Today, I wanted to sign in to one of my old Google accounts. And like all my Google accounts, this one also uses Google’s Advanced Protection Program.
If you don’t know, Google’s Advanced Protection Program is a thing you can enable for your Google account which enforces the use of 2FA (two-factor authentication) using hardware security keys, such as the popular YubiKey or Google’s own Titan Security Key. Furthermore, it disables signing in from untrusted software or “apps”. The idea behind this is to make it impossible (or really hard at least) to have your account phished.
This program is meant for people at high risk of cyberattacks, like celebrities, politicians, journalists, CEOs or any other public or important high-profile figure.
But anyone can enroll in this protection program, and being the security focused person I am, I, of course, enrolled in this program.
So, as I was saying, I wanted to sign in to a particular Google account today. I entered my password, and since I had signed in to this account on this machine in the past, I was not asked to use my security key.
I wanted to manage some account settings, hit save, and got an error popup that it could not save my settings. I refreshed the page and suddenly it said I was signed out for security reasons. So far, so good. I was asked to enter my password, and I was asked to use my security key to prove that I really am who I say I am. Odd, but everything seemed normal up to this point; since I hadn’t signed in for a while, I thought that was just a safety check.
So, I entered my password, used my security key, and then it asked for a 6-digit code it sent by email. Now this is odd. Yet another verification? But I was on the google dot com domain, it did send the code to another (recovery) email address that an attacker would not know and that I did not enter at this time, so it seemed legit. So I complied and entered the 6-digit code I received.
Suddenly, it asked me to enter a new password due to suspicious activity. Now it’s getting really odd. But I figured I’ll comply, and set a new password (I use a password manager, so I generated a long, random, unique password), not much harm in providing a random string of characters, even if this was phishing…
So, I set the new password, and Google said “success” in “recovering” my account… so they disabled the Advanced Protection Program, removed all my security keys and disabled 2FA… at this point my alarm bells went off. Why the heck would Google do this?
“Just to be safe”, no Google, disabling 2FA is the opposite of being safe. Especially if advanced protection was enabled.
I also received an email with “critical security alert”: “Someone might have accessed your Google Account using a suspicious app installed on one of your devices. You have been signed out on that device. Before signing in again, remove unsafe apps from that device and change your password.”
The thing is, I’m not using this account on any mobile device, and I only signed in to this account from this Windows machine (yes, I know, Windows… spare me for now) so Google can’t possibly know what I have installed, since I just use my browser and no “apps” (which shouldn’t even be possible with advanced protection anyway).
So, of course, I had to dig into this to find out what’s wrong:
I clicked to check activity and just got this page:
Again, Google can’t possibly know what I have installed. But I thought: What if I somehow got malware, and that malware did some key logging or session stealing? That’s something they could possibly detect (by having the same session used from another location, or signing in from an unusual location).
So, of course, I ran a quick scan with Windows Defender, which found nothing. I clicked through the Google help pages, which just told me to use some antivirus software and Google Chrome… which is questionable advice.
“Use Google Chrome”, so far, this is the most suspicious thing here.
The thing is, normally I use Firefox, but I also have Chrome installed (not signed in to Google though) for those websites that refuse to work with anything else. And Google Chrome actually has a built-in scanner, which I figured I could use since it would probably find whatever it is that upsets Google, so I did that:
Of course, nothing found…
And I doubt it would, since I don’t install pirated or untrusted software, … but backdoors and exploits are a thing, and so are silent installs, and it’s possible for malware to hide itself.
…so to be extra safe, I ran an offline scan (basically that means without the OS running):
Which did in the end find nothing either…
So, at this point, I’m starting to doubt there’s any malware on my machine. I just checked to be safe. My systems are always up-to-date, and updating is the first thing I do when I haven’t used a device for a while.
So, I decided to continue my hunt for clues in the Google Account settings…
Well, let’s click on details…
Very unhelpful. I’d like some real details.
I went through the security log:
The time sounds like the time I was changing account settings, which Google might have thought to be suspicious.
Then 2FA was turned off, which seems to be part of the reset process (which makes no sense, Google!) so there’s nothing alarming about this. After I had gone through the reset process, I of course re-added my security keys, and enabled advanced protection… Clicking on “Check activity” just returns the unhelpful popup saying suspicious app detected. 🤦🏻♀️
The only scary thing is that the removal of advanced protection is listed as “unknown device”, but I attribute that to being the default for “Google’s internal processes doing this for me” (since that’s what happened during the seemingly random reset).
With hindsight, since I was messing with account settings, this might have been seen as an automated task, since most users probably don’t revisit settings after some time of inactivity, and the suspicious app might have been “Firefox”. Considering how I was recommended to use Google Chrome in several places, it might just be an elaborate scheme to scare users into using Google Chrome, who knows.
But the bigger point is this: If I really had some malware that’s doing keylogging, or stealing sessions, or whatever, Google’s idea of “let’s turn off 2FA as part of the password reset” would have made it an easy game for an attacker. And considering I enabled advanced protection specifically for this to not happen, it feels like a joke.
In the Google account settings, there is no other device than this one here signed in, and there was no other device in the history (last 28 days) either, and my device seems to be clean. 🤷🏻♀️
So, as far as I can tell, this must be a false alarm, but the point remains: Randomly disabling 2FA as part of a security check is terrible.
I also would have preferred some real details. The Google UI is an unhelpful hell of clicking through things that bring up the same unhelpful thing, but at different places.
Share your thoughts in the comments.
Please note that, to keep things short, I did not include every possible screenshot and step, and instead opted for an overview of the situation.
tl;dr Google thought there was suspicious activity/malware (false alarm), asked me to reset my password, and also reset 2FA for me without consent, which would have been a terrible idea if this hadn’t been a false alarm, especially since I had advanced protection enabled (but it’s terrible either way).