Google has warned me that: “We believe that attackers backed by certain states may be attempting to compromise your account or computer”. There’s a good chance this is because of the Stratfor hack, though it may also be for anti-pipeline/activism related reasons.
For a couple of years now, I have been using the two-factor authentication (2FA) option they offer, in which you need to enter your password as well as a rapidly-changing passcode from a smartphone app in order to access your account. I also keep a close eye on the access logs they provide under “Last account activity” and “Details” at the bottom of the Gmail screen. Having 2FA turned on means someone with just your password cannot access your account. This is valuable for many reasons. If you recycle passwords between different accounts, a breach in one place might spread to another. Attackers may also use phishing (setting up a real-looking login page and tricking you into entering your login credentials) to steal a password.
Since the security of my Google account is so important, I bought two physical access tokens and joined their free Advanced Protection Program. Now, to log in, I need my password and one of the keys. It also adds other security enhancements, like a more complex process for recovering an account which you have been locked out of. The keys aren’t Google-specific, so I may eventually be able to use them to authenticate myself to other important accounts as well.
Advanced Protection has already involved some headaches. I generally prefer Firefox because of its open source community and because it seems to have the most extensions for blocking ads, controlling which scripts run on websites, and protecting privacy. With Advanced Protection, I can now only use Google services through Chrome.
Even more of a hassle is that Google Calendar no longer works on the Apple-made Calendar app on my iPhone and iPad. I can’t even use the Google Calendar app because my iPhone is too old to run a version of iOS new enough to be supported. On my iPad, I installed the Smart Lock app which is meant to log me into the Gmail, Google Calendar, and YouTube apps. Unfortunately, it produces only an endless loop. A login window comes up, I enter my username and password, I authenticate using the Bluetooth token and… it kicks me right back to entering my username. It’s a fairly old iPad and not running the newest iOS either, so perhaps that’s the problem.
Calendar sharing across devices including my phone is pretty essential for me, but I also want to do everything possible to protect my Gmail account. For that reason, I have switched to Apple’s iCloud calendar-sharing system, which works on both my Macs, my iPhone, and my iPad. Maybe when my ancient iPhone 4 finally dies and I replace it with something that runs a modern version of iOS I will be able to get Smart Lock to work.