Sensitive actions in Gmail fall under three categories:
- Filters: Creating a new filter, editing an existing filter, or importing filters.
- Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings.
- IMAP access: Enabling the IMAP access status from the settings.
Each can be used to give a nefarious third party access to your emails without your awareness. Google Security Checkup already shows a warning about forwarding.
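One way to review an account for the three settings listed above, as an added example that is not from the article or from Google. It assumes the settings were already fetched as dicts shaped like the Gmail API's filter list, AutoForwarding and ImapSettings resources; the sample values and the `own_domains` allow-list are constructed.

```python
# Added example (not from the article). Inputs are dicts shaped like the Gmail
# API's filter list, AutoForwarding and ImapSettings resources, fetched elsewhere.

def audit_settings(filters, auto_forwarding, imap, own_domains):
    """Return (category, detail) findings for the three sensitive settings."""
    own = {d.lower() for d in own_domains}  # own_domains: hypothetical allow-list

    def where(addr):
        # Classify a destination address by its domain, case-insensitively.
        domain = addr.rpartition("@")[2].lower()
        return "internal" if domain in own else "external"

    findings = []
    # 1. Filters: report only those whose action forwards matching mail.
    for f in filters.get("filter", []):
        target = f.get("action", {}).get("forward")
        if target:
            crit = ", ".join(f"{k}={v!r}" for k, v in sorted(f.get("criteria", {}).items()))
            findings.append(("filter", f"{f.get('id')} forwards [{crit}] to {where(target)} {target}"))
    # 2. Forwarding: account-wide auto-forwarding.
    if auto_forwarding.get("enabled"):
        addr = auto_forwarding.get("emailAddress", "")
        findings.append(("forwarding", f"auto-forwarding to {where(addr)} {addr}"))
    # 3. IMAP access: the mailbox can be read from external mail clients.
    if imap.get("enabled"):
        findings.append(("imap", "IMAP access is enabled"))
    return findings

# Constructed sample data (not real accounts or addresses).
SAMPLE_FILTERS = {"filter": [
    {"id": "f1", "criteria": {"from": "billing@vendor.example"},
     "action": {"addLabelIds": ["Label_1"]}},
    {"id": "f2", "criteria": {"query": "invoice OR password"},
     "action": {"forward": "drop@mailbox.example"}},
]}
SAMPLE_FORWARDING = {"enabled": False}
SAMPLE_IMAP = {"enabled": True}

if __name__ == "__main__":
    for category, detail in audit_settings(
            SAMPLE_FILTERS, SAMPLE_FORWARDING, SAMPLE_IMAP, {"corp.example"}):
        print(f"[{category}] {detail}")
```

A finding here is a prompt for the account owner to confirm the setting is theirs, not proof of compromise.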
Google will “evaluate the session attempting the action, and if it’s deemed risky, it will be challenged with a ‘Verify it’s you prompt.’” To confirm that it’s really the account owner trying to perform the sensitive action, the user will have to complete 2-Step Verification (2SV) or another second/trusted-factor method.
If verification fails or is not completed, the user will get a “Critical security alert” on trusted devices to counter the attempt and lock down the accounts.
“Verify it’s you” for Gmail will be available for all personal Google Accounts and Workspace customers. In the latter case, Google has to be the identity provider with SAML not supported “at this time.” It’s rolling out starting today.