Google is improving security for Gmail's most "sensitive" settings

Alfonso Maruccia

Posts: 753   +259
Why it matters: Google is bringing stronger safeguards to Gmail, which is one of the main services in the company's productivity platform (Workspace). In a few days, users will be required to pass an extra security check-up to confirm their identity while trying to modify certain options in their webmail.

A year after introducing an additional ID check for Workspace accounts, Google is now extending the extra protection layer to Gmail as well. The most popular webmail in the world is also one of the central pillars for the Workspace productivity and collaboration platform, so Google is clearly trying to cut account takeover risks by following a two-step verification approach.

The Mountain View corporation says that the extra verification step will be extended to some "sensitive actions" taken in Gmail options. Users will need to verify their identity (again) when they try to tinker with filters, add a new forwarding email address in the Forwarding and POP/IMAP settings, and enable IMAP access.

When the user engages in one of these actions, Google says, Gmail will evaluate the session where the attempt is occurring. If the attempt is deemed "risky," Google will challenge the user with a "Verify it's you" prompt on a trusted device. A 2-step verification code will then be provided to confirm the action in Gmail settings.

If the ID check-up fails or is not completed, Google will show a "critical security alert" notification on the aforementioned trusted device. The alert should also work as a scare tactic to discourage account takeover by a thief who stole the user's laptop, or for malicious remote desktop apps trying to do the same. In this case, already being logged in with Gmail won't be enough to compromise a user's Google account.

Google also notes that the new, improved security feature only supports users trusting the company as their "identity provider." SAML users are not supported yet. The feature's gradual rollout on "rapid release" domains began on August 23, 2023, with up to 15 days for "feature visibility." Scheduled rollout should start on September 6, 2023.

All Workspace customers and users with personal Google Accounts should have access to the new security feature, Mountain View says. The company also provided some additional resources for system admins to learn how to set the feature up. End users will have no settings to choose from, as they will be automatically served with a "Verify it's you" challenge if an action on their account is deemed risky.

Permalink to story.

What about the people who do not and WILL NOT use 2FA? Hmm? 2FA is flawed and irritating. Go back to asking Secret Security questions. It works better and it can't be hacked.