How to Protect your G Suites accounts
and Emails from being Hacked

Get Googles
“Advanced Protection Program”

Guard against targeted attacks

Protect users with the
Advanced Protection Program

Advanced Protection helps you protect users who are at risk for a targeted attack, such as:

<style=”text-align: center;”=””> Google Workspace and Cloud Identity super admins or delegated admins
Political campaigns
Activist groups
Celebrities
Journalists
Business leaders
Firms dealing with cryptocurrencies
Law firms

Targeted attacks could be low-volume, carefully crafted, phishing attacks, often personalized to individuals, and can be hard to distinguish from legitimate activity. This makes targeted attacks the hardest to protect against. The Advanced Protection Program is specifically designed to thwart targeted online attacks on Google accounts.

What is the Advanced Protection Program?

The Advanced Protection Program is designed to protect Google accounts against targeted online attacks. It’s available for consumers as well as enterprise Google accounts. The Advanced Protection Program includes a curated group of high-security policies that are applied to enrolled accounts. Additional policies may be added to the Advanced Protection Program to ensure the protections are current.

Advanced Protection allows you to apply all of these protections at once, and override similar settings you may have configured manually. These policies include:

Strong authentication with security keys
Use of security codes with security keys (as needed)
Restrictions on third-party access to account data
Deep Gmail scans
Google Safe Browsing protections in Chrome (when users are signed into Chrome using the same identity as their Advanced Protection Program identity)
Account recovery through admin

Advanced Protection Program security policies

Users enrolled in the Advanced Protection Program are protected by these security policies:

Strong authentication with security keys. Advanced Protection Program enforces the use of security keys for sign-in. It uses 2-step Verification policies. You don’t have to configure 2-Step Verification policies separately, and Advanced Protection Program settings take precedence over 2-Step Verification policy settings if they are configured. Security key usage is enforced even if a domain is using a third-party IdP. Users register their keys when they enroll in the Advanced Protection Program.
Use of security codes with security keys (as needed). If your users use platforms or browsers that don’t support security keys natively, such as Microsoft Internet Explorer, you can allow users to sign in and authenticate with a special, one-time security code. Users can generate this code only on a device and browser that supports security keys, like Chrome. Using security codes with security keys weakens security. But your organization might have important workflows where security keys can’t be used directly, and in that case, security codes are required. Using security codes with security keys, while not the most secure option, is still better than using no security keys. There are security code options that control the security codes your users generate. These options give users tradeoffs between convenience and security. Go to Enable user enrollment in the Advanced Protection Program for details.
Restrictions on third-party access to account data. Apps that require high-risk scopes are blocked unless they’re explicitly trusted by admins, or on the default list of trusted apps. Default trusted apps available for Advanced Protection are:

Google Native Apps
Apple Native iOS Apps
Apple Mail on MacOS
Mozilla Thunderbird

Deep Gmail scans. Enhanced pre-delivery scanning of incoming emails is automatically enabled to identify phishing attempts. Also, for Enterprise users the security sandbox feature is turned on to provide deep scanning of attachments for unknown malware.
Google Safe Browsing protections in Chrome.  Reduces a user’s exposure to risky downloads in Google Chrome. When signed into Chrome using the same identity as their Advanced Protection Program identity, users receive a warning if Google Safe Browsing can’t verify that a file is safe. This warning tells users to proceed with caution and check the reputation of the source of the file to be sure the file is safe to download.
Account recovery through admin. Advanced Protection includes strict account recovery for users who have lost their security keys and have to come to you to regain access to their accounts.

Admin requirements

Advanced Protection Program enrollment can be enabled by these admins:

Super admin or delegated admin with the privileged  Security Settings

What’s next: enable user enrollment

Enable user enrollment in the Advanced Protection Program