G Suite-based companies around the world can now add executives and other high-risk users to Google's Advanced Protection Program, giving them the same level of security that Google has rolled out to its own 100,000 employees.
A central piece of the Advanced Protection program is that it requires users to use a FIDO-compliant security key, such as Google's own Titan key or one from Yubico.
Besides helping Google block all phishing attacks against employees, the keys produced another major benefit: Google employees have not had to change their passwords for years.
"We, as Google employees, have had zero security incidents of account hijacking since security keys were introduced for us," Kartik Lakshminarayanan, Google's director of product management, told ZDNet.
Lakshminarayanan says that in the three years since he joined Google from Microsoft, he has not changed his password even once thanks to the use of security keys. At Microsoft, he had to change his password every 90 days – a policy that Microsoft recently said was "ancient and outdated" and should be avoided.
"I have never changed my password in three years at Google. I only use security keys and I absolutely love it," he said. "I asked [my password] on my first day of orientation and I haven't changed it since. This is because we use security keys."
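Why a FIDO key stops phishing where a password does not: the browser, not the user, tells the key which origin is asking, and the key's assertion is bound to that origin. The simulation below is an added example written for this article, not Google's, Yubico's or any vendor's code; it uses a stand-in HMAC instead of a real key's ECDSA signature, and the origins `accounts.example` and `accounts-example.evil` are constructed.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

# Constructed simulation of FIDO/WebAuthn origin binding (not Google's or any vendor's code).
# A real key signs with an ECDSA private key; an HMAC per credential stands in for it here.

class RelyingParty:                   # server side (the site the user logs in to)
    def __init__(self, origin):
        self.origin = origin
        self.verifiers = {}           # credential id -> verifier secret (public key in real FIDO)
        self.challenges = set()
    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c
    def verify(self, cred_id, client_data, sig):
        data = json.loads(client_data)
        # Origin binding: the key signed over the origin the browser really showed the user,
        # so an assertion collected on a look-alike domain fails even if relayed in real time.
        if data["origin"] != self.origin or data["challenge"] not in self.challenges:
            return False
        self.challenges.discard(data["challenge"])   # single use: replays fail
        digest = hashlib.sha256(client_data).digest()
        expected = hmac.new(self.verifiers[cred_id], digest, "sha256").hexdigest()
        return hmac.compare_digest(expected, sig)

class KeyInBrowser:                   # client side: browser plus security key
    def __init__(self):
        self.creds = {}               # credential id -> (RP id, signing secret)
    def register(self, rp):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = (urlparse(rp.origin).hostname, secret)
        rp.verifiers[cred_id] = secret                # registration ceremony, simplified
        return cred_id
    def sign(self, cred_id, page_origin, challenge):
        rp_id, secret = self.creds[cred_id]
        host = urlparse(page_origin).hostname or ""
        if host != rp_id and not host.endswith("." + rp_id):
            return None               # browser refuses: credential belongs to another site
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        return client_data, hmac.new(secret, hashlib.sha256(client_data).digest(), "sha256").hexdigest()

def demo():
    rp, kb = RelyingParty("https://accounts.example"), KeyInBrowser()
    cred = kb.register(rp)
    legit = kb.sign(cred, "https://accounts.example", rp.new_challenge())
    # A phishing proxy can relay a genuine challenge, but the page origin is still the attacker's.
    phished = kb.sign(cred, "https://accounts-example.evil", rp.new_challenge())
    return {"legit": rp.verify(cred, *legit), "phished": phished, "replay": rp.verify(cred, *legit)}
```

A password typed into the look-alike page would have been captured and replayed; the key never produces anything usable for that origin, and even a captured assertion is single-use.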
Many organizations may find it difficult to require all employees to use security keys, but the new G Suite client program focuses primarily on high-risk and high-value accounts.
"We ask organizations to identify these high-risk users and enroll them in the enterprise program and protect themselves, making Google successful [in doing] to date," said Lakshminarayanan.
"Businesses came to us and said, 'We also have many sensitive accounts, such as senior executives and HR managers, who could potentially click on something, expose themselves and put the wider company at risk,'" he added.
Google launched the Advanced Protection Program in 2017 for Gmail users at higher risk of phishing and account hijacking attacks.
The program was initially offered to people such as politicians, journalists, activists, and senior executives. Participants can only access their accounts if they have a physical security key, such as a Google Titan key or a YubiKey.
It also limits which third-party applications can access Gmail data through the OAuth standard. Apple Mail and Mozilla Thunderbird, for example, are the only email clients that have access to Gmail data after a user joins the program. Google has also raised the bar to verify user identity in an account recovery situation.
Somewhat confusingly, the existing Advanced Protection Program was already open to senior business executives as individuals. The difference with the G Suite version is that G Suite administrators get much more control.
Instead of, say, a single contractor signing up for the program and Google deciding which apps may or may not access Gmail data, the company's G Suite administrator can identify a group of high-risk users who need to be in the program and decide which applications are approved.
It also offers G Suite reporting capabilities to see which users turn controls on or off.
"Think of missing controls and lack of visibility for the administrator," said Lakshminarayanan. "This is what is now being introduced. An administrator can take a more aggressive stance on choosing which users to receive and receive reports. This is a more rigorous cycle with the administrator. Previously, it was FIY [fix it yourself], exec can use it."
The enterprise version will allow G Suite administrators to customize the user experience, especially around applications that can use OAuth to access G Suite account data. OAuth was abused two years ago by a fake Google Docs app that gained access to millions of Gmail user accounts.
Users enrolled in the program will need to use a FIDO-compliant physical security key. To improve usability, enrolled users may pair an Android phone with a security key, but they will still need a physical security key to enroll in the first place.
Like the consumer version, the G Suite version restricts which applications can use OAuth to access Gmail data, but IT administrators will be able to whitelist the applications allowed to access Gmail data through OAuth.
"The G Suite administrator chooses applications to be trusted rather than trusted. The end user can live with this list because it comes from the administrator. But if the user wants to expand it, he can talk to the administrator and get that added," said Lakshminarayanan.
Finally, the enterprise program will perform additional scanning of email for phishing and open attachments in a sandbox to check for malware.
Google also announced today the availability of its Titan keys in Canada, France, Japan and the United Kingdom.