authenticate with a special, one-time security code. Users can generate this code only on a device and a browser, like Chrome, that support security keys or passkeys.

    Using security codes with security keys or passkeys weakens security. But your organization might have important workflows where you can’t use security keys or passkeys directly. In that case, security codes are required. Using security codes with security keys or passkeys, while not the most secure option, is still better than using no security keys or passkeys.

    Security code options control the security codes your users generate. These options provide users with tradeoffs between convenience and security. Go to Enable user enrollment in the Advanced Protection Program for details.

  • Restrictions on third-party access to account data. Apps that require high-risk scopes are blocked unless they're explicitly trusted by admins or on the default list of trusted apps.

    Default trusted apps available for Advanced Protection are:

    • Google native apps
    • Apple native iOS apps
    • Apple Mail on macOS
    • Mozilla Thunderbird
  • Deep Gmail scans. Enhanced pre-delivery scanning of incoming email is enabled to identify phishing attempts. For Enterprise users, the security sandbox feature is turned on to provide deep scanning of attachments for unknown malware.
  • Google Safe Browsing protections in Chrome. These protections reduce a user's exposure to risky downloads in Google Chrome. When signed into Chrome using the same identity as their Advanced Protection Program identity, users receive a warning if Google Safe Browsing can't verify that a file is safe. This warning tells users to proceed with caution and check the reputation of the source of the file to be sure the file is safe to download.
  • Account recovery through admin. Advanced Protection includes strict account recovery for users who have lost their security keys and have to come to you to regain access to their account.

Admin requirements

A super admin or a delegated admin with the Security > Security Settings privilege can enable Advanced Protection Program enrollment.
