Your Gmail account is set to get a number of welcome security upgrades, but enabling them might mean jumping through several more hoops than expected.
The changes affect what Google calls “sensitive actions” in Gmail, which cover a number of areas, and if the email service detects anything potentially suspicious, the user will be challenged with a “verify it’s you” prompt.
In a blog post, Google said the changes will help boost security for users across the platform, but some may find the alerts over-bearing or even suspicious in themselves, potentially leading to even more confusion.
Gmail security boost
Google categorizes sensitive Gmail actions in several categories, each of which it says can allow threat actors or criminals to compromise a user’s account:
- Filters: creating a new filter, editing an existing filter, or importing filters
- Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings
- IMAP access: Enabling the IMAP access status from the settingsEmpty list
If any of these are triggered, users will be sent their verification check, which typically takes the form of a two-step verification action such as approving a notification on their paired device, or entering an SMS code.
If the user fails their verification challenge, or doesn’t complete it in time, they are sent a “Critical security alert” notification on their trusted device (pictured below), which the user can employ to lock down their account.
The feature will be rolling out to all Google Workspace customers and users with personal Google Accounts now, with no end user action required, although Workspace customers will need to have Google as the identity provider, as SAML is not yet supported.
The news is the latest security update for Gmail in recent months as Google looks to ensure its platform remains safe for users everywhere. Recently, the company added client-side encryption (CSE), a means of protecting and controlling access to personal or corporate data, to Gmail, helping offer an extra layer of protection, as this should mean that no-one can read sent emails or calendar entries but those in an organization and the recipients.
