Guard against targeted attacks

Protect users with the Advanced Protection Program

This feature is available in all G Suite and Cloud Identity editions.

Advanced Protection helps you protect users who are at risk for a targeted attack, such as:

  • G Suite and Cloud Identity super admins or delegated admins
  • Political campaigns
  • Activist groups
  • Celebrities
  • Journalists
  • Business leaders
  • Firms dealing with cryptocurrencies
  • Law firms

Targeted attacks could be low volume, carefully crafted, phishing attacks, often personalized to individuals, and can be hard to distinguish from legitimate activity. This makes targeted attacks the hardest to protect against. The Advanced Protection Program is specifically designed to thwart targeted online attacks on Google accounts.

What is the Advanced Protection Program? 

The Advanced Protection Program is designed to protect Google accounts against targeted online attacks. It's available for consumer as well as Enterprise Google accounts. The Advanced Protection Program includes a curated group of high-security policies that are applied to enrolled accounts. Additional policies may be added to the Advanced Protection Program to ensure the protections are current.

Advanced Protection allows you to apply all of these protections at once, and override similar settings you may have configured manually. These policies include:

  • Strong authentication with security keys
  • Use of security codes with security keys (as needed)
  • Restrictions on third-party access to account data
  • Deep Gmail scans
  • Google Safe Browsing protections in Chrome (when users are signed into Chrome using the same identity as their Advanced Protection Program identity)
  • Account recovery through admin

Advanced Protection Program security policies

Users enrolled in the Advanced Protection Program are protected by these security policies:

  • Strong authentication with security keys. Advanced Protection Program enforces the use of security keys for sign-in. It uses 2-Step Verification policies. You don’t have to configure 2-Step Verification policies separately, and Advanced Protection Program settings take precedence over 2-Step Verification policy settings if they are configured. Security key usage is enforced even if a domain is using a third-party IdP. Users register their keys when they enroll in Advanced Protection Program.
  • Use of security codes with security keys (as needed). If your users use platforms or browsers that don’t support security keys natively, such as Microsoft Internet Explorer, you can allow users to sign in and authenticate with a special, one-time security code. Users can generate this code only on a device and browser that supports security keys, like Chrome.

    Using security codes with security keys weakens security. But your organization might have important workflows where security keys can’t be used directly, and in that case, security codes are required. Using security codes with security keys, while not the most secure option, is still better than using no security keys.

    There are security code options that control the security codes your users generate. These options give users provide tradeoffs between convenience and security. Go to Enable user enrollment in the Advanced Protection Program for details.

  • Restrictions on third-party access to account data. Apps that require high-risk scopes are blocked unless they're explicitly trusted by admins, or on the default list of trusted apps.

    Default trusted apps available for Advanced Protection are:

    • Google native apps
    • Apple Native iOS apps
    • Apple Mail on macOS
    • Mozilla Thunderbird
  • Deep Gmail scans. Enhanced pre-delivery scanning of incoming email is automatically enabled to identify  phishing attempts. Also, for eSKU users the security sandbox feature is turned on to provide deep scanning of attachments for unknown malware.
  • Google Safe Browsing protections in Chrome.  Reduces a user exposure to risky downloads in Google Chrome. When signed into Chrome using the same identity as their Advanced Protection Program identity, users receive warning if Google Safe Browsing can't verify that a file is safe. This warning tells users to proceed with caution and check the reputation of the source of the file to be sure the file is safe to download.
  • Account recovery through admin. Advanced Protection includes strict account recovery for users who have lost their security keys have to come to you to regain access to their account.

Admin requirements

Advanced Protection Program enrollment can be enabled by these admins:

  • Super admin or delegated admin with the privilege Security > Security Settings.

What’s next: enable user enrollment

Was this helpful?
How can we improve it?