
Google Account Security

Your Google Account is the key to your devices and your data and should be protected against unauthorized access. An attacker who takes it over can not only unlock your ChromeOS device but also read your email and Google Drive files and use any passwords you have saved in Chrome. This section covers best practices for securing your Google account against attackers.

Use Strong Passwords

Your password is the first line of defense for the sensitive information in your Google Account. Using a short or easily guessed password is like leaving the key to your house under the doormat. Always use a long, unique password, or better a passphrase of several random words, and never reuse it on another site, since a breach elsewhere would then expose your Google account as well. Your Google account password serves double duty: it is also the primary credential for signing in to your ChromeOS device.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA), also known as 2-Factor Authentication (2FA), greatly increases account security by requiring two independent factors: something you know and something you have. Your password is the "something you know" and the second factor is the "something you have". The assumption behind MFA/2FA is that only the account owner holds the device that can produce the second factor, so a stolen or guessed password alone is not enough to sign in. Google offers several kinds of second factor.

Google supports various forms of MFA/2FA across its services. Multi-factor authentication substantially reduces an attacker's ability to access or take over your account. With it enabled, in addition to your username and password you must supply a one-time password (OTP) sent to you, a time-based one-time password (TOTP) generated on your device, a push-notification approval, or a response from a hardware security key to prove that you are who you claim to be.

If you have an enterprise-managed device or a company-issued account, your system administrator most likely already requires MFA/2FA.

The rest of this section describes the forms of MFA/2FA that Google supports.

Biometrics

Some Chromebooks have a built-in fingerprint reader that lets you unlock the device with a touch once you have signed in with your password after boot. With Google Smart Lock, a supported Android phone can also unlock your Chromebook when it is nearby. Biometrics are an endpoint convenience used alongside the other factors on this list, not a Google account second factor: a fingerprint stops someone who picks up your device from unlocking it, but it does nothing to stop an attacker who knows your password from signing in to your Google Account from another machine.

SMS Based One Time Pin

SMS-based one-time codes are widely considered the weakest second factor, but they still offer more protection than having no 2FA at all. With SMS codes, Google sends a text message containing a six-digit code to the mobile number on file with your account; you enter it after your password, and the code expires within a few minutes of being issued. The weakness is that the factor is really your phone number, not your phone: an attacker who convinces your carrier to move the number to a new SIM (SIM swapping), who intercepts messages on the carrier network, or who simply phishes the code from you on a look-alike sign-in page can use it in your place.

In this case, your password is the "Something You Know" and the SIM card in your mobile phone (more precisely, the phone number assigned to it) is the "Something You Have".

Mobile Phone Push Notifications (Android/iOS)

Android phones, and iOS phones with the Google app installed, can act as the second factor through Google prompts. Once your account is set up for prompts, your phone shows a notification each time someone signs in to your Google Account from a new device, with the approximate location of the attempt and buttons to approve or deny it. Only approve a prompt for a sign-in you just initiated yourself. An attacker who has your password can trigger prompts repeatedly in the hope that you tap Yes out of habit, so a prompt you did not expect means your password is probably compromised and should be changed.

OTP/TOTP

One-time passwords / time-based one-time passwords are numeric codes, usually six to eight digits long, generated by an application on a phone or other device you keep with you; dedicated hardware TOTP tokens are also available. When you enrol, Google shows a secret seed (as a QR code or a base32 string) that is stored both on Google's servers and in your authenticator; the authenticator copy should exist on a single device only. The app combines the seed with the current time, in 30-second steps, to produce the code, so each code is valid for roughly one step plus whatever clock tolerance the server allows, and the server refuses a code that has already been used. Like SMS codes, a TOTP code can still be phished: an attacker who relays your password and current code to Google within the validity window gets in.

Several applications support TOTP codes, including Google Authenticator, which is free on the Google Play Store and the iOS App Store.

In the case of OTP/TOTP, the password is the "Something You Know" and the time-based code is the "Something You Have", since it can only be generated by the application holding the secret seed.

Hardware Security Key (U2F/YubiKey/FIDO)

Google supports hardware security keys that implement the FIDO U2F standard (now part of FIDO2/WebAuthn). Each key holds private keys that are generated in the hardware and can never be extracted or copied out of it. When you sign in with the key connected over USB (or NFC/Bluetooth on supported keys), Google sends a challenge; the key signs it with the private key it generated for that site, and Google checks the signature against the public key registered to your account. Because the browser binds the site's origin into what is signed, a signature produced on a look-alike phishing site will not verify at the real one, which is what makes security keys phishing-resistant where SMS and TOTP codes are not.

Hardware security keys are among the strongest protections available, because the credential cannot be copied or phished. If you buy one, consider buying a second to use as a backup in case the primary is lost or stolen; many services, including Google, let you register multiple keys on one account. Register the backup at the same time as the primary, since a key that was never enrolled cannot get you back in, and keep it in a safe location, preferably one that can be locked.

You can visit the ChromeOS Hardware Security Keys Accessories page for a list of tested security keys and where to buy them.

In the case of U2F/FIDO keys, the password is the "Something You Know" and the signed challenge response produced by the key is the "Something You Have".