Gmail will lock important settings behind a pop-up 2FA challenge

by owner

Gmail's security pop-up to change a setting (left) and the more dramatic warning you'll get if someone fails a 2FA attempt.
Enlarge / Gmail’s security pop-up to change a setting (left) and the more dramatic warning you’ll get if someone fails a 2FA attempt.


Today Gmail only asks for your user credentials during the initial login, and that login session can last for weeks at a time. That’s not as secure as it could be, so soon Gmail will start posting two-factor authentication (2FA) challenges if you try to access any “sensitive” settings, even when you’re already logged in.

The newly protected settings are for filters, account forwarding, and IMAP. Soon, poking around in any of these options will boot you into a “Verify it’s you” 2FA prompt, and you’ll have to pass the challenge on your phone (these settings are only available on the web). If this 2FA challenge is failed or is not answered, you’ll get a bright red “Critical security alert” pop-up alerting you to the attempt on all your trusted devices.

This security pop-up is all about trying to stop attackers that have compromised your account. If someone steals your laptop, or a malicious remote desktop app turns on, and you’re already logged in to Gmail, the pop-up should at least keep the attacker away from the worst settings. Filters are a security risk since a lot of other sites notify you of purchases and sensitive changes to your account with an email, and a common first step in an attack is to hide these emails with a filter. Forwarding and IMAP both duplicate your incoming emails to other places and could allow people to quietly spy on you or steal credentials.

The rollout for this feature started yesterday and should take 15 days to roll out to all personal accounts and “rapid release” business accounts. For paid Workspace users on the slower “Scheduled release” setting, a three-day rollout will start on September 6.

Listing image by Google

Leave a Comment