In a brief but important August 23 post on the official Google Workspace update feed, Gmail users were advised to set up two-factor verification (2FA) now. The advice comes as Google begins rolling out a new critical security alert system to protect account holders when “sensitive actions” affecting their Gmail account are taken.
Updates from August 25 and August 26 below. This article was originally published on August 24.
New security measures apply to certain sensitive Gmail actions
The sensitive actions Google refers to relate specifically to three things within Gmail:
Creating, editing or importing a filter.
Adding a new forwarding address via the Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) settings.
Enabling IMAP access in settings.
What happens when you take a sensitive action in Gmail?
Google has stated that it will “evaluate the session in which the action is performed” to determine the level of risk. It has not said exactly how this analysis works, which is understandable, as the aim is to minimize the opportunity for malicious actors to manipulate the process. However, if any of the above sensitive actions is judged risky, Gmail will display a prompt asking for further verification of the account owner’s identity. This requires completing a “second and trusted factor”, for example entering a 2FA code from an authenticator app, text message or phone call, approving a Google Prompt, or using a hardware security key.
Critical security alerts are sent to all trusted Google devices
If the user does not complete this verification challenge, or fails it, a critical security alert is sent to every trusted device listed for the account. This gives the user another opportunity to confirm their identity or, if it was not them, to take the appropriate steps to secure their Gmail account.
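As an added illustration, here is a Python model of the flow described above: the three sensitive action families, a session-risk gate, the second-factor challenge, and the fan-out of a critical alert to every trusted device when the challenge is failed or abandoned. This is example code, not Google's implementation; the action names, the risk signals and the alert format are assumptions, since Google has not disclosed how its evaluation works.

```python
"""Illustrative model of Gmail's sensitive-action step-up flow (added example,
not Google's code; action names, risk signals and alert format are assumed)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple

# The three action families the article names as "sensitive" (names assumed).
SENSITIVE_ACTIONS = {
    "filter.create", "filter.edit", "filter.import",
    "forwarding.add_address",   # new forwarding address via POP/IMAP settings
    "imap.enable",              # turning on IMAP access
}

class ChallengeResult(Enum):
    PASSED = "passed"
    FAILED = "failed"
    ABANDONED = "abandoned"     # user never completed the prompt

class Outcome(Enum):
    ALLOWED = "allowed"         # not sensitive, or session judged low risk
    VERIFIED = "verified"       # sensitive and risky, second factor passed
    ALERTED = "alerted"         # challenge failed/abandoned: critical alert sent

@dataclass
class Session:
    user: str
    trusted_devices: List[str]
    # Constructed risk signals; Google does not disclose its real criteria.
    new_device: bool = False
    new_location: bool = False
    alerts: List[Tuple[str, str]] = field(default_factory=list)

def session_is_risky(session: Session) -> bool:
    """Placeholder for Google's undisclosed session evaluation."""
    return session.new_device or session.new_location

def handle_action(session: Session, action: str,
                  challenge: Callable[[], ChallengeResult]) -> Outcome:
    """Gate one action; `challenge` is invoked only when a step-up is required."""
    if action not in SENSITIVE_ACTIONS or not session_is_risky(session):
        return Outcome.ALLOWED
    if challenge() is ChallengeResult.PASSED:
        return Outcome.VERIFIED
    # Failed or abandoned: fan a critical alert out to every trusted device so
    # the real owner can confirm it was them or secure the account.
    for device in session.trusted_devices:
        session.alerts.append((device, f"Critical security alert: {action}"))
    return Outcome.ALERTED
```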
Update from 08/25: In a post on the official Google Workspace blog, Yulie Kwan Kin and Andy Wen, Vice President and Director of Product Management respectively, announced how the use of AI will be expanded to ensure that security, confidentiality and compliance remain at the forefront for businesses. Workspace is designed to be cloud-native and “based on zero-trust principles, complemented by AI-powered threat prevention,” they wrote.
This latest announcement unveils new controls for zero trust, digital sovereignty and threat mitigation, all powered by Google AI.
Google’s AI will “automatically and continuously classify and label data in Google Drive.” This in turn enables policy-based privacy controls, including data loss prevention and context-aware access.
There are also improvements in client-side encryption, with mobile app support for Calendar, Gmail, and Meet.
In addition to 2FA protection for sensitive actions in Gmail, Google also stated that 2FA will be “mandatory for select company admins.” This requirement will be phased in later this year, initially for “Select Administrator accounts” of resellers and the largest enterprise customers. Later this year, in preview form, there will also be a requirement for “multi-party approval” of sensitive actions, such as changing users’ 2FA settings: a request from one administrator must be approved by another before the action completes.
Update 8/26: Several readers have complained that setting up 2FA for your Gmail account, i.e. enabling it for your Google account, is anything but the given this article makes it out to be. As an example, look at the first comment on this story, where someone says that “Google wants cell phone numbers for its own agenda” and that forcing Gmail users to give out a cell phone number or be locked out of their own accounts is wrong. I agree, that would be wrong if it were the case. But it isn’t. Google happily allows anyone to create a Google account without entering a phone number, and the same goes for choosing the second factor used for the account’s 2FA. Sure, the first option offered will always ask for a mobile phone number, but there is always the option to show more choices. There you will discover that setting up 2FA on a Google account without a mobile number is not only hassle-free, it is actually very simple.
If you want to enable a second factor without a phone number for Gmail 2FA, first open your Google account by right-clicking your account avatar and selecting “Manage your Google Account.” From there, go to Security and then 2-Step Verification.
The first option lets you receive 2FA codes via SMS or phone call and asks for your phone number. Google is very clear that the number is used only for account security. If you do not want to provide it, click “Show more options” instead. You are then offered a hardware security key, which is the most secure of the available 2FA methods, but it requires buying physical keys and the setup can be confusing for non-technical users. The second option, Google Prompt, is the easiest for the vast majority of users. It sends an instant notification to any device already signed into your Google account: your phone, a tablet, a laptop or a PC. The prompt is a number that appears in the notification on your device; you select it to confirm that you are the one trying to access the account.
As Google itself says: “It’s easier to tap a prompt than to type in a verification code. Prompts can also help protect against SIM swapping and other phone number-based hacks.”
Once you have enabled 2FA with that first option (Google Prompt is the default whenever it is available), you can add others as fallbacks, and again not all of them require a mobile phone number. You can use an authenticator app such as Google Authenticator or Authy. If you use a password manager, and please consider doing so if you don’t, some of the leading providers include authentication code generation in their offering; I would still recommend a dedicated authenticator app, as it adds another layer of separation to the process. Finally, you can save or print a set of backup codes to use if you lose access to all of your other 2FA options. These, of course, should be kept very safe.
What Gmail users need to do now
As a regular Gmail user, there is nothing you need to configure for this new critical security alert protection. If Google determines that a sensitive action is risky, the confirmation prompt appears automatically.
However, Google recommends that Gmail users turn on 2FA if they haven’t already, so that they are prepared for such a prompt. The process is quite simple and you can find the complete steps here. Enabling 2FA helps protect your Google account from malicious takeover, so it is a no-brainer for security reasons.
Google encourages Workspace account admins to visit the Help pages to learn about the options available to them, including the ability to temporarily disable sign-in prompts.
Rollout of the new system is starting now, but it could be a week or two before users see these prompts.
Davey has been a veteran technology journalist and contributing editor at PC Pro Magazine for four decades, a position he has held since the first issue was published in 1994.
As a co-founder of the Forbes Straight Talking cyber video project, which won the Most Educational Content category at the European Cybersecurity Blogger Awards 2021, Davey has been a freelance technology journalist for the past 30 years. The author of 25 published books, Davey’s work has appeared in The Times, The Sunday Times, The Guardian, The Observer, The Register, Infosecurity Magazine, SC Magazine, IT Pro and Digital Health News to name a few.
Davey has received numerous awards from his peers over the decades, most recently being named Cyber Writer of the Year by Security Serious in 2020. He was previously a three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) and was named 1996 BT Technology Journalist of the Year for a pioneering piece in PC Pro Magazine entitled “Threats to the Internet”. In 2011, Davey was honored with the Enigma Award for his lifetime contribution to IT security journalism.