Google introduces stronger safeguards for sensitive actions taken in Gmail

Google is introducing stronger safeguards for sensitive actions taken in Gmail in order to help users intercept bad actors. These apply to specific actions including filters, forwarding and IMAP access.

More specifically, the new measures apply to the following actions:

• Filters: Creating a new filter, editing an existing filter, or importing filters.
• Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings.
• IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not)

For any of these actions, if a session is deemed risky, Google will challenge it will with a "Verify it's you" prompt. This prompt will require users to confirm their identity through a second and trusted factor, such as a 2-step verification code. 

If a verification challenge is failed or not completed, users will receive a "Critical security alert" notification on their trusted devices. These measures will ensure that only authorized users can proceed with these actions.

Google noted that this added security feature is currently limited to users who utilize Google as their identity provider and actions taken within Google products. Users relying on SAML (Security Assertion Markup Language) are not supported at this time.

The feature will be available to all Google Workspace customers and users with personal Google Accounts. There is no end-user setting for this feature, they will see "Verify it’s you" challenges if an account action is deemed risky. Google recommends users to enable 2-step verification if they haven't already.

For users in rapid release domains, the rollout will be gradual, taking up to 15 days for full feature visibility, starting on August 23, 2023. Users in scheduled release domains will experience a full rollout, with feature visibility expected within 1-3 days, beginning on September 6, 2023.