Brian Krebs has written a blog post about how Google has been using security keys to neutralize phishing of its employees. It stops the phishing quite well but comes at a high cost. No, not the hardware cost of a security dongle; it's the cost of losing third-party mail applications like Thunderbird and their add-ons like Enigmail.
I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or [others]. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenGPG email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.
(Score: 3, Informative) by darkfeline on Wednesday July 25 2018, @07:30PM (1 child)
But that's factually incorrect. You can generate app passwords for clients like Thunderbird, that don't require 2FA. A long random password is generated once which you can put in whatever client you want. There's no way to retrieve the password again afterward, and you can revoke it if it is lost/compromised. Under a domain account, the domain admin can disable that feature and strictly require 2FA only, but that is at the discretion of the domain admin; Google provides the feature.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:09PM
Another bonus of app passwords is that Google locks those out if it detects reuse but doesn't lock out your primary account access. You can just go in and change out the password.