Is Google Advanced Protection the only safe way to use Yubikey?

mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Fri Mar 26, 2021 6:55 am why have dedicated hardware for a Google account then?
I don't know, I don't think it's necessary and I'm not aware of a security advantage.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

JohnFiscal wrote: Fri Mar 26, 2021 6:38 am
Lynette wrote: Thu Mar 25, 2021 10:41 pm Thanks. I seem to have misunderstood how APP works. I just ordered two Titan security keys. I bought a third Chromebook and have registered it with a new Google Account. It does not matter if I am locked out of it as it is for experimentation. The way I have 2FA set up now, it does not allow me to use SMS or Google Backup Codes as it did before I registered the Phones Security Key and Yubikeys.
Are you particularly buying a new Chromebook for each new Google account? Can't Chromebooks accept more than one Google account?

My impression from "Googling" is that they can handle multiple Google accounts. Even my tiny Google Pixel phone has three Google accounts, one with the Advanced Protection. It seems like there would be little risk in setting up your "throwaway" Google Account (the one you don't care if you lose access to), or rather accessing it, on one of the other Chromebooks.

I do understand that dedicated hardware is sometimes the best security solution.

Or perhaps there is a risk in accessing multiple Google accounts from a single hardware? I would like to know more of this risk.
Of course - one can use one Chromebook but the scammer scared me. So I bought a dedicated Chromebook for finance with a new email address. The new Chromebook is for experimentation! The next task is to open another 1Password account on my experimental Chromebook to see if it supports multiple Yubikeys for 2FA. I also bought a wonderful little Asus Zenbook for travel so that I can use Photoshop. I was down to 4 computers but now I am back up to 6! It gets a bit complicated!
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

After this thread I went out and bought Bitdefender (5 devices) and installed it on my Macbook Pro, Phones and PC.

Using GAP - with two Yubikeys and iPhone as key.

Can you share a little bit more about the ransomware experience w/o giving too much away? Would be beneficial to others - certainly for me.

Thanks for what you have shared - what a drag and hopefully it is long behind you.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Fri Mar 26, 2021 12:27 pm After this thread I went out and bought Bitdefender (5 devices) and installed it on my Macbook Pro, Phones and PC.

Using GAP - with two Yubikeys and iPhone as key.

Can you share a little bit more about the ransomware experience w/o giving too much away? Would be beneficial to others - certainly for me.

Thanks for what you have shared - what a drag and hopefully it is long behind you.
Sure. I bought a soil test from a university bookstore. They had a data breach. I did not pay much attention as my credit is frozen. I do not get many calls on my landline as the number is unlisted and I have had it for many years. Then I got calls:

1. Trying to get my Social Security number.

2. Trying to get my Medicare Number

3. Fraudulent charge on Capital One card

Capital One sent me an email asking if a charge embedded in a Paypal account was fraudulent. I confirmed it was and got a new card. There was another fraudulent charge - someone trying to wire money somewhere else. Capital One had reversed it. They issued me with a new card.

4. Ransom Demand for $6,000

I got an email in my scam folder from someone asking for $6,000 or else they would send something or other to my contacts. They correctly gave me a password I had used. I was so unnerved that I deleted the email without examining it sufficiently. That was not the password for my main email account.

5. Another Fraudulent Charge on Capital One account

I thought that they had had enough of me but then there was another fraudulent charge on my new credit card. Capital sent me an email and I called back to confirm that the charge was fraudulent. This time they took it seriously and shut down my account. In another thread on Bogleheads I asked how the scammer did this. Someone kindly replied that the scammer marked the Paypal Account as recurring. Capital One automatically updated and used my new credit card number.

So this is why I now have 1Password and am locking down my email and financial accounts (where possible) with 2FA.

Thanks to you and everyone for assistance.

Lynette
Last edited by Lynette on Fri Apr 02, 2021 12:19 pm, edited 3 times in total.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

Yeah - we have a LAN line that came with our cable internet - and that line gets so many scammers - hello - this is Microsoft, hello this is Social Security etc - I used to curse them out - I'd act dumb and keep messing with them giving them wrong credit card numbers - telling them to hang on I'll be right back.... I only get one scam on my mobile - which is about a car warranty expiring which I have to immediately block - doesn't occur too often.

I installed a new phone on the LAN and that has blocked everyone - I've had only one call on that phone get through since I've had it (over two months) - my CPA! It shows that it has blocked over 50 calls (I had 3 blocked calls today.) I love it - finally peace and quiet.

No more politics, scams, donations etc - all gone.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Fri Mar 26, 2021 3:09 pm Yeah - we have a LAN line that came with our cable internet - and that line gets so many scammers - hello - this is Microsoft, hello this is Social Security etc - I used to curse them out - I'd act dumb and keep messing with them giving them wrong credit card numbers - telling them to hang on I'll be right back.... I only get one scam on my mobile - which is about a car warranty expiring which I have to immediately block - doesn't occur too often.

I installed a new phone on the LAN and that has blocked everyone - I've had only one call on that phone get through since I've had it (over two months) - my CPA! It shows that it has blocked over 50 calls (I had 3 blocked calls today.) I love it - finally peace and quiet.

No more politics, scams, donations etc - all gone.
Do you use Google voice? I bought a second Samsung phone with the possible objective of getting rid of my VOIP phone.

I was able to put the new play email account on my Samsung phone, enroll in APP on my experimental Chromebook, add the phone as a security key and add another 3 Yubikeys. I am becoming more comfortable with the idea of using APP on my two real accounts. I have cleared out most of the data from my email accounts and even many blogger accounts of my vacations. I never look at the stuff. I am also going to shred a lot of stuff I never use etc. etc. I guess I need to thank the scammer.

Thanks John and mptfan!

Lynette
simpletone
Posts: 79
Joined: Sat Oct 17, 2020 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by simpletone »

Lynette,

I will share that the patterns you identified (calls, emails, credit card fraud, etc.) are unfortunately becoming the norm for many people. I have lived with this for years. Once your info gets out there, it is a very difficult thing to get your digital life back. You are doing all of the right things, so your exposure will be reduced significantly; however, the noise level may never return to what it was (it has not for me).

Keep going, you are on the right track.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

Lynette wrote: Fri Mar 26, 2021 4:39 pm
rebellovw wrote: Fri Mar 26, 2021 3:09 pm Yeah - we have a LAN line that came with our cable internet - and that line gets so many scammers - hello - this is Microsoft, hello this is Social Security etc - I used to curse them out - I'd act dumb and keep messing with them giving them wrong credit card numbers - telling them to hang on I'll be right back.... I only get one scam on my mobile - which is about a car warranty expiring which I have to immediately block - doesn't occur too often.

I installed a new phone on the LAN and that has blocked everyone - I've had only one call on that phone get through since I've had it (over two months) - my CPA! It shows that it has blocked over 50 calls (I had 3 blocked calls today.) I love it - finally peace and quiet.

No more politics, scams, donations etc - all gone.
Do you use Google voice? I bought a second Samsung phone with the possible objective of getting rid of my VOIP phone.

I was able to put the new play email account on my Samsung phone, enroll in APP on my experimental Chromebook, add the phone as a security key and add another 3 Yubikeys. I am becoming more comfortable with the idea of using APP on my two real accounts. I have cleared out most of the data from my email accounts and even many blogger accounts of my vacations. I never look at the stuff. I am also going to shred a lot of stuff I never use etc. etc. I guess I need to thank the scammer.

Thanks John and mptfan!

Lynette
Yeah - I've also setup Google voice but have yet to use it for my 2FA on accounts that don't use an authenticator or key (ex all my banks.) I feel my phone is very secure but I may switch to G Voice - we'll see.

Anyhow - great info on what you went through it will definitely help others.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Thanks to everyone for assistance. I am probably the long-suffering IT support staff's worst nightmare with my "experimentation". Google identified "suspicious activity" on my cellphone! It was me - with my "experimentation". I have assessed the risks I think that I face and tried to address them. For example, I do not back up computers as I don't have much of value to me that is not already backed up by other sources except for my lousy photos. I ruthlessly deleted content from email, google's blogger etc. that I did not think I needed anymore.

I now have three Google email accounts enrolled in Google's Advanced Protection Program. I have enabled two factor authentication on all websites where possible. As I am neurotic I have 8 Yubikeys! But except for Google and Vanguard (with its limitations), I do not have accounts at websites that use them. I use authenticators at Fidelity, Amazon, Adobe and Microsoft. I like them although I realize the risk if I lose my phone.

I absolutely love 1Password. It took some time to become comfortable with how to use it especially with some websites that have restrictions on the number of characters and symbols, etc. I have scanned images there of my passport, healthcare documents and even my Covid vaccination record and so forth. I also spent a lot of time reviewing questions for resetting my password on sites that use them and stored the answers in 1Password.

I have now had enough! I am going to return to my hobbies such as Photography and opportunities offered to me as a recent Master Gardener. However, I will review my financial accounts frequently.

Thanks so much!

Lynette
skis4hire
Posts: 101
Joined: Thu Oct 11, 2018 12:54 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by skis4hire »

I use authenticators at Fidelity, Amazon, Adobe and Microsoft. I like them although I realize the risk if I lose my phone.
For any sites that are authenticator-only, you can back up the authenticator data.
If you use a program like andOTP, you can literally export a backup file (option for password protected) that you can save to your computer or a USB stick, etc.

The other way is when setting up the authenticator, enter the same 'secret' (or scan the same QR code) into multiple authenticator apps - one on your phone, one on the chromebook or PC, different phone, etc.

You can actually use the Yubikey for this as well - with the Yubico Authenticator app on Android, iOS and PC. It functions just like any other authenticator app, but the data is saved to the Yubikey, so you need the key present for the app to generate the codes. (Must be Yubikey like 4,5, etc., not the Blue "Security Key by Yubico").
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

skis4hire wrote: Fri Apr 02, 2021 2:02 pm
I use authenticators at Fidelity, Amazon, Adobe and Microsoft. I like them although I realize the risk if I lose my phone.
For any sites that are authenticator-only, you can back up the authenticator data.
If you use a program like andOTP, you can literally export a backup file (option for password protected) that you can save to your computer or a USB stick, etc.

The other way is when setting up the authenticator, enter the same 'secret' (or scan the same QR code) into multiple authenticator apps - one on your phone, one on the chromebook or PC, different phone, etc.

You can actually use the Yubikey for this as well - with the Yubico Authenticator app on Android, iOS and PC. It functions just like any other authenticator app, but the data is saved to the Yubikey, so you need the key present for the app to generate the codes. (Must be Yubikey like 4,5, etc., not the Blue "Security Key by Yubico").
Thank you.
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

Lynette wrote: Fri Apr 02, 2021 12:41 pm I have 8 Yubikeys!
Awesome!

I have 4 keys. Had two older models and got new "5" series a couple months ago.

I keep track of these in an Excel spreadsheet (for better or worse). There's a formatted table that lists each key, its "nickname"...sites often ask for one, not that it is meaningful to them, and a checkmark indicating accounts that have the particular key registered. This is so I don't get confused on what key is used for a particular account; I always have at least 2 keys registered.

Some of the sites I use the keys on include: Vanguard, Twitter, Facebook, Norton (Symantec), Global Entry (for me and for my wife), and others.

In fact, the Excel spreadsheet I mentioned also includes any backup phone number used for SMS or other purpose associated with each log-in.

I keep the Excel spreadsheet on encrypted drives (main laptop drive and backup external drives). But I am so cautious with this particular file due to other contents that it itself is encrypted using the latest built-in Excel encryption, which is "full strength" these days. And I gave it a long "crypto" password.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

skis4hire wrote: Fri Apr 02, 2021 2:02 pm
I use authenticators at Fidelity, Amazon, Adobe and Microsoft. I like them although I realize the risk if I lose my phone.
For any sites that are authenticator-only, you can back up the authenticator data.
If you use a program like andOTP, you can literally export a backup file (option for password protected) that you can save to your computer or a USB stick, etc.

The other way is when setting up the authenticator, enter the same 'secret' (or scan the same QR code) into multiple authenticator apps - one on your phone, one on the chromebook or PC, different phone, etc.

You can actually use the Yubikey for this as well - with the Yubico Authenticator app on Android, iOS and PC. It functions just like any other authenticator app, but the data is saved to the Yubikey, so you need the key present for the app to generate the codes. (Must be Yubikey like 4,5, etc., not the Blue "Security Key by Yubico").
I thought I would try to import the Authenticator apps into a second phone. I set up a second Android phone and signed in with my gmail account. I had to use a Yubikey to sign in. I imported my data from the backup. It installed everything correctly except the Authenticators! It is a Microsoft Authenticator. I notice that Microsoft uses a Yubikey now. At some time in the future I will unenroll from the accounts where I use it and use a Yubikey for Microsoft. I will have to find another Authenticator. I cannot use Authy as I cannot remember the password I use for backup. I promised myself I would not "experiment" anymore and return to normal life!

Thanks!

Lynette
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

JohnFiscal wrote: Fri Apr 02, 2021 10:26 pm
Lynette wrote: Fri Apr 02, 2021 12:41 pm I have 8 Yubikeys!
Awesome!

I have 4 keys. Had two older models and got new "5" series a couple months ago.

I keep track of these in an Excel spreadsheet (for better or worse). There's a formatted table that lists each key, its "nickname"...sites often ask for one, not that it is meaningful to them, and a checkmark indicating accounts that have the particular key registered. This is so I don't get confused on what key is used for a particular account; I always have at least 2 keys registered.

Some of the sites I use the keys on include: Vanguard, Twitter, Facebook, Norton (Symantec), Global Entry (for me and for my wife), and others.

In fact, the Excel spreadsheet I mentioned also includes any backup phone number used for SMS or other purpose associated with each log-in.

I keep the Excel spreadsheet on encrypted drives (main laptop drive and backup external drives). But I am so cautious with this particular file due to other contents that it itself is encrypted using the latest built-in Excel encryption, which is "full strength" these days. And I gave it a long "crypto" password.
I am impressed with your knowledge of encryption. Windows 10 Pro is supposed to have encryption. I upgraded two PCs to Windows Pro at $99 each. I bought another small one for travel so that I can use Photoshop. It also has Windows Pro. I store any sensitive data on Google Drive or 1Password.

Do you have a Yubikey NFC? If so, have you found a keychain for it that will allow you to remove it quickly. I am struggling to find such a keychain. I do not think the Yubikey can be on a keychain when you use it on the back of a phone.

Lynette
kevinf
Posts: 843
Joined: Mon Aug 05, 2019 11:35 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by kevinf »

Lynette wrote: Sat Apr 03, 2021 9:47 am If so, have you found a keychain for it that will allow you to remove it quickly. I am struggling to find such a keychain. I do not think the Yubikey can be on a keychain when you use it on the back of a phone.

Lynette
https://www.amazon.com/gp/product/B00JBOUKTC/
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

I'm using a military type (like dog tags) ball chain necklace - just wear it at all times. I certainly don't carry my car keys all the time - too bulky and inconvenient.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

kevinf wrote: Sat Apr 03, 2021 12:08 pm
Lynette wrote: Sat Apr 03, 2021 9:47 am If so, have you found a keychain for it that will allow you to remove it quickly. I am struggling to find such a keychain. I do not think the Yubikey can be on a keychain when you use it on the back of a phone.

Lynette
https://www.amazon.com/gp/product/B00JBOUKTC/
Thanks - I ordered one. I have tried several!
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Sat Apr 03, 2021 12:11 pm I'm using a military type (like dog tags) ball chain necklace - just wear it at all times. I certainly don't carry my car keys all the time - too bulky and inconvenient.
Where do I buy one on Amazon?
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

I'm impressed with Yubikeys and I can throw money into redundancy by getting more. But as I was inexperienced when I tried to set up Authy, I am finding it impossible to recover. If I had saved photos of the bar codes, I may have been OK. Probably this is what makes it a secure app but there is minimal support even if you are willing to throw money at it.

I am using Microsoft Authenticator for Microsoft, Amazon and Adobe. I should have saved the bar codes during initial installation. They work very well while I am at home but if I lose my phone, I lose access to Microsoft, Adobe and Amazon. None of these are high value accounts as I don't have money with them and as they want my money for new products, there is probably some support or better documentation than Authy. Yubico Authenticator also gets bad reviews. Probably also inexperienced users like me.

I am also using Symantec VIP Access for Fidelity. It works like a charm and I only have 30 seconds to enter the number. But again I did not save the bar code. However, if I have problems, Fidelity support is great. In addition I can always march down to one of the two offices that are within three miles of my house.

In essence, these apps are working well but I am concerned about getting access to these accounts if my phone is lost or stolen or if I have to install them on a new phone. In time I will probably simply downgrade 2FA on them to sms. on Amazon, and Adobe. Yeah for my 8 Yubikeys and yeah for 1Password that stressed again and again that I had to download and save the Barcodes.

Time for coffee and an ice cream cone and some exercise!
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

Lynette wrote: Sat Apr 03, 2021 12:54 pm
rebellovw wrote: Sat Apr 03, 2021 12:11 pm I'm using a military type (like dog tags) ball chain necklace - just wear it at all times. I certainly don't carry my car keys all the time - too bulky and inconvenient.
Where do I buy one on Amazon?
I ordered a titanium one for about 18.00 - check amazon 2.4 mm 30 inches (this is the standard military length)
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Sat Apr 03, 2021 1:39 pm
Lynette wrote: Sat Apr 03, 2021 12:54 pm
rebellovw wrote: Sat Apr 03, 2021 12:11 pm I'm using a military type (like dog tags) ball chain necklace - just wear it at all times. I certainly don't carry my car keys all the time - too bulky and inconvenient.
Where do I buy one on Amazon?
I ordered a titanium one for about 18.00 - check amazon 2.4 mm 30 inches (this is the standard military length)
Thanks - ordered one but not sure I will use it as I have 8 Yubikeys. I must give up on Authy! Can't get it to work. I tried all day.

Thanks for your help.

Lynette
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

Lynette wrote: Sat Apr 03, 2021 6:07 pm
rebellovw wrote: Sat Apr 03, 2021 1:39 pm
Lynette wrote: Sat Apr 03, 2021 12:54 pm
rebellovw wrote: Sat Apr 03, 2021 12:11 pm I'm using a military type (like dog tags) ball chain necklace - just wear it at all times. I certainly don't carry my car keys all the time - too bulky and inconvenient.
Where do I buy one on Amazon?
I ordered a titanium one for about 18.00 - check amazon 2.4 mm 30 inches (this is the standard military length)
Thanks - ordered one but not sure I will use it as I have 8 Yubikeys. I must give up on Authy! Can't get it to work. I tried all day.

Thanks for your help.

Lynette
Like many things - I found Authy only worked for a few things - so I deleted it as it was a waste of time. Also I only need one key for everything. Not sure why you would need more than one key.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Sat Apr 03, 2021 6:09 pm Also I only need one key for everything. Not sure why you would need more than one key.
Lol, I only need one key but I was terrified of being locked out of my accounts as I started on this journey of upgrading my security in a panic when I got the scammer's demand for $6.000. If I had done it slowly and deliberately over years (as I should have), I would have been more confident of my ability to recover. Live and learn on how important online security is!

Thanks for your assistance.

Lynette
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Sat Apr 03, 2021 6:09 pm Like many things - I found Authy only worked for a few things - so I deleted it as it was a waste of time.
I discovered that the reason I could not download any apps from the Play Store on my phone was that I used the google account that I had enrolled in Google's Advanced Protection Plan. I do not know if this only applies to me as I had problems with it and had to verify it several times. I was not able to download apps on another phone with the same account in APP. It seems APP offers a lot of protection.

I created another google account for unimportant websites and used it on the other phone. I was able to download apps on it. I definitely waste too much time on "experimenting" but I am too stubborn and waste too much time on finding out why things don't work!
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

Lynette wrote: Sun Apr 04, 2021 12:05 pm I discovered that the reason I could not download any apps from the Play Store on my phone was that I used the google account that I had enrolled in Google's Advanced Protection Plan.
I don't think that is the reason because I am enrolled in the Advanced Protection Program and I use that google account on my Android phone and I am able to download apps from the Play store on my phone.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Sun Apr 04, 2021 4:37 pm
Lynette wrote: Sun Apr 04, 2021 12:05 pm I discovered that the reason I could not download any apps from the Play Store on my phone was that I used the google account that I had enrolled in Google's Advanced Protection Plan.
I don't think that is the reason because I am enrolled in the Advanced Protection Program and I use that google account on my Android phone and I am able to download apps from the Play store on my phone.
This is what I found in a website:

https://www.androidpolice.com/2020/03/1 ... matically/

Play Protect is Android's built-in malware protection, but it's not switched on by default for all users and can be disabled in settings. If your device is registered with Advanced Protection, Play Protect will now be turned on automatically and will be required to remain on. Since it scans 100 billion apps each day and uses machine learning to verify their safety, it's a no-brainer that this should be a feature of Advanced Protection.

The other big new change is that the installation of apps from sources other than the Play Store will now be severely limited on Advanced Protection devices. There are exceptions to this, however, such as app stores pre-installed by manufacturers that are deemed safe sources and anything installed via adb (Android Debug Bridge). It's also worth pointing out that apps you may have already installed won't be retrospectively assessed and removed.


I think that I can use apps such as Authy in the Play Store but not download them.

I also found this reference.

https://support.google.com/googleplay/a ... 2853?hl=en

Maybe one can turn off Play Protect but keep on the requirement to scan. I was too scared to try. It took me too much courage and time to install the Advanced Protection Program. I do not want to disable and then enroll again as it logs me out of all of my too many computers!
ErRyTour
Posts: 25
Joined: Tue Apr 23, 2019 10:56 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by ErRyTour »

JohnFiscal wrote: Fri Apr 02, 2021 10:26 pm
I keep track of these in an Excel spreadsheet (for better or worse). There's a formatted table that lists each key, its "nickname"...sites often ask for one, not that it is meaningful to them, and a checkmark indicating accounts that have the particular key registered. This is so I don't get confused on what key is used for a particular account; I always have at least 2 keys registered.

Some of the sites I use the keys on include: Vanguard, Twitter, Facebook, Norton (Symantec), Global Entry (for me and for my wife), and others.
You can register all your Yubikeys with each website, you don't need to pick and choose a particular key for a particular service. More importantly, you can use the Yubikeys for multiple accounts on the same service (see https://developers.yubico.com/U2F/Proto ... ation.html). So, no need to track any key for any service or any account on that service.

For example, you have Vanguard, Twitter, Facebook, Norton, and Global Entry. Let's say your wife has Twitter, Facebook, Global Entry as well.

Use your four keys to register on all your services with your accounts. Use your four keys to register on all your wife's services with her accounts.

Now, keep one key with you, your wife keeps one key with her, you keep one key stashed somewhere in the house, and you keep one key at the bank safe box, in case your house burns down. If you lose a key, go buy a replacement while you pull the "house" one into use.

If you sign up for a new service that accepts Yubikey, you'll need to get all four keys and register them on that new service.
ErRyTour
Posts: 25
Joined: Tue Apr 23, 2019 10:56 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by ErRyTour »

Lynette wrote: Sat Apr 03, 2021 1:29 pm I am using Microsoft Authenticator for Microsoft, Amazon and Adobe. I should have saved the bar codes during initial installation. They work very well while I am at home but if I lose my phone, I lose access to Microsoft, Adobe and Amazon. None of these are high value accounts as I don't have money with them and as they want my money for new products, there is probably some support or better documentation than Authy. Yubico Authenticator also gets bad reviews. Probably also inexperienced users like me.

I am also using Symantec VIP Access for Fidelity. It works like a charm and I only have 30 seconds to enter the number. But again I did not save the bar code. However, if I have problems, Fidelity support is great. In addition I can always march down to one of the two offices that are within three miles of my house.

In essence, these apps are working well but I am concerned about getting access to these accounts if my phone is lost or stolen or if I have to install them on a new phone. In time I will probably simply downgrade 2FA on them to SMS on Amazon and Adobe. Yeah for my 8 Yubikeys and yeah for 1Password that stressed again and again that I had to download and save the Barcodes.

Time for coffee and an ice cream cone and some exercise!
Don't downgrade to SMS. If you are concerned, just reset to use a new TOTP secret key, but this time, store the secret key. That is what I do - I do not bother generating recovery codes. Since I keep the secret key (I use the character string, not the bar code because the bar code typically embeds data like their domain name and your email address. I like my TOTP keys to be a mystery to other people), I can move to a new phone any time I want to. I can switch TOTP applications any time I want to. I can generate the TOTP numbers from my computer any time I want to.

Also, you can avoid using the Symantec VIP application and use your preferred TOTP application to handle the code generation for Fidelity too. Symantec VIP is basically TOTP with their own sauce to make the keys look different.
ErRyTour
Posts: 25
Joined: Tue Apr 23, 2019 10:56 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by ErRyTour »

Lynette wrote: Sun Apr 04, 2021 5:59 am
rebellovw wrote: Sat Apr 03, 2021 6:09 pm Also I only need one key for everything. Not sure why you would need more than one key.
Lol, I only need one key but I was terrified of being locked out of my accounts as I started on this journey of upgrading my security in a panic when I got the scammer's demand for $6.000. If I had done it slowly and deliberately over years (as I should have), I would have been more confident of my ability to recover. Live and learn on how important online security is!

Thanks for your assistance.

Lynette
No, you need more than one key - you should have at least two.

Consider the scenario where you lose the key, or it got fried - you would still have access to your accounts by using the backup.

For an individual, I think you should have a minimum of three keys - one on your person, one at home, and one off-site.

For your eight keys, you could send some to your brothers/sisters as off-site backups.
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

Lynette, you are again misinterpreting what you quoted and you are apparently misunderstanding what play protect does. Play protect does NOT prevent you from downloading apps from the play store...

Google Play Protect helps you keep your device safe and secure.

It runs a safety check on apps from the Google Play Store before you download them.
It checks your device for potentially harmful apps from other sources. These harmful apps are sometimes called malware.
It warns you about any detected potentially harmful apps found, and removes known harmful apps from your device.
It warns you about detected apps that violate our Unwanted Software Policy by hiding or misrepresenting important information.
It sends you privacy alerts about apps that can get user permissions to access your personal information, violating our Developer Policy.

https://support.google.com/googleplay/a ... 2853?hl=en

Notice the first line...it runs a safety check on apps from the play store before you download them...so obviously you can download apps while using play protect. Again, I have APP and play protect on my google account and I download apps from the play store so I can attest to the fact that you can download apps while enrolled in APP.
Last edited by mptfan on Mon Apr 05, 2021 9:24 am, edited 4 times in total.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Mon Apr 05, 2021 7:35 am Lynette, you are again misinterpreting what you quoted and you are apparently misunderstanding what play protect does. Play protect does *not* prevent you from downloading apps from the play store.

Google Play Protect helps you keep your device safe and secure.

It runs a safety check on apps from the Google Play Store before you download them.
It checks your device for potentially harmful apps from other sources. These harmful apps are sometimes called malware.
It warns you about any detected potentially harmful apps found, and removes known harmful apps from your device.
It warns you about detected apps that violate our Unwanted Software Policy by hiding or misrepresenting important information.
It sends you privacy alerts about apps that can get user permissions to access your personal information, violating our Developer Policy.

https://support.google.com/googleplay/a ... 2853?hl=en

Notice the first line...it runs a safety check on apps from the play store before you download them...so obviously you can download apps while using play protect. Again, I have APP on my google account and I download apps from the play store.
Thanks. Then it seems that there is something wrong with my settings - somewhere. One day I will try again. I did something wrong somewhere on that account. I had the same issue when I signed in with it on another phone with that account. One day when I am really bored, I may investigate further. I have already spent about two days on it so I will live with it as it is!

Thanks,

Lynette
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

ErRyTour wrote: Mon Apr 05, 2021 12:10 am
Don't downgrade to SMS. If you are concerned, just reset to use a new TOTP secret key, but this time, store the secret key. That is what I do - I do not bother generating recovery codes. Since I keep the secret key (I use the character string, not the bar code because the bar code typically embeds data like their domain name and your email address. I like my TOTP keys to be a mystery to other people), I can move to a new phone any time I want to. I can switch TOTP applications any time I want to. I can generate the TOTP numbers from my computer any time I want to.

Also, you can avoid using the Symantec VIP application and use your preferred TOTP application to handle the code generation for Fidelity too. Symantec VIP is basically TOTP with their own sauce to make the keys look different.
Thanks - Sounds great. I need to figure out how to do this without locking myself out of my accounts. Some time I will get around to doing some more experimenting on my all too numerous computers and phones.

Thanks,

Lynette
Last edited by Lynette on Mon Apr 05, 2021 10:58 am, edited 1 time in total.
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

rebellovw wrote: Sat Apr 03, 2021 6:09 pm Also I only need one key for everything. Not sure why you would need more than one key.
I think you need at least two security keys to enroll in the Google Advanced Protection Program. Even if you could enroll with only one key I do not think that would be wise.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

mptfan wrote: Mon Apr 05, 2021 9:26 am
rebellovw wrote: Sat Apr 03, 2021 6:09 pm Also I only need one key for everything. Not sure why you would need more than one key.
I think you need at least two security keys to enroll in the Google Advanced Protection Program. Even if you could enroll with only one key I do not think that would be wise.
Yes definitely. I'm talking about wearing a key around your neck - you only need the one.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

ErRyTour wrote: Mon Apr 05, 2021 12:16 am
Lynette wrote: Sun Apr 04, 2021 5:59 am
rebellovw wrote: Sat Apr 03, 2021 6:09 pm Also I only need one key for everything. Not sure why you would need more than one key.
Lol, I only need one key but I was terrified of being locked out of my accounts as I started on this journey of upgrading my security in a panic when I got the scammer's demand for $6.000. If I had done it slowly and deliberately over years (as I should have), I would have been more confident of my ability to recover. Live and learn on how important online security is!

Thanks for your assistance.

Lynette
No, you need more than one key - you should have at least two.

Consider the scenario where you lose the key, or it got fried - you would still have access to your accounts by using the backup.

For an individual, I think you should have a minimum of three keys - one on your person, one at home, and one off-site.

For your eight keys, you could send some to your brothers/sisters as off-site backups.
You only need to keep one key with you - you don't need to wear two or more keys. But that is a good point regarding the 3rd key offsite - or perhaps I'll get a 3rd key to hide in one of the cars.
Last edited by rebellovw on Mon Apr 05, 2021 11:22 am, edited 1 time in total.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Mon Apr 05, 2021 7:35 am Lynette, you are again misinterpreting what you quoted and you are apparently misunderstanding what play protect does. Play protect does NOT prevent you from downloading apps from the play store...
What an idiot I have been!!! :oops: :oops:

I do not use my phone much - only for emergency calls when I am out and for my phone's great cameras that rival my other fancy cameras. Play Store was actually downloading the apps but I did not know where to look for them. From the Home Screen I usually scroll up to see the Apps. I needed to scroll right to see all of the additional apps!

Thanks for your help!

Lynette
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Again, a great thanks to everyone for their assistance. I got a report from Chase Credit Journey that my email address was exposed - probably phishing. The email address was correct at that point in time in August 20. Now I have to use my Yubikey when I sign into a new device. There was a data breach on an unimportant website I used. I now have a new email account for unimportant accounts into where I sign up. There was another data breach that was not reported. I got an email from the company. This is where they got my credit card number.

I feel so much more secure as I am enrolled in the Advanced Protection Program. I am thankful to the Google Security Team. I also feel more secure using 1Password. I think it is an outstanding password manager.

Thanks again!

Lynette
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

ErRyTour wrote: Sun Apr 04, 2021 11:54 pm
JohnFiscal wrote: Fri Apr 02, 2021 10:26 pm
I keep track of these in an Excel spreadsheet (for better or worse). There's a formatted table that lists each key, its "nickname"...sites often ask for one, not that it is meaningful to them, and a checkmark indicating accounts that have the particular key registered. This is so I don't get confused on what key is used for a particular account; I always have at least 2 keys registered.

Some of the sites I use the keys on include: Vanguard, Twitter, Facebook, Norton (Symantec), Global Entry (for me and for my wife), and others.
You can register all your Yubikeys with each website, you don't need to pick and choose a particular key for a particular service. More importantly, you can use the Yubikeys for multiple accounts on the same service (see https://developers.yubico.com/U2F/Proto ... ation.html). So, no need to track any key for any service or any account on that service.

For example, you have Vanguard, Twitter, Facebook, Norton, and Global Entry. Let's say your wife has Twitter, Facebook, Global Entry as well.

Use your four keys to register on all your services with your accounts. Use your four keys to register on all your wife's services with her accounts.

Now, keep one key with you, your wife keeps one key with her, you keep one key stashed somewhere in the house, and you keep one key at the bank safe box, in case your house burns down. If you lose a key, go buy a replacement while you pull the "house" one into use.

If you sign up for a new service that accepts Yubikey, you'll need to get all four keys and register them on that new service.
Maybe things have changed, but I have registered hardware keys for some sites that restricted the number of keys.

I do have all four keys registered at the sites that I use most often, and that take that many keys. Some sites I haven't updated as I don't access them very often (once a year, if that).

Edit to add: as I remembered, Twitter only provided for a single security key (presumably to be used with alternative 2FA for backup). Hence my "table" to indicate which key(s) were used where. It only came about in the past few days that Twitter provides more than the one hardware key.
https://www.theverge.com/2021/3/15/2233 ... or-privacy
"Twitter also said Monday it will allow multiple security keys on a single account; until today, it only allowed one key per account,"
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

Just throwing this out there as a "public service announcement". I am not a security key expert. But here is an important tip to new key users.

Some sites may prompt you for the PIN for the key, some don't. Yubikey Series 5 keys don't have a default PIN (https://support.yubico.com/hc/en-us/art ... cal-Manual). The number of characters for the PIN in Series 5 is 4 to 128 characters (see that manual I linked to).

What happens is that the first time you type in "some" PIN it gets written to the key memory and that becomes the key's PIN, any other site that asks for the key PIN must have the same PIN entered. You'll be prompted for the PIN when registering the key and then on subsequent log-ins; but only if that site uses protocols that require the PIN.

What really happens is that if you're not aware of this (as I was not, so this happened to me) you type in some value and, without realizing it, you've marked that key "forever". So, be sure to think about this ahead of time and decide what PIN you want to use. I have seen a number of posts in Reddit, etc, from people who don't remember entering a PIN, having totally forgotten about it, until at some later time they need it, but don't remember it. You can use the Yubi Key Manager software to change the PIN (and this may have further effects as well), but then the key will have to be re-registered with all pertinent sites...better have another option to log into that site so that you can re-register that key.

Yes, I did the same thing, entered PINs when registering for some site and then entirely forgetting, until last night. I actually thought that the PIN was rather like the memorable "name" that some sites give you the option of entering, these names can vary with each site, they're not written to the key (as far as I know, and this seems to be the case). Fortunately I had used PIN values that I could deduce what they might be (not all the same) so I could recover them.

Not all sites require the key PIN on log-in. Vanguard does not (for me), but Facebook does. Using the same keys.

For example, today I checked my Vanguard log-in. All 4 of my Yubi keys are registered (Series 4 Nano, Series 4 blue Security Key, Series 5 USB with NFC, and Series 5 blue Security Key with NFC ...IMO the cheaper blue Security Keys are adequate for most people, including me). I was not prompted for a PIN with any of those keys. Then I checked my login.gov account. Again, all four keys are registered but at this site they all prompted for a PIN (except the Series 4 Nano does not). Same thing with Facebook, all four keys are registered at the site but they all prompted for a PIN (except the Series 4 Nano does not). So, 3 sites, 4 keys, Vanguard doesn't prompt me for a PIN, the other sites do. I plan to do further review of this but didn't have time before now and I figured I would post now to get it out there.

Presumably this has to do with the evolution of the various protocols: FIDO and FIDO2, and U2F.


Edit to add: It's a bit of an annoyance. You log in, get prompted to tap your key, you tap the key, get prompted to enter the key PIN, then you get prompted a second time to tap the key, you do so and then you're in. I am so used to tapping my Nano key once and I'm in to Vanguard right away, no typing.
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

I was not aware that some sites require you to enter a pin to register a security key, that has not happened to me yet. Maybe that is a new thing, part of the evolution of the security protocols? I don't know, but thanks for the heads up. It does sound like a pain in the posterior, but it does make the account even more secure than using a security key without a pin (is that possible?) because if someone stole your security key they would not know your pin.
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

mptfan wrote: Thu Apr 08, 2021 12:57 pm I was not aware that some sites require you to enter a pin to register a security key, that has not happened to me yet. Maybe that is a new thing, part of the evolution of the security protocols? I don't know, but thanks for the heads up. It does sound like a pain in the posterior, but it does make the account even more secure than using a security key without a pin (is that possible?) because if someone stole your security key they would not know your pin.
Agree that it is more secure to use the PIN.

I need to try this on my Google accounts...log out, then log back in with the key and see if I am prompted. I don't recall ever being prompted for a PIN but I want to test this. ...

Okay, I just tested, logged out of one Google account, uses hardware keys but not APP. I was not prompted for a PIN. I find this odd and confusing. I'll have to try with the APP account.

I wish that Google did not default to the "yes, I wanna remember this computer" setting on log-in. It is easy to miss that little option and not realize it's been checked. Some sites default the other way, "don't remember", so that you're forced to use the 2FA each log-in...I prefer this for some accounts. As I recall, even the APP acts the same way, defaults to "remember".
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

Yahoo is the only account that I have that requires a pin - all others - just touching the key works.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

I noticed that there was an option on the Microsoft account to enter Security Keys. I was required to enter a pin when I registered the keys. However, when I logged back into my Microsoft Account, it did not give me the option of using a Security Key.

I think that the Security Keys have something to do with Microsoft Hello. It seems that you can possibly set it up to be used on your individual PC. It mentioned something about using it instead of your Username and Password. I gather that this is likely for business and schools. When I log into my Windows 10 PCs I do not have to sign onto Microsoft. I only enter the PC name I set up. My newest Windows PC uses Iris recognition. I look at it and it opens! Cool. It works much better than face recognition on my Samsung Galaxy Note 20 Ultra. But there is still the backup of using the computer name so I do not think that this makes it more secure.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

On the issue of Authenticators, I really like the Microsoft Authenticator. I use it for Amazon and Fidelity. I was thinking of using Authy so that I could also use it on my Chromebook and Windows PCs. But I notice that Google is no longer going to support Authy on Chrome. So I decided to stick with Microsoft's Authenticator. There is a process whereby one can recover the information on a new phone. My data on my Samsung phone is backed up by both the Samsung Cloud and Google Drive. So I imagine that I would be able to recover the data if my phone was lost or stolen.
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Thu Apr 08, 2021 2:06 pm Okay, I just tested, logged out of one Google account, uses hardware keys but not APP. I was not prompted for a PIN. I find this odd and confusing. I'll have to try with the APP account.
I registered a security key with my APP account within the last month and I was not asked for a PIN.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Thu Apr 08, 2021 9:00 pm
JohnFiscal wrote: Thu Apr 08, 2021 2:06 pm Okay, I just tested, logged out of one Google account, uses hardware keys but not APP. I was not prompted for a PIN. I find this odd and confusing. I'll have to try with the APP account.
I registered a security key with my APP account within the last month and I was not asked for a PIN.
I registered 8 keys on 4 accounts in APP and was not asked for a pin within the past week. Of the accounts I use, only Microsoft asked for a pin.
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

I am going to throw out two other tangential issues for consideration under this same umbrella of security for Google accounts.

a - I had set up a new Google account using my Google Pixel phone and elected the GAP (or APP. or GAPP). All good. I later logged out of that account on the phone. To my surprise I saw that existing emails for this account remained on the phone. All the information (email) was there, for anyone to read if they somehow had access to the phone. The only difference was that new emails could not be sent or received with that account. The existing emails for the account were only removed from the phone when I removed the account from the phone setup. This works a bit differently from my accessing Google accounts on my Windows pc; I can, and do, log out of some gmail accounts but once logged out I can't view any account emails.

So if someone has set up a GAP account on their Android phone they should be aware of this aspect. I don't know if other smart phone OSs function the same way. This was a surprise to me.

b - The Chrome browser optionally allows us to log into our Google account to gain access to a host of features and synching. I can log into Chrome with one Google account but I can also log into other gmail accounts while I am logged into Chrome as "JohnFiscal".

But what I wanted to comment on is that if I am logged into Chrome as "A" and I check gmail for "B", then log out of "B" on that browser, I can still be logged into gmail for "B" when I am on the other instance (window) of the Chrome browser logged in as "B". So logging out in one log-in does not affect other log-ins (and this makes sense).
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Fri Apr 09, 2021 10:35 am a - I had set up a new Google account using my Google Pixel phone and elected the GAP (or APP. or GAPP). All good. I later logged out of that account on the phone. To my surprise I saw that existing emails for this account remained on the phone. All the information (email) was there, for anyone to read if they somehow had access to the phone. The only difference was that new emails could not be sent or received with that account. The existing emails for the account were only removed from the phone when I removed the account from the phone setup.
You said you "logged out" of that account, but later you said you "removed the account from the phone setup." Can you describe how you logged out and how that is different than removing the account from the phone? You can go to settings, accounts, and select the google account you want to remove and remove that account from your phone, is that what you mean by removing the account from your phone? If that is correct, then I'm curious what you did differently to log out?
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

mptfan wrote: Fri Apr 09, 2021 10:41 am
JohnFiscal wrote: Fri Apr 09, 2021 10:35 am a - I had set up a new Google account using my Google Pixel phone and elected the GAP (or APP. or GAPP). All good. I later logged out of that account on the phone. To my surprise I saw that existing emails for this account remained on the phone. All the information (email) was there, for anyone to read if they somehow had access to the phone. The only difference was that new emails could not be sent or received with that account. The existing emails for the account were only removed from the phone when I removed the account from the phone setup.
You said you "logged out" of that account, but later you said you "removed the account from the phone setup." Can you describe how you logged out and how that is different than removing the account from the phone? You can go to settings, accounts, and select the google account you want to remove and remove that account from your phone, is that what you mean by removing the account from your phone? If that is correct, then I'm curious what you did differently to log out?
I stepped through this again. I logged into account "B" (the GAP account) on my Android phone; I was also logged in on my Windows 10 laptop. I accessed the account security settings for "B" on the laptop, there I was able to "kick me off" the Android phone. In this case email for "B" remained accessible on the native email app (I can toggle between accounts "A", "B", and "C"). I could not send mail (they remained queued up) or receive new mail. But all existing mail was accessible. To me this is a bit of a security risk. But it's easily avoidable...just log off on the phone directly, don't use the settings screen on another device to do so.

The thing with "logging out" is tricky. On Windows in a Chrome browser you have to log out of all accounts, you can't log out of an individual account. Sort of tedious, but can be worked around with the Chrome log-in I mentioned before. But on the Android phone you can "log out" of individual accounts; but you're not really logged out, you have to use the Android settings to "Remove Account", which entirely removes the account and its data (old emails).

My suggestion with this is to be very aware of what devices you are logged into, determine if any device presents a security risk to an account. I myself want to be very aware of these issues so that I don't accidentally "spill the beans". (not that I really have any beans to hide. other than money account access.)
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Fri Apr 09, 2021 1:52 pm But on the Android phone you can "log out" of individual accounts; but you're not really logged out, you have to use the Android settings to "Remove Account", which entirely removes the account and its data (old emails).
I still don't understand what you are saying here, how do you log out of individual accounts on the Android phone? If you logged out of account B on another device you did not "log out on the Android phone." The only way to "log out" of an account and remove its data from an Android phone is to do it on the Android phone.