Skip to main content

What to expect from your Google Account Security

Google Account Security has been central to many of the things I have been doing of late so it was a no-brainer when it came to picking a topic to write an article for the Cyber-security awareness month.

Knowledge about your Google Account’s security is important as it helps you to understand how it works and also for the fact that it is the user's responsibility to ensure the security of their Google accounts. Presently, Google offers four (4) levels of account security on their accounts and this article presents an overview of the details of those four levels and explains how you can best decide on the level of security you require for your account and ways to manage the various security options. 

This understanding of the security levels is also very important from the account recovery perspective as the Google user-verification system looks to verify user ownership beyond all reasonable doubts using the most secure process based on the highest security level enabled on that account.

1. Default Security: It is Google’s default security, which is available on all accounts and includes a range of dynamic and robust security measures that are based on two things. An email address and a mobile phone number that you provide for all identity verification, account security and account recovery purposes. You must ensure the number you enter is a mobile phone number which can accept text messages. 

Note: While Google will display periodic reminders if an account is not updated with those options or prompt you from time to time to confirm if they are still relevant, it is your responsibility, as a responsible owner, to ensure that the contact options always remain functional and accessible.
  1. Help article on how to set up recovery options on the account: https://support.google.com/accounts/answer/183723?hl=en
  2. What happens when Google notices a sign-in from a new/unknown device: https://support.google.com/accounts/answer/7162782?hl=en
2. The 2-step Verification: This is Google’s version of 2-factor Authentication, where in addition to the password, you are asked to submit a second verification code that you would receive from either a text message (SMS), a voice call, an Authenticator app, a batch of 10 previously saved/printed/written down/downloaded backup codes or need to tap “Yes” on a confirmation prompt that is sent out to all eligible devices. It significantly reduces the chances of account hacking because even if someone is aware of the password on the account, they would still not be able to sign in unless they have access to one of the ways to generate or receive the second verification code/prompt or a trusted device which is exempted from asking for the second verification code. 

Note: Once this feature is turned on, be sure to get your backup codes and set up other backup options to avoid the common 2-step verification or account recovery problems.
  1. Help article on how to set up the 2-step verification on the account: https://support.google.com/accounts/answer/185839?hl=en
  2. Setting up 2-step verification options on your Google Account: https://blogs-on-gmail.blogspot.com/2022/09/setting-up-2-step-verification-options.html
  3. How to avoid the common issues related to 2-step verification: https://support.google.com/accounts/answer/185834?hl=en
  4. Help articles on how to sign in with:
    1. Google prompts: https://support.google.com/accounts/answer/7026266?hl=en
    2. Codes from the Authenticator App: https://support.google.com/accounts/answer/1066447?hl=en
    3. Backup codes: https://support.google.com/accounts/answer/1187538?hl=en
    4. Other backup options: https://support.google.com/accounts/answer/1188780?hl=en
3. The Passkey: This is a new security feature and it replaces the old "Phone as a security key" or "PaaSK" option where eligible devices were used as security keys. With Passkeys enabled, you can sign into your account using either your biometric data or your device's locking mechanism and it will bypass the second verification steps on accounts with 2-step verification or the Advanced Protection Program (discussed below).

The details and requirements related to Passkeys are mentioned in this help article - https://support.google.com/accounts/answer/13548313. One section I would particularly urge everyone to go through is the one titled, "Fix a problem about a lost or missing passkey" because it is vital not just from a security point of view, but also from the account accessibility perspective that you know what to do if that happens.

Note: Because this is a device-based security option, you must be mindful of the impact in cases you may need to reset, sell, repair or lend the device to anyone. In those cases, you need to ensure you have other backup options in the form of setting up another device, physical security keys or other 2-step verification options available to you.

4. The Advanced Protection Program: This is an upgrade on the 2-step verification, where in addition to the password (and other 2-step verification options), you are asked to authenticate yourself using a physical key. This protection program applies more restrictions on the types of apps, software programs and devices that can access the account.

Note: When you enable this option, it is always prudent to set up a pair of physical keys. This is to protect against the loss and theft of one, which without a replacement, can make your Google account inaccessible under certain situations.
  1. Help article on how to set up the Advanced Protection Program on the account: https://support.google.com/accounts/answer/7519408?hl=en
  2. Common questions related to the Advanced Protection Program: https://support.google.com/accounts/answer/7539956?hl=en
  3. How to order your security keys: https://support.google.com/accounts/answer/7545682?hl=en
In conclusion, no security measure is impenetrable. So adopting an advanced security measure is no guarantee that your account will not be subsequently hacked or its security otherwise compromised. The account security offered by Google works best when it is combined with other best-known practices such as keeping your phone secure against possible cloning/malware/viruses, using a strong password, safety on shared or someone else’s computer, managing account access for third-party apps and sites, and following Google’s safety tips here.

Comments

  1. This is very frustating.Phone number is a very private stuff.Its even more private then email recovery which is someone can hack into it. I think phone verification should be enough to recover my account.

    Somebody in Google please help me to recover my account. It's my life and money, my photos backup,whatsapp backup, saved passwords and adsense money are in this account.
    My old gmail id sethhoney00@gmail.com.
    Not reset my password pls help me.

    ReplyDelete
    Replies
    1. "I think phone verification should be enough to recover my account."

      -- I have heard this argument from many people and it, IMHO after almost a decade of helping users with account recovery, is a wrong one.

      That's because the other options considered by the system such as familiar device, location, browser, network among others towards account recovery offers a reasonable chance to the user in cases of the phone being lost, stolen , cloned or otherwise made inoperable.

      "Somebody in Google please help me to recover my account."

      -- Google has no email or phone support for any of their free, consumer products and services; and they have since August 2020, stopped offering manual reviews of account recovery cases, which means there is no way for you to (a) contact Google or (b) manage a review of your lost, stolen, hacked or forgotten account for the purpose of recovering it. That is also one of the reason for me to write up this blog so that those who come to read it can better secure their accounts not just to thwart attempts to hack into the account but also make it easier for themselves to recover it, if need be.

      Finally, if you want your issue to be looked at, you are welcome to post in the Google Accounts Help Community by copy-pasting this link - https://support.google.com/accounts/thread/new?hl=en. Be sure to include the relevant details regarding your issue which would help the assisting Product Expert to properly understand your issue and then offer you the necessary advise.

      Delete
  2. No matter what I try I still can't get my google account and Gmail jtony2158@gmail.com back

    ReplyDelete
    Replies
    1. I do not respond to account recovery questions here as it is an open platform. That said, account recovery process now is a DIY one that seeks to determine ownership beyond all reasonable doubts via the attempting user's access to the listed recovery and verification accounts and also to the setup comprising of device/network/location and browser the system considers familiar/trusted using the most secure process enabled on the account. So, if you do not have access to those, the recovery becomes extremely difficult if not impossible.

      Please consider posting about your issue in the specialized Google Accounts Help Community by clicking on this link: https://support.google.com/accounts/thread/new?hl=en

      Delete
  3. How do I find out who is doing this

    ReplyDelete
    Replies
    1. The best option would be to contact your local enforcement or cybercrimes department. Google is not a law enforcement organization and hence, their reports MAY NOT include references to help you locate the individual behind the action.

      That said, the easiest way to check for unauthorized account access/suspicious activity is to click on the Details link below the Last account activity link at the bottom of the Gmail Inbox page. It includes any time that your email was accessed using a regular web browser, a POP client, a mobile device, etc. and lists the IP address that accessed your email, the associated location, as well as the time and date. If you find any suspicious IP addresses that may have been used to compromise your account(use a reverse IP lookup (http://ip-lookup.net) to acquire more details about the IP and confirm that it is (or not) something suspicious.).

      You can visit the devices activity page (https://myaccount.google.com/device-activity) to check on the recent devices used to access your account and look into the details therein. You can sign out of them by clicking the 3-dot (more/overflow) icon at the top-right corner of individual device tile.

      Delete

Post a Comment

Please do not post spam or promote your own site(s). All comments are moderated and such comments will not be published.

Also, please keep your comment relevant to the topic of the article.

Finally, please do not post any of your personally identifiable information such as phone number, email address or other important details as this is an open platform.

Popular posts

Gmail 101

Wendy Durham (CWD in her A Gmail Miscellany blog and wdurham in the Gmail Help Forum ) was a Product Expert and a prolific contributor when it came to explaining the intricacies of Gmail and Google accounts. Due to changes to Gmail and Google Accounts over the recent years, some of her well-known blog articles are no longer applicable. The three most used articles have been updated here to be consistent with the current version of Gmail and in some cases, Google Account. This will keep them useful going forward as a tribute to her dedication to user education. The current version of the article is updated based on the changes introduced in the Gmail UI as of January 2022, following the announcement here .  All your Gmail basics in one place! A primer for new users of Gmail, which explains how to find your way around Google's innovative email service and to perform the basic email tasks of reading messages, sending messages and organizing your mail using Gmail's web interfac...

Revisiting Canned Responses (Templates) in Gmail

I wrote my first blog on Canned Responses here - Exploring the Advanced Tab in Gmail Settings: About Canned Responses , noting "Believe it or not, there is no article on Canned Responses in the Gmail Help Centre. Probably because it has always been a lab feature in the past and now included under the Advanced tab under Gmail settings in the new Gmail. So, today we take a look at this very popular feature in Gmail and the different ways we can use it.". That has remained the case, so with a change of UI, there is a need to rewrite the tutorial on how we can perform the following functions for a Canned Response or as they are now known, Templates . Create a Template Insert a Template Edit or Overwrite a Template Delete a Template Thankfully, the prerequisites haven't changed. To start using Templates in Gmail, it needs to be enabled from the Advanced tab under Gmail settings. As always, be sure to click on the Save Changes button on the bottom of the page. ...