In a short but powerful post on August 23rd in the official Google Workspace update feed, Gmail users are advised to set up two-factor verification now. The notice comes as Google begins rolling out an important new security alert system to protect account holders when "sensitive actions" are taking place affecting their Gmail account.
Updates from 25.08. and 26.08. below. This article was originally published on August 24th.
The new security applies to certain sensitive actions in Gmail
The sensitive actions that Google refers to relate specifically to three things in Gmail:
Create, edit or insert a filter.
Add a new forwarding address through the Forwarding and POP/IMAP settings.
Enable IMAP access mode in settings.
What happens when you take a sensitive action in Gmail?
Google said it will "evaluate the session by attempting the action" to determine the level of risk. It hasn't spelled out exactly how this analysis works, which is understandable since it wants to minimize the opportunities for malicious actors to manipulate the process. However, if any of the above sensitive actions are determined to be unsafe, Gmail will display a message asking you to further verify the account owner's identity. This requires a “second and trusted factor” to be completed, for example entering a 2FA code via an authenticator app, text message or phone call, using Google prompts, or a hardware security key.
If the user does not complete this verification challenge, or an invalid action causes it to fail, a critical security alert will be sent to all trusted devices listed for this account. This gives the user another chance to confirm it was them, or take the appropriate steps to secure their Gmail account if not.
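Defenders can apply the same idea to their own mail audit data: flag any of the three sensitive changes made in a session that has no passed second-factor challenge before it. The sketch below is an added example, not Google's logic and not part of the original article; the JSON event schema, event names and sample events are constructed for illustration.

```python
import json

# Constructed sample events. The schema and event names are hypothetical,
# not a real Google Workspace log format.
SAMPLE_LOG = """
{"ts":"2023-08-24T09:00:02Z","user":"alice@example.com","session":"s1","event":"2fa_challenge","result":"passed"}
{"ts":"2023-08-24T09:00:10Z","user":"alice@example.com","session":"s1","event":"filter_create"}
{"ts":"2023-08-24T09:01:00Z","user":"bob@example.com","session":"s2","event":"message_read"}
{"ts":"2023-08-24T09:01:30Z","user":"bob@example.com","session":"s2","event":"forwarding_address_add"}
{"ts":"2023-08-24T09:02:00Z","user":"carol@example.com","session":"s3","event":"2fa_challenge","result":"failed"}
{"ts":"2023-08-24T09:02:05Z","user":"carol@example.com","session":"s3","event":"imap_enable"}
{"ts":"2023-08-24T09:03:00Z","user":"dave@example.com","session":"s4","event":"filter_edit"}
{"ts":"2023-08-24T09:03:40Z","user":"dave@example.com","session":"s4","event":"2fa_challenge","result":"passed"}
"""

# The three categories of sensitive action named in the article.
SENSITIVE_ACTIONS = {"filter_create", "filter_edit", "filter_insert",
                     "forwarding_address_add", "imap_enable"}


def review(log_text):
    """Return findings for sensitive changes not preceded by a passed 2FA challenge."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # same-format ISO-8601 UTC strings sort by time
    challenge = {}  # session id -> most recent challenge result seen so far
    findings = []
    for e in events:
        if e["event"] == "2fa_challenge":
            challenge[e["session"]] = e["result"]
        elif e["event"] in SENSITIVE_ACTIONS:
            state = challenge.get(e["session"], "none")
            if state != "passed":
                findings.append({
                    "user": e["user"],
                    "session": e["session"],
                    "action": e["event"],
                    # A change attempted after a failed challenge is the worst case.
                    "severity": "critical" if state == "failed" else "review",
                })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Because events are processed in time order, a challenge passed only after the change (session s4 in the sample) does not clear the finding.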
Update 08/25: In a post on the official Google Workspace blog, Yulie Kwon Kim and Andy Wen, Vice President and Director of Product Management, respectively, announced that the use of artificial intelligence is increasing to ensure security, confidentiality and compliance remain at the heart of organizations. Workspace is designed to be cloud-native and "built on zero-trust principles, complemented by AI-powered threat prevention," they wrote.
This recent announcement introduces new controls for zero trust, digital sovereignty, and threat mitigation, all powered by Google AI.
Google's AI will "automatically and continuously sort and label data in Google Drive." This then enables the application of privacy controls, including data loss prevention and context-sensitive access, based on policies.
There are also improvements in client-side encryption, with the addition of mobile app support for Calendar, Gmail, and Meet.
In addition to 2FA protection for sensitive actions in Gmail, Google makes 2FA “mandatory for select company admins.” This requirement will be phased in beginning later this year, initially for "select manager accounts" of resellers and larger enterprise customers. Later this year, in preview form, there will also be a "Multi-Party Approval" requirement for sensitive actions such as changing 2FA user settings. A request from one admin must be approved by another to complete the action.
Update 08/26: Several readers have complained that setting up 2FA for your Gmail account, i.e. enabling it for your Google account, is not random at all as stated in the article. As an example, look at the first comment on this story, where someone says "Google wants cellphone numbers for its own agenda" and forces Gmail users to give out cellphone numbers or be banned from their own accounts. That's wrong. I agree, that would be wrong if that were the case. But it's not. Google is happy to allow anyone not only to create a Google account without entering a phone number, but also to choose which second factor to use for 2FA on their account. Sure, the first option will always ask you for a mobile phone number, but there is always a way to see more options. Here you will learn that having a Google account with 2FA but without a cell phone number is not only entirely possible, it's really, really easy.
If you want to enable a second factor without a number for Gmail 2FA, you must first go to your Google account by right-clicking on your account avatar and selecting the option to manage your Google account. From here, go to Security and then 2-Step Verification.
The first option lets you receive 2FA codes via SMS or phone call and will ask for your phone number. It should be noted that Google clearly states that the number is only used for account security. However, if you do not want to provide this, click Show more options. You are now offered the option to use a hardware security key, which is the most secure of the 2FA methods available. However, this requires the purchase of physical keys, and setup can be confusing for non-technical users. The second option, Google Prompt, is the easiest for the vast majority of users. This lets you have an instant notification sent to any device that is already connected to your Google account. This can be your phone, a tablet, a laptop or a computer. The prompt shows a number in your device's notification, which you then select to confirm that you're trying to access the account.
As Google itself says, "It's easier to tap a prompt than to type in a verification code. Prompts can also help protect against SIM swapping and other phone number violations."
After enabling this first option for 2FA and if available, Google prompt will always be the default. Alternatively, you can select other options. Again, not all of them require entering a mobile phone number. You can use an authenticator app like Google Authenticator or Authy. If you use a password manager and are considering not doing so, some of the top managers include authentication code generation as part of their offering. I would recommend using a dedicated authentication app as it adds another layer of separation to the process. Finally, you can save or print out a selection of backup codes to use if you don't have access to any of the other 2FA options. Of course, these should be kept very safe.
What Gmail users should do now
As a regular Gmail user, you don't actually have to do anything to configure this new protection from critical security alerts. If Google determines that the sensitive action taken is dangerous, it will automatically display the confirmation message.
However, Google recommends that Gmail users turn on 2FA if they haven't already, to prepare for such a prompt. It's a fairly simple process and you can find the full steps here. Enabling 2FA protects your Google account from malicious takeover, so it's a no-brainer from a security standpoint.
Google encourages Workspace account admins to visit Help to learn about the options available, including the ability to temporarily disable login prompt messages.
The new system is rolling out now, but it may be a week or two before users see these messages.