* The security keys I’m using today are FEITIAN ePass FIDO and MultiPass FIDO

After getting the two security keys, just follow the guide and add 2 security keys on your PC. Nothing tricky.One thing that may need to be mentioned is that it seems Google does not allow security key registration from mobile devices. Which means that you have to register from your PC and then you can use it on your mobile phones. Oh, one last remind, Google Chrome browser is needed.

Google has been using security key in 2-step verification for quite some time. And I am also using security key on my personal Google account. So here I am wondering how do the Advanced Protection Program deal with my old keys which are already registered with my account. And the result is, enabling the advanced protection will remove ALL OF the 2-step verification methods you were using before in this account. You can no longer log in to the account by using SMS OTP, Google Authenticator, Voice OTP call or E-mail. And the security keys you were using before will also be removed (You do can register your old keys again though).

This clearing is a little bit surprising but on the other hand, makes me feel pretty good. Having multiple measures for verification definitely offers better user experiences, as users can always find a way to log in their accounts. However, from the security perspective, this also means giving hackers more possibilities to access your accounts. It is well known that one-time password is not a very strong verification method as opposed to security key. Now you see the problem, the option of using OTP will always low the security level of your account no matter what other methods you have enabled. Hackers can always choose to use OTP to log in.

This problem got solved in Advanced Protection as you can only use security keys for the 2-step verification.

Google accounts can be accessed by so many applications from different platforms. The next step for this test is to find out whether an Advanced Protection enabled account can be used smoothly in different platforms without unexpected errors or vulnerable methods that can avoid the verification.

Android:There is no doubt that Android should have the best compatibility on Google account as they are from the same family. It is impressive that you do not need to install anything on your Android phone to use security keys to log into your Google account. All of the needed functions are available in Google Play.

The test result shows that Google did a nice job on Android. I tried to log in my G-mail account from G-mail app and browser. They both automatically called and jumped to Google Play and force you to verify with the security keys.

Most of the mobile phones have Bluetooth. You can always use the Google recommended FEITIAN MultiPass FIDO security key to verify over your Android phone with Bluetooth. The first time you will need to pair the security key with your phone.

And if your phone has an NFC sensor, you can also choose to tap the security key to NFC sensor to pass the verification. For me, as I am a super lazy person, I prefer to user NFC. Tap and done, very handy.

Conclusion:
The Google Advanced Protection Program certainly increased the security of protected Google account to a very high level. As Google said, a niche group of people will love it. However, cybersecurity will finally be an issue for everyone. The security key is mandatory in this Advanced Protection Program, but the Program is not mandatory for every Google account.
Common users tend to care more about experience than security, which is not expected from the security perspective. Google’s next target should be setting a stronger guide and letting more users try and be protected by this program.

About the compatibility and user experience, nothing to complain, it works smoothly for mobile platforms. A little issue though, I would like to have more user notifications, especially on the Bluetooth pairing in iOS.

Click HERE to get user manual
Click HERE to get all SDK and datasheet