Advanced Protection Program FAQ

Yes. You can use the Advanced Protection Program with accounts that federate from an IdP using SAML. When users with these accounts enroll in the Advanced Protection Program, we’ll require security key use after the user signs in on the IdP. Note that SAML users can select Remember the device to avoid challenges on a browser or device.

Two security keys are required for added assurance. If one key is lost or damaged, users can use the second key to regain account access.

The behavior is the same as for users who are not enrolled in the Advanced Protection Program. In general, users are remembered on the device or browser they use to sign in to Google Workspace, and 2SV challenges do not occur during future sign-ins on that same browser or device. Also, there’s an Admin control that can prevent users from using security keys.

You can use Bluetooth Low Energy (BLE) security keys to communicate with mobile devices and authenticate your Google account. During the sign-in process, you are prompted to download and use the Google SmartLock app from the Apple appstore. SmartLock is required to communicate with the BLE security key. 

More browsers, applications, and services are support web-based authentication and have native support for security keys. However, there are a number of use cases where security keys can't be used. These are legacy platforms like Internet Explorer, or legacy native mobile apps that use embedded WebViews. Also, if you're using Chrome Remote Desktop on a remote workstation, you might not be able to plug a security key into that remote USB port.

For these cases, we support security codes. Security codes are one-time use codes generated by users with a security key on a platform that supports them.

Security codes are optional for users in the Advanced Protection Program in the same place where enrollment itself is allowed. Note that using security keys directly is more secure than also using security codes, and we recommend that admins use caution when allowing users to use security codes.

By default, apps that require high-risk Gmail and Google Drive access are automatically blocked. Exceptions are all Google apps, Apple native iOS apps, and the Mozilla Thunderbird mail client.

Users can be tricked into giving high-risk access to apps. The Advanced Protection Program is intended to protect the highest risk users, so we want to control this app phishing threat.

Admins can approve the access of certain connected apps. The Admin initialized list of approved apps is honored and any app that is considered high-risk (see above) and not in the admin approved list is blocked.

Google first party apps, including GCDS and GSPS, are automatically allowed access without any admin action.

Advanced Protection Program users with appropriate licenses get enhanced pre-delivery scans and Security Sandbox enabled. Enhanced pre-delivery scans are available for all editions. Security Sandbox is only available to Enterprise edition users.