Summary
Google has strengthened the security of its Workspace suite by adding new challenges that users must complete when performing sensitive actions. These challenges can include entering a verification code from Google Authenticator, using a security key, or using a recovery/signed-in device.
The new challenges are designed to catch out attackers who have hijacked a user’s account. For example, if an attacker tries to change the user’s password or add a forwarding address to their email, they will be prompted to complete a challenge. If they fail to complete the challenge, the user will be notified and the attacker will be prevented from making changes to the account.
The new challenges are available for all Workspace customers and can be customized by administrators. Note that Workspace customers include all those using products such as Gmail, Calendar, Drive, or Google Docs Editors Suite (among other apps).
New Gmail Actions that would Trigger Verification
- Filters: creating a new filter, editing an existing filter, or importing filters.
- Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings.
- IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not.)
Existing Common Actions that would Trigger Verification
- View activity saved in your Google Account
- Change your password
- View saved passwords
- Turn on 2-Step Verification
- Download your data
- Change channel ownership on YouTube Creator Studio
- Change Google Ads account budget
- Buy any other product or service from Google
  - Example: Buy a Google Pixel or Nest device from Google Store
Identity Verification
The device you use to verify your identity must have been registered for at least seven days:
- A device associated with the recovery phone number for your account
- A device that’s signed in to your Google Account
- For accounts with 2-Step Verification turned on
  - A security key that’s been added to your Google Account
  - A verification code from Google Authenticator
Blog/News Key Points
- Google has strengthened the security of its Workspace suite by adding new challenges that users must complete when performing sensitive actions.
- The new challenges are designed to catch out attackers who have hijacked a user’s account.
- The new challenges are available for all Workspace customers and can be customized by administrators.
- Identity verification can use recovery/signed-in device or 2FA methods.
Wonder how many read this and go “don’t care, it’s fucking google”.
Don’t know for sure, but if this was posted in the privacy group, probably lots. OTOH, from https://www.demandsage.com/gmail-statistics/ , there are 1.8 billion active Gmail users, with 121 billion emails (probably including spam) sent a day. If you are using an Android phone (3.6 billion active phones worldwide) and not using a custom ROM, you most likely are using Google services.
Yeah I know, I was just thinking of our little community here and the general crowd in IT. I think a lot of us are inclined to try and avoid Google as much as possible.
That’s me. I’m completely moving away from Google, Microsoft and Amazon, and the process is slow, but steady. At least after the Web Integrity nonsense, I don’t trust Google anymore.