Before You Start — What You'll Need
Two YubiKeys (strongly recommended). Google requires at least one to enroll, but if you lose your only key, account recovery is a painful, multi-day process. Keep one as a primary and one as a backup stored somewhere safe.
A modern browser like Chrome
Your Google account password handy
What’s a YubiKey? Where can I get one?
YubiKeys are small physical security keys made by a company called Yubico. They look like a small USB stick, and they work by proving you are you when you plug one in and tap it. No batteries, no apps, no codes to type - you just plug in and touch.
They're the strongest form of multi-factor authentication available. Unlike SMS codes, authenticator apps, or push notifications, a physical security key can stop even advanced phishing attacks - the kind where an attacker tricks you into entering your credentials on a convincing fake login page. The key verifies it's talking to the real site, so a fake page simply won't work.
You can buy them directly from yubico.com or from Amazon. Other brands of FIDO2-compatible security keys will also work.
New Harbor customers: go to app.newharbor.co/security-keys and we'll handle ordering and direct shipping to individuals on your team.
What Is Advanced Protection, in Plain English?
Advanced Protection requires you to use a passkey or a physical security key to verify your identity every time you sign in. Even if someone knows your username and password, they can't get in without the key. It also prevents non-Google apps from accessing your sensitive data like email or documents, and adds extra steps to verify your identity during account recovery.
The tradeoff: Advanced Protection only allows physical security keys or passkeys as the second factor. SMS codes, backup codes, phone prompts, and authenticator apps are all disabled. That's what makes it so strong, but it's also why having two keys matters so much.
Step 1 — Go to the Enrollment Page
Open Chrome and navigate to: landing.google.com/advancedprotection
Click "Get Started."
Step 2 — Sign In to Your Google Account
You'll be prompted to sign in if you aren't already. Enter your email and password as usual.
Step 3 — Google Walks You Through the Enrollment Flow
After signing in, Google will explain what Advanced Protection does and ask you to confirm you want to proceed. Read through it, then click "Get started" or "Next" to continue.
Step 4 — Register Your First YubiKey
This is the main step. Google will prompt you to register a security key.
Plug your YubiKey into a USB port on your computer (or hold it near your phone's NFC reader if you have an NFC-capable YubiKey and phone).
Click "Create a Passkey”
On the pop up, click “Use Another Device.”
Depending on whether you have any Passkey managers on your device (such as 1Password) and whether you’re on Windows or Mac, your browser will show a pop-up asking permission to use the key — click "Allow" or "OK."
Touch the gold circle/button on your YubiKey when it starts blinking. This is how it confirms you're physically present.
If you have not used this key before you will be asked to set a PIN. This PIN is unique to the key, and you may use the same PIN for both keys. It is important that you remember this PIN; if you forget it you risk being locked out.
Give the key a familiar nickname (eg “Home,” “Keychain,” etc) that will allow you to easily identify it; that way if you lose the key, you can remove it from Google. Type the name and save it.
Step 5 — Register Your Second (Backup) YubiKey
Google will then prompt you to register a second key. Don't skip this. Repeat the same process:
Remove the first key and plug in your second YubiKey.
Follow the steps above to register the key.
Give it a distinct nickname like "Backup.”
Step 6 — Confirm and Activate
After both keys are registered, Google will show a summary and ask you to confirm enrollment. Click "Enroll in Advanced Protection" (or similar — the button wording may vary slightly).
We recommend you add your recovery phone and email at this time, in case you do ever get locked out.
Step 7 — You're Enrolled ✅
Google will sign you out of all other sessions and devices. The next time you (or anyone else) tries to sign into your account, a YubiKey will be required.
After Enrollment — Key Things to Know
Signing in going forward: Each login from a new device will ask for your password, then prompt you to insert and tap your YubiKey; if you don’t have the key, you can’t get in.
Bring one key with you when you travel: You’re not going to be asked repeatedly to use your key on existing devices, but when you are asked you must use it to reauthenticate.
Adding more keys later: You can register additional YubiKeys anytime. Go to myaccount.google.com → Security → Advanced Protection → Manage security keys.
If you lose a key: If a key is lost, sign in with your remaining key, follow the steps to remove the lost key from your account, and then add a new one. Because of the added security, it can take up to 3–5 business days for Google to verify it's really you if you've lost all your keys. This is why the backup key is so important. Don't skip it.
These keys can protect your work and personal accounts: Double check with your organization, but we always recommend to our customers to let you keep the keys forever. So please add them to your personal accounts in addition to your work accounts; you can reuse the same key for many different accounts!
Passkeys as an alternative: Physical security keys are the strongest option, but Advanced Protection also supports passkeys stored on your device or in your password manager (like 1Password or iCloud Keychain). For individuals or organizations who face high risk, reach out to discuss the tradeoffs.
NOTE: Some New Harbor customers require their team to only use physical security keys; please check with your team about which approach you’re using.