In a brief but essential August 23 posting to the official Google Workspace updates feed, Gmail users have been advised to set up two-factor verification now. The advice comes as Google starts rolling out a new critical security alert system to help protect account holders when “sensitive actions” are taken that impact their Gmail account.
New Security Applies To Specific Gmail Sensitive Actions
The sensitive actions that Google is referring to are specific to three things within Gmail:
Creating, editing, or importing a filter.
Adding a new forwarding address from the Post Office Protocol or Internet Access Message Protocol settings.
Enabling IMAP access status from settings.
What Happens If You Perform A Sensitive Action In Gmail?
Google has said that it will “evaluate the session attempting the action” in order to determine the level of risk. It hasn’t said precisely how this analysis works, but that’s understandable as it will want to minimize the capability for malicious actors to game the process. However, if one of the aforementioned sensitive actions is determined to be risky, then Gmail will display a prompt asking for further verification of the account holder’s identity. This will require a “second and trusted factor” to be completed, such as inputting a 2FA code from an authenticator app, text message, or phone call, using Google Prompts or a hardware security key.
If the user does not complete this verification challenge, or if an invalid action causes them to fail, a critical security alert notification will be sent to all trusted devices listed for that account. This then gives the user another opportunity to confirm it was them or to take the relevant steps to secure their Gmail account if not.
What Gmail Users Need To Do Now
As an ordinary user of Gmail, there’s actually nothing that’s needed to be done to configure this new critical security alert protection. If Google determines the sensitive action being performed is risky, then it will automatically display the verification prompt.
However, Google does recommend that Gmail users enable 2FA if they haven’t already done so in order to prepare for any such prompting. It’s an easy enough process to take, and the full steps can be found here. Enabling 2FA helps protect your Google account from malicious takeover, so it’s a security no-brainer.
Google advises admins of Workspace accounts to visit the help center to discover the options available to them, including the ability to turn off login challenge prompts temporarily.
The new system is starting to roll out now, but it could take a week or two before users start seeing those prompts.