Google takes security very seriously, especially when it comes to logging in to your account. Even market giants such as Yahoo have fallen prey to leaks, but not Gmail. At an enterprise level, security is of utmost importance, and no amount of it can protect a network against human error. To beef up their already watertight security, the company has announced a new sign-in feature that should help strengthen it further. The feature was announced in a blog post today that says:
If your organization uses SAML to sign users in to G Suite services*, those users will soon see an additional step in the process when using Chrome as their web browser. Starting on May 7th, 2018, after signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen will provide an additional layer of security and help prevent users from unknowingly signing in to an account created and controlled by an attacker.
Google is bringing a new sign-in feature to all Google account holders. The feature is simple, yet effective and will go a long way to reduce the number of people falling prey to phishing attacks. It simply asks users to verify if the account they are signing into is their own account. Google further adds that this is designed to prevent attackers from signing users into accounts they don’t control.
This isn’t something that will directly affect all logins, but rather focuses on securing third-party logins, such as those performed by SAML SSO. In short, most users won’t ever see this screen appear.
Previously, would-be attackers could trick a user into clicking a link that would instantly and silently sign them into a Google Account that they control. It was possible because Google's SAML single sign-on (SSO), didn't require user interaction to complete a sign-in.
The extra step asks the user to ensure that the account name shown is the one they intend to sign in to. To ensure minimal disruption, Google says that this feature will only show once per account, per device. It is very likely that most users won't even see this screen, owing to the nature of logins involved.
News Source: 9to5google