Guard against targeted attacks

Advanced Protection Program FAQ

This feature is available in all G Suite and Cloud Identity editions.

Go to Common questions with Advanced Protection for additional Advanced Protection Program FAQs.

Authentication behavior

We use a third-party identity provider (IdP), such as Okta, for our primary authentication. Then we federate into Google. Will the Advanced Protection Program work for us?

Yes. You can use the Advanced Protection Program with accounts that federate from an IdP using SAML. When users with these accounts enroll in the Advanced Protection Program, we require security key use after the user signs in on the IdP. Note that SAML users can select Remember the device to avoid challenges on a browser or device they have already used.

Why do we need two security keys?

Two security keys are required for added assurance. If one key is lost or damaged, users can use the second key to regain account access.

Do users need to use security keys each time they sign in to G Suite?

The behavior is the same as for users who are not enrolled in the Advanced Protection Program. In general, users are remembered on the device or browser they sign in to, and 2SV challenges do not occur during future sign-ins on that same browser or device. Also, there’s an Admin control that can prevent users from using security keys.

How can security keys be used on iPhones?

You can use Bluetooth Low Energy (BLE) security keys to communicate with mobile devices and authenticate to your Google account. During the sign-in process, you are prompted to download and use the Google Smart Lock app from the Apple App Store. Smart Lock is required to communicate with the BLE security key.

I need to use Concur on my Android phone and the authentication flow does not support security keys. What do I do if my Google account policy is limited to only security keys?

More browsers, applications, and services now support web-based authentication and have native support for security keys. However, there are a number of use cases where security keys can't be used. These include legacy platforms like Internet Explorer and legacy native mobile apps that use embedded WebViews. Also, if you're using Chrome Remote Desktop on a remote workstation, you might not be able to plug a security key into that remote USB port.

For these cases, we support security codes. Security codes are one-time use codes generated by users with a security key on a platform that supports them.

Security codes are an optional setting for users in the Advanced Protection Program, configured in the same place where enrollment itself is allowed. Note that using security keys directly is more secure than also allowing security codes, and we recommend that admins use caution when allowing users to use security codes.

Applications access

Why is access to apps being controlled?

By default, apps that require high-risk Gmail and Google Drive access are automatically blocked. Exceptions are all Google apps, Apple native iOS apps, and the Mozilla Thunderbird mail client.

Don’t users already have to explicitly authorize any app? How does this add value?

Users can be tricked into giving high-risk access to apps. The Advanced Protection Program is intended to protect the highest-risk users, so we want to control this app phishing threat.

Some apps are critical for our business. How can I allow them to be used?

Admins can approve access for specific connected apps. The admin-maintained list of approved apps is honored: any app that is considered high-risk (see above) and is not on the admin-approved list is blocked.

We use GCDS and GSPS for syncing identities and passwords with our on-premises source of truth. Will they be blocked, or are they allowed access?

Google first-party apps, including GCDS and GSPS, are automatically allowed access without any admin action.

Gmail scanning

What additional Gmail protections do Advanced Protection Program users get?

Advanced Protection Program users with appropriate licenses get enhanced pre-delivery scans and Security Sandbox enabled. Enhanced pre-delivery scans are available for all G Suite editions. Security Sandbox is only available to Enterprise edition users.
