Beyond Passwords: 2FA, U2F and Google Advanced Protection


Last week I wrote a couple of different pieces on passwords, firstly about why we’re going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn’t be in a position where we’re still dependent on passwords and people needing to understand good password management practices in order for them to work properly.

This week, I wanted to focus on going beyond passwords and talk about 2FA. Per the title, not just any old 2FA but U2F and in particular, Google’s Advanced Protection Program. This post will be partly about 2FA in general, but also specifically about Google’s program because of the masses of people dependent on them for Gmail. Your email address is the skeleton key to your life (not just “online” life) so protecting that is absolutely paramount.

Let’s start with defining some terms because they tend to be used a little interchangeably. Before I do that, a caveat: every single time I see discussion on what these terms mean, it descends into arguments about the true meaning and mechanics of each. Let’s not get bogged down in that and instead focus on the practical implications of each.

Read more…