You need to make this Gmail change now
With AI-fueled attacks on Gmail and other email platforms, there has never been more focus on attack-resistant account security. This becomes even more critical as threat actors find ways to bypass or steal 2FA codes, setting fire to our safety nets. Google has decided to change how we log into Gmail, but you need to take a different approach.
It’s now time to stop using passwords and 2FA. Microsoft has confirmed its intent to move its billion-plus users to passkeys, rendering passwords and 2FA redundant. But critically, Microsoft has also said it’s not enough to set up a passkey: users need to delete their passwords as well, otherwise the password leaves a vulnerable route open into an account.
Google has acknowledged the same issue. When Google started to roll out passkeys in 2023, it was hailed as the end of the password. But passwords will remain, it says, “for example when using devices that don’t support passkeys yet.” And while it isn’t yet talking mass deletion, it has said that creating a passkey “allows us to pay closer attention to the sign-ins that fall back to passwords. Over time, we’ll increasingly scrutinize these as passkeys gain broader support and familiarity.”
As I reported last week, the latest 2FA bypass attacks will accelerate change. And while Google will seemingly resolve the SMS-based 2FA vulnerabilities by replacing codes with QR codes, that’s an odd decision and it doesn’t actually fix the real problem. Ignore any changes to 2FA and follow the much more critical advice: set up passkeys on all your accounts that support them. That certainly includes Gmail and any other email you use.
When you do set up your passkey, change your password to something horribly long, complex and unique, and add the strongest 2FA method you can. The password remains a fallback route into the account, so it still needs to be strong, but you won’t use it often, so it doesn’t have to be convenient. Clearly don’t use SMS unless you have no choice.
Longer term, now that Microsoft has been open with its users on all the reasons they need to delete passwords and move wholesale to passkeys, notwithstanding some of the teething issues that remain, what should Google/Gmail users expect? If 2023 was “the beginning of the end of the password,” in its own words, when will come the mandatory push to passkeys with the password/2FA combination finally deleted?
Rather than address the SMS issue, I’d rather see Google and Microsoft push to take passkeys to the next level. Deadlines and a combination of incentives to change and disincentives to stick with the old. No change should be made to 2FA without it being couched in a passkey campaign as the first option. Better securing 2FA as a fallback is fine, but we don’t want to see this as a common login tool.
As I’ve said elsewhere, email is a Byzantine technology that is ripe for disruption. We’re not there yet, with either Gmail or Outlook or any of the other platforms, thus the Xmail tease. But kudos to Google for some of the changes it’s bringing. Shielded email addresses, for example, will make a huge difference in the fight against scams. What we need to see next is transparent on-device scam detection, as we’re seeing in the mobile OS world. That would at least be a start in a much needed email modernization.
Now you’ve finished the article, go set up your passkey unless you’ve done so already. It’s the best way you have of keeping your account safe and secure.