This week, I’m following up on a message from a reader who previously wrote in about how not to get locked out of your accounts when you’re using two-factor authentication, or 2FA. Jeremy from Cape Town has also written in to ask if it’s possible to use 2FA to keep Google out of Gmail. His letter has been edited for brevity.
What Is Two-Factor Authentication?
To review: two-factor authentication is when you use two authentication factors from a list of a possible three: Something you know, something you have, or something you are. A password, for example, is something you know and a fingerprint is something you are. When you use the two together, you’re using 2FA.
In practical terms, 2FA involves an extra step you take after entering your password to absolutely prove you are who you say you are. This often involves using a one-time code generated from an app or sent via SMS, but there are many other options, including tap-to-login apps like Duo or hardware security keys like those from Yubico and other manufacturers.
2FA is good. You should use it. It’s a great way to keep the bad guys out of your accounts, but it doesn’t appear that it will do much to keep out Google.
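As an added illustration (not code from the original column), here is the arithmetic behind an app-generated one-time code, the RFC 6238 TOTP scheme that most authenticator apps use, written against Go’s standard library. It also shows why 2FA cannot hide anything from the service you log in to: the service stores the same seed and runs the same computation to check your code. The seed is the RFC’s published test secret, constructed here for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to 6 digits.
func hotp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238: the counter is Unix time in 30-second steps. The seed is the
// base32 string behind the enrollment QR code; the service keeps an identical copy.
func totp(base32Seed string, unix int64) string {
	seed, err := base32.StdEncoding.DecodeString(strings.ToUpper(base32Seed))
	if err != nil {
		panic("bad base32 seed: " + err.Error())
	}
	return hotp(seed, uint64(unix/30))
}

// verify is the service-side check: accept the current step and one step either
// side for clock drift, comparing in constant time.
func verify(base32Seed, candidate string, unix int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(base32Seed, unix+skew)), []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo seed (the RFC 6238 test secret); a real enrollment uses a random one.
	seed := base32.StdEncoding.EncodeToString([]byte("12345678901234567890"))
	fmt.Println(totp(seed, time.Now().Unix()))
}
```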
Who Sees What?
In general, Google does appear to have access to the content of your emails. Christopher Cuong Nguyen, who lists himself as a former Google employee, wrote on Quora in 2010 that a very small number of employees can access email content, and that a highly regulated path exists for information to be retrieved. This information is almost a decade old, but it does demonstrate that yes, at one point there were people who could reach into your Gmail account.
As a law-abiding company, Google says that it is required to comply with legal requests for information from governments and law enforcement. This can include the contents of your email messages, although Google points out that it strives to narrow the scope of requests it receives and requires a search warrant before handing over your photos, documents, email messages and more.
There are other ways Google uses your Gmail information. While the company no longer scans messages to generate custom ad content, it famously did for years. Even now, Gmail parses your messages enough to pull out and highlight travel information, and generate type-ahead suggestions when you write messages. Depending on your level of comfort, this might be totally fine or wildly invasive.
Google does appear to encrypt your emails, but primarily while those messages are in transit. Even if those messages are encrypted while at rest on Google’s servers, if Google is managing the encryption keys—and what I have seen implies it does—Google could still conceivably access your messages.
2FA Isn’t the Answer
I can see where Jeremy is coming from with his question. Since I control my Yubikey, and Google doesn’t, if I enable 2FA, Google shouldn’t be able to access my Gmail account. Google can, however, effect changes to accounts that are secured with 2FA.
Firing up one of my non-work Gmail accounts, I clicked the Forgot My Password option. It immediately jumped to alternate options for sign-in: sending a text to my phone, using my Yubikey, tapping an alert on a verified phone, sending an email to my recovery email address, answering a security question, entering the date I created my Gmail account, and then finally leaving an email address where I could be reached by Google to address my problem directly. If Google can grant me access to my own account without necessarily having my password or second factor, that implies that Google can do that itself.
Even Google’s Advanced Protection Program for Gmail has a kind of recovery option. When enabled, Advanced Protection requires that you enroll two different hardware security keys—one for login and another as a backup. If you lose both keys, Google says this about regaining control of your Advanced Protection Program account:
On balance, it seems like 2FA—even the extreme version of it used in Advanced Protection—is not enough to keep Google itself out of your email. For most people, that’s probably a good thing. Email accounts are an incredibly important part of an individual’s security infrastructure. If you lose a password or have to change a password, an email sent to a verified account is usually part of the process. If an attacker gains access to your email account, they could go on to use the account recovery option on websites to gain access to even more accounts. It’s important that users have a means to regain control of their accounts.
Truly Private Messages
When we talk about what can and cannot be seen in messaging systems, we’re talking about encryption, not authentication. Most services use encryption at different points in the process of sending and storing a message. Gmail, for example, uses TLS when sending a message to ensure it’s not intercepted. When a messaging service of any kind retains the keys used to encrypt your messages when they’re resting on the server, it’s a safe assumption that the company can access those messages themselves.
If you want to keep your Gmail account, but want to make your messages unreadable, you could encrypt those messages yourself. There are numerous encryption plug-ins for Chrome, or you can configure Thunderbird to encrypt your messages with PGP, a commonly used encryption scheme for email. The more expensive Yubico models can also be configured to spit out your PGP key, when needed. I am just going to be honest and say that while I am sure some of these work, I have never been able to understand them adequately. The creator of PGP famously said that even he finds the process too convoluted to understand.
What might be easier is using encryption tools to encrypt messages, then attaching or pasting the encrypted output into Gmail. You’d have to coordinate the decryption process on the other end, but the content of the email would not be readable to Google, or anyone else for that matter. Keypass.io is another service that can encrypt, decrypt, or sign text that can be used in an email.
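To make the encrypt-then-paste approach concrete, here is an added example (not from the column or from any of the tools it names) using Go’s standard library: the message body is sealed with AES-256-GCM under a key that only sender and recipient hold, and the base64 output is what goes into the compose window, so the provider stores and scans nothing but ciphertext. Getting the key to the recipient out of band is assumed; that is the coordination step the paragraph mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts body under a key the provider never sees and returns base64
// text to paste into the mail; the subject stays readable but is bound as associated data.
func sealMessage(key []byte, subject, body string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := gcm.Seal(nonce, nonce, []byte(body), []byte(subject)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(blob), nil
}

// openMessage reverses sealMessage; a wrong key, an edited blob or a swapped subject
// fails the GCM tag check instead of yielding garbage.
func openMessage(key []byte, subject, pasted string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	blob, err := base64.StdEncoding.DecodeString(pasted)
	n := gcm.NonceSize()
	if err != nil || len(blob) < n {
		return "", errors.New("not a sealed message")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(subject))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

PGP applies the same idea with the recipient’s public key in place of a pre-shared secret, which is what removes the key-coordination step.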
If you absolutely must be sure that no one but you has access to your email, there are a few options. First and foremost would be to ditch Gmail. ProtonMail, from the creators of ProtonVPN, is a service intended to respect your privacy, and does so by encrypting all your email messages—including those you send and receive from people using other email providers. Here’s how ProtonMail describes its operation:
Another option is to look beyond email. The late 2010s brought about a glut of over-the-top messaging services, which use your data connection instead of your SMS plan to send messages between devices. In recent years, many of those services have adopted end-to-end encryption, meaning that only you and your intended recipient can read your messages. Signal is the best known, and an excellent app in its own right. WhatsApp adopted the Signal protocol, and now encrypts its messages end to end. Facebook Messenger, somewhat ironically, also uses the Signal protocol for its Secret Messages mode.
Apple’s Messages platform is probably best known for its stickers and animoji karaoke, but it’s also a remarkably secure messaging system. It’s also notable because unlike other messaging services, you can send and receive messages on either your phone or your computer without granting Apple access to the content of your messages.
When it comes to using Gmail, I recommend people listen to their guts. If you’re deeply worried about your messages being read by humans or bots, try an alternative. If Gmail is really convenient for you, and you like the features it offers, stick with it. Trying to bend Gmail toward being totally secure is definitely possible, but there are so many easier alternatives. Lastly, 2FA is a great solution for keeping the bad guys out of your accounts, and that’s about it. I wouldn’t rely on it to lock out the owner of a service.