Google Warns Gmail Users Ahead Of New Security Alerts—Set Up 2FA Now
In a short but important update posted on August 23 to the official Google Workspace announcements, Gmail users are strongly encouraged to enable two-factor (2-Step) verification now. The recommendation coincides with Google’s introduction of a new critical security alert system that adds protection to user accounts when certain “sensitive actions” are performed in Gmail.
New Security Applies To Specific Gmail Sensitive Actions
Google’s mention of “sensitive actions” pertains to three specific activities within Gmail:
- Creating, modifying, or importing a filter.
- Adding a new forwarding address via the Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) settings.
- Activating IMAP access status from the settings menu.
What Happens If You Perform A Sensitive Action In Gmail?
Google has stated that it will assess the session attempting one of these actions to determine its risk level. The details of that assessment are not disclosed, understandably, since publishing them would help attackers evade it. If Gmail judges a sensitive action to be high-risk, it will ask the account holder for additional identity verification. That verification requires completing a “second and trusted factor,” such as entering a 2FA code from an authenticator app, a text message, or a phone call. A Google Prompt or a hardware security key can also be used for this purpose.
If the user does not complete this verification challenge, or if the challenge fails because the action was not the account holder’s, Gmail sends a critical security alert notification to all trusted devices associated with the account. That notification gives the user another chance to confirm that the action was legitimate, or to take the steps needed to secure the account if it was not.
In an update posted on August 25th to the official Google Workspace blog, Yulie Kwon Kim and Andy Wen, Vice President and Director of Product Management respectively, announced the expanded use of AI to prioritize security, confidentiality, and compliance for organizations. They emphasized that Workspace is designed as a cloud-native platform rooted in zero-trust principles and fortified with AI-driven threat defenses.
This recent announcement introduces novel controls encompassing zero-trust principles, digital sovereignty, and threat defense, all powered by Google’s AI capabilities.
Google’s AI technology will continuously and automatically classify and label data stored in Google Drive. Those labels then drive data protection controls, including data loss prevention (DLP) and context-aware access, according to predefined policies.
Enhancements have also been made to client-side encryption, with added support for mobile apps such as Calendar, Gmail, and Meet.
In addition to the 2FA safeguarding sensitive actions in Gmail, Google has announced that 2FA will become mandatory for specific enterprise administrators. The requirement will be phased in starting later this year, initially for select administrator accounts of resellers and the largest enterprise customers. A new feature called “multi-party approval” for sensitive actions, such as modifying a user’s 2FA settings, will also arrive in preview later this year: a request initiated by one administrator must be approved by another before the action completes.
Update on August 26, 2023: It has been brought to our attention that setting up 2FA for a Gmail account, which enables it for the associated Google account, may not be as straightforward as the article initially suggested. Some readers have raised concerns about Google’s mobile phone number requirements. To clarify: Google allows users to create an account without providing a mobile phone number, and it offers second-factor options that are not tied to a phone number, so 2FA can be set up without associating the account with one. To do so, click your account avatar, select “Manage your Google Account,” open the Security section, and go to the 2-Step Verification settings.
When setting up 2FA for your Gmail account, you will encounter several options, depending on your preference and security needs.
The first option presented involves receiving 2FA codes by text message or phone call, and it asks for your phone number. Google explicitly states that the number will be used only for account security. If you prefer not to provide it, select “show more options” instead. There you can use a hardware security key, which is the most secure 2FA method available because the key only answers a challenge from the genuine Google sign-in origin, so a phishing page cannot replay it. This option does require buying physical keys, and non-technical users may find it harder to set up.
The second option, suitable for most users, is Google Prompt. It sends a sign-in prompt to any device that is already signed in to your Google account: your smartphone, tablet, laptop, or PC. The prompt appears as a notification on that device; you confirm it is you by tapping “Yes,” and in some cases by tapping the number that matches the one shown on the sign-in screen.
As Google emphasizes, “It’s easier to tap a prompt than enter a verification code. Prompts can also help protect against SIM swap and other phone number-based hacks.”
Once you have enabled the first 2FA option, with Google Prompt often being the default, you can add further methods as fallbacks, and not all of them require a mobile phone number. You can use an authenticator app such as Google Authenticator or Authy. Some leading password managers can also generate authenticator codes. A dedicated authenticator app is still the better choice, because keeping the second factor in a separate app means a compromised password vault does not hand an attacker both factors at once.
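The codes an authenticator app produces are time-based one-time passwords (TOTP, RFC 6238) built on HOTP (RFC 4226): an HMAC over a counter derived from the current time, truncated to six digits. The following is an added example written for this page, not code from Google or from any authenticator app; it implements both algorithms, decodes the base32 secret format apps exchange, and shows how a server should verify a submitted code: constant-time comparison, a small clock-skew window, and rejection of a code whose time step has already been consumed. The secret and timestamps are the RFC 6238 test vectors.

```python
import base64
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, keep `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32, often unpadded and sometimes spaced."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base64.b32decode insists on
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Return the time-step counter that matched, or None.

    The caller persists the returned counter as `last_used_counter` for the next call, which
    makes every code single-use even inside the skew window. Each candidate is compared in
    constant time so response timing does not reveal how many digits were right.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue  # this step was already redeemed: treat a repeat as a replay
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); its base32 form is what a QR code carries.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    print("8-digit code at T=59 per RFC 6238:", totp(secret, 59, digits=8))
    print("6-digit code right now:", totp(secret, int(time.time())))
```

A server that stores the returned counter and passes it back as `last_used_counter` rejects a code that was sniffed and replayed within the same 30-second step, which a bare "does the code match" check does not.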
Lastly, you can save or print a set of backup codes. These come into play when none of your other 2FA options is available. Each code works once, so store them securely: anyone who obtains a code holds a working second factor for your account.
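Backup codes are only as safe as the way they are kept on both sides. The block below is an added example for this page, not Google’s implementation, showing how a service would handle them: generate the codes from the OS random source, show them to the user once, store only a salted, iterated hash of each, and mark a code consumed on its first successful use so a leaked or re-entered code cannot be replayed. Class and function names are this example’s own.

```python
import hashlib
import hmac
import secrets

# Backup codes are short (8 digits here), so an offline attacker who steals the table can enumerate
# all 10^8 candidates; an iterated hash is what keeps that enumeration expensive.
PBKDF2_ITERATIONS = 100_000


def generate_backup_codes(count: int = 10, length: int = 8) -> list[str]:
    """Fresh codes from the CSPRNG. Display these once; the store below never keeps them in clear."""
    return ["".join(secrets.choice("0123456789") for _ in range(length)) for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """Server-side record of a user's backup codes: per-code salt and hash, plus a used flag."""

    def __init__(self, codes: list[str]):
        self.entries = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self.entries.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})

    def redeem(self, submitted: str) -> bool:
        """Consume one unused code if `submitted` matches it. Separators users type are ignored."""
        normalized = submitted.replace(" ", "").replace("-", "")
        if not normalized.isdigit():
            return False
        for entry in self.entries:
            if entry["used"]:
                continue  # a code that has been used is dead even if the digits are right
            if hmac.compare_digest(_hash_code(normalized, entry["salt"]), entry["hash"]):
                entry["used"] = True
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for entry in self.entries if not entry["used"])


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("show the user once:", " ".join(codes))
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

When `remaining()` drops to a low number the service should prompt the user to generate a fresh set, which also invalidates any old code that may have leaked.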
What Gmail Users Need To Do Now
For regular Gmail users, the new critical security alert protection needs no configuration. If Google detects a sensitive action that it judges risky, the verification prompt appears automatically.
Google does strongly recommend that Gmail users who have not already enabled 2FA (Two-Factor Authentication) do so now, so that they can answer these prompts when they appear. Enabling 2FA is straightforward, raises the security of the whole Google account, and is documented step by step in Google’s account help pages. It is a fundamental security step that is easy to implement.
For administrators of Workspace accounts, Google advises visiting the help center to review the available options, which include temporarily disabling login challenge prompts for a user if needed.
The new security system is rolling out now, and it may take a week or two before users begin to see these prompts.