In a brief but essential August 23 posting to the official Google Workspace updates feed, Gmail users have been advised to set up two-factor verification now. The advice comes as Google starts rolling out a new critical security alert system to help protect account holders when “sensitive actions” are taken that impact their Gmail account.
08/25 update below. This article was originally published on August 24.
New Security Applies To Specific Gmail Sensitive Actions
The sensitive actions that Google is referring to are specific to three things within Gmail:
Creating, editing, or importing a filter.
Adding a new forwarding address from the Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) settings.
Enabling IMAP access status from settings.
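As an added example (not code from Google or from the original article), the following script reviews an account's current state for the three settings listed above. It assumes settings exported in the JSON shape of the Gmail API settings resources (filters, forwarding addresses, IMAP); the `audit_settings` helper, the trusted domain, and all sample values are constructed for illustration.

```python
# Added example: field names follow the Gmail API settings resources
# (filters, forwardingAddresses, imap); every sample value is constructed.
TRUSTED_DOMAINS = {"example.com"}  # assumption: the domains you own


def _external(address):
    """True when the address is outside the trusted domains."""
    return address.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS


def audit_settings(filters, forwarding_addresses, imap):
    """Return (category, detail) findings for the three sensitive settings."""
    findings = []
    for f in filters:
        action = f.get("action", {})
        target = action.get("forward")
        if target and _external(target):
            findings.append(("filter", f"{f['id']} forwards to {target}"))
        removed = set(action.get("removeLabelIds", []))
        added = set(action.get("addLabelIds", []))
        # Trashing mail, or skipping the inbox and marking it read, hides it.
        if "TRASH" in added or {"INBOX", "UNREAD"} <= removed:
            findings.append(("filter", f"{f['id']} hides matching mail"))
    for fwd in forwarding_addresses:
        addr = fwd["forwardingEmail"]
        if _external(addr):
            status = fwd.get("verificationStatus", "unknown")
            findings.append(("forwarding", f"{addr} ({status})"))
    if imap.get("enabled"):
        findings.append(("imap", "IMAP access is enabled"))
    return findings


# Constructed sample settings, shaped like the API's JSON responses.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_1"]}},
    {"id": "f2", "criteria": {"query": "security alert"},
     "action": {"forward": "drop@mailbox.invalid",
                "removeLabelIds": ["INBOX", "UNREAD"]}},
]
SAMPLE_FORWARDING = [
    {"forwardingEmail": "me@example.com", "verificationStatus": "accepted"},
    {"forwardingEmail": "drop@mailbox.invalid", "verificationStatus": "pending"},
]
SAMPLE_IMAP = {"enabled": True, "autoExpunge": True}

if __name__ == "__main__":
    for category, detail in audit_settings(SAMPLE_FILTERS, SAMPLE_FORWARDING, SAMPLE_IMAP):
        print(f"[{category}] {detail}")
```

Any finding you do not recognize is worth removing from the account's settings before changing the password and enabling 2FA.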
What Happens If You Perform A Sensitive Action In Gmail?
Google has said that it will “evaluate the session attempting the action” in order to determine the level of risk. It hasn’t said precisely how this analysis works, but that’s understandable, as it will want to minimize the ability of malicious actors to game the process. However, if one of the aforementioned sensitive actions is determined to be risky, then Gmail will display a prompt asking for further verification of the account holder’s identity. This will require a “second and trusted factor” to be completed, such as entering a 2FA code from an authenticator app, text message, or phone call, or using Google Prompts or a hardware security key.
If the user does not complete this verification challenge, or if an invalid action causes them to fail, a critical security alert notification will be sent to all trusted devices listed for that account. This then gives the user another opportunity to confirm it was them or to take the relevant steps to secure their Gmail account if not.
08/25 update: Posting to the official Google Workspace blog, Yulie Kwon Kim and Andy Wen, vice president and director of product management respectively, have announced how the use of AI is being expanded to ensure security, confidentiality, and compliance remain front and center for organizations. Workspace was architected as cloud-native and “rooted in zero-trust principles augmented with AI-powered threat defences,” they wrote.
This latest announcement reveals new zero-trust, digital sovereignty, and threat defence controls, all powered by Google AI.
Google’s AI will “automatically and continuously classify and label data in Google Drive.” This will then enable data protection controls, including data loss protection and context-aware access, to be applied based on policy.
There are also enhancements to client-side encryption, with mobile app support added for Calendar, Gmail, and Meet.
As well as the 2FA protection for sensitive actions in Gmail, Google also said it is making 2FA “mandatory for select enterprise administrators.” This requirement will be phased in starting later this year, and will initially apply to “select administrator accounts” of resellers and the largest enterprise customers. Also arriving later this year, in preview form, will be a requirement for “multi-party approval” for sensitive actions such as changing user 2FA settings. A request from one administrator will need to be approved by another for the action to complete.
What Gmail Users Need To Do Now
As an ordinary user of Gmail, there’s actually nothing you need to do to configure this new critical security alert protection. If Google determines the sensitive action being performed is risky, then it will automatically display the verification prompt.
However, Google does recommend that Gmail users enable 2FA if they haven’t already done so in order to prepare for any such prompting. It’s an easy enough process, and the full steps can be found here. Enabling 2FA helps protect your Google account from malicious takeover, so it’s a security no-brainer.
Google advises admins of Workspace accounts to visit the help center to discover the options available to them, including the ability to turn off login challenge prompts temporarily.
The new system is starting to roll out now, but it could take a week or two before users start seeing those prompts.