Gmail Adds Extra Checks, Thwarting Sneaky Hackers

[Image: Gmail forwarding settings] Sensitive actions such as forwarding are to be protected by an extra 2FA step.

Your email contains the keys to the kingdom: If hackers can silently watch your inbox, they can also break into your other accounts—via password resets.

So Google’s adding authentication to the Gmail settings scrotes use to read your email. In today’s SB Blogwatch, we finally sort out our Passkeys setup.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: NAS Sunnyvale a/k/a Moffett Field.

But Please Don’t Use SMS

What’s the craic? Abner Li reports—“New Gmail ‘Verify it’s you’ prompt”:

Available for all
Google Workspace announced a slew of new security measures today, including an additional layer of “Verify it’s you” confirmation when doing something sensitive in Gmail. … To confirm that it’s really the account owner trying to perform the sensitive action, the user will have to perform 2-Step Verification (2SV) or other second/trusted-factor method.

“Verify it’s you” for Gmail will be available for all personal Google Accounts and Workspace customers. … It’s rolling out [now].


What should users do? Davey Winder KISSes the issue—“Set Up 2FA Now”:

Security no-brainer
Google has said that it will “evaluate the session attempting the action” in order to determine the level of risk. It hasn’t said precisely how this analysis works, but that’s understandable as it will want to minimize the capability for malicious actors to game the process.

[It] will require a “second and trusted factor” to be completed, such as inputting a 2FA code from an authenticator app, text message, or phone call, using Google Prompts or a hardware security key. … Google does recommend that Gmail users enable 2FA if they haven’t already done so in order to prepare for any such prompting. It’s an easy enough process to take, and [it] helps protect your Google account from malicious takeover—so it’s a security no-brainer.

What if you don’t have 2FA/MFA enabled? Michael Kan can make an educated guess—“Multi-Factor Challenge”:

Secondary form of authentication
It’s not clear how it’ll work for users who haven’t connected a smartphone. … However, we suspect the company will only issue MFA challenges for accounts with the feature activated.

The company has already been auto-enrolling Google accounts in multi-factor authentication (MFA), which requires you to log in with a password and a secondary step. … The prompt will ask the user making the change to sign in again through a secondary form of authentication, like a Google-generated notification on the account holder’s smartphone.

But what does “doing something sensitive” mean? Alphabet’s anonymous PR flacks flash the flim flam—“Stronger protection for additional sensitive actions”:

Specifically, actions related to:
Filters: Creating a new filter, editing an existing filter. …
Forwarding: Adding a new forwarding address. …
IMAP access: Enabling the IMAP access status.

Why those actions? Chris Smith explains why Google’s move “might prevent you from getting hacked”:

Hackers might try to set up filters inside Gmail to find specific emails, or to set up forwarding rules. … As for IMAP settings, hackers/attackers might want to access your Gmail emails from their own computers. … After all, it’s not like you visit those settings options that often.

Even strong passwords, 2FA and/or passkeys might not be enough to secure your data. There might be instances where an attacker manages to grab one of your devices where you’re already logged in. Maybe it’s someone you don’t expect to be spying on you.
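The defender's counterpart to the three settings Google now gates (filters, forwarding, IMAP) is a periodic audit of those settings. The following is an added example, not code from Google or any of the sources quoted above: it walks an exported snapshot of an account's settings and flags the patterns described in this piece, a filter that forwards or hides password-reset mail, an external forwarding address, and IMAP left enabled. The snapshot layout is an assumption modelled on the Gmail API settings resources, and every address and domain in it is constructed.

```python
# Constructed sample shaped like the Gmail API settings resources
# (users.settings.filters / forwardingAddresses / getAutoForwarding / getImap).
# Assumed layout; not a real account. Filter f1 is a benign newsletter rule,
# filter f2 is the persistence pattern the article describes.
SAMPLE_ACCOUNT = {
    "owner_domain": "example.com",
    "filters": [
        {"id": "f1", "criteria": {"from": "newsletter@example.org"},
         "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_7"]}},
        {"id": "f2", "criteria": {"query": "password reset OR verification code"},
         "action": {"forward": "collector@attacker-example.net",
                    "removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
    ],
    "forwarding_addresses": [{"forwardingEmail": "collector@attacker-example.net",
                              "verificationStatus": "accepted"}],
    "auto_forwarding": {"enabled": False},
    "imap": {"enabled": True},
}

HIDE_LABELS = {"TRASH", "SPAM"}                       # labels that bury a message
SENSITIVE_TERMS = ("password", "reset", "verification", "security", "code")


def audit_gmail_settings(account):
    """Return (severity, finding) tuples for the rarely-visited settings an
    intruder with a live session would change: filters, forwarding, IMAP."""
    findings = []
    domain = account["owner_domain"].lower()
    for f in account.get("filters", []):
        action, crit = f.get("action", {}), f.get("criteria", {})
        text = " ".join(str(v) for v in crit.values()).lower()
        if "forward" in action:                       # filter-level forwarding
            findings.append(("high", f"filter {f['id']} forwards to {action['forward']}"))
        hides = (set(action.get("addLabelIds", [])) & HIDE_LABELS) \
            or ("INBOX" in action.get("removeLabelIds", []))
        if hides and any(t in text for t in SENSITIVE_TERMS):
            findings.append(("high", f"filter {f['id']} hides messages matching '{text}'"))
    for fa in account.get("forwarding_addresses", []):
        addr = fa["forwardingEmail"]
        if not addr.lower().endswith("@" + domain):   # copies mail outside the org
            findings.append(("medium", f"external forwarding address {addr} "
                                       f"({fa.get('verificationStatus')})"))
    af = account.get("auto_forwarding", {})
    if af.get("enabled"):
        findings.append(("high", f"auto-forwarding enabled to {af.get('emailAddress')}"))
    if account.get("imap", {}).get("enabled"):
        findings.append(("low", "IMAP access enabled (mail readable from other clients)"))
    return findings
```

On the sample above the benign newsletter filter produces no finding, while the second filter is reported twice (it forwards and it buries reset mail), alongside the external forwarding address and the IMAP flag.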

Will it work? ERIFNOMI is a fan:

This seems like a sensible change. Critical and rarely modified settings should require a re-verification, especially for accounts that are left perpetually logged in.

As is NavinF:

Seems reasonable. I guess people who use SMS 2FA are gonna be annoyed, but this is a non-issue for Yubikey and Passkeys users.

But what if I don’t want to give Google my phone number? AmiMoJo sounds slightly frustrated:

How is it 2023 and people still think that 2FA is an SMS message? I use a Yubikey device, and an app on my phone. Google doesn’t have my phone number on my account, and I won’t ever add it as long as they use SMS for account recovery.

Any chance Microsoft will follow suit? sphbecker thinks not:

Microsoft is somewhat hampered by Outlook being a dinosaur of an application. As of now, it is easy to block forwarding, or trigger an admin alert when forwarding rules are set up, but no extra steps needed for the user.

Meanwhile, floyd42 tells a cautionary tale:

Reminds me of the time that someone “helped” my sister … and they added their usernames in with permission to sign into her account. … She had no idea that her “friend” had given himself a backdoor into her email [but] I was suspicious of any dudes helping my sister with something she didn’t need help with.

And Finally:

Speaking of Google:

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Richi Jennings (cc:by-nc-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
