The information below was sent via email to the IT Security Community and Frontline Notify groups on May 3, 2018. It is intended for anyone who uses the Chrome web browser to access Google at U-M.
Beginning Monday, May 7, Google is rolling out a new security feature that requires users to verify their identity when using the Chrome browser. Members of the U-M community who encounter this when logging in to Google at U-M may be surprised and wonder whether it is safe to follow the Google prompts.
Please share the information below with those in your unit to let them know what to expect and to reassure them that it is okay for them to complete the Google Chrome verification process.
What Chrome Users Will See
When you log in to your Google at U-M account using the Chrome web browser on or after May 7, you will see an additional request from Google asking you to verify your identity. You will not see this screen when using other web browsers.
- From Google Chrome, log in to Google at U-M. You will be directed to the U-M Weblogin page to log in with your uniqname and UMICH (Level-1) password.
- Instead of getting into Google at U-M immediately, you will see a Google "Verify it's you" screen asking you to verify your email address.
- Check that the address is indeed your U-M email address in the form of email@example.com (where youruniqname has been replaced with your actual uniqname).
- If the address is correct, click Continue. If you do not recognize the address, contact the ITS Service Center.
Again, you will not see the verification screen if you are using another web browser—such as Firefox or Safari—or if you are using an app, such as Gmail on a smartphone.
Google currently says "this feature will only be shown once per account per device." Google says it is working to minimize disruption caused by the prompt. See the G Suite Update for details.
Security Tip: In general, clicking a button to confirm an address poses minimal risk. However, you should be suspicious of prompts for your user name and password (see Look Before You Log In).
Why Google Is Doing This
According to Google, "This new screen is intended to prevent would-be attackers from tricking a user (e.g., via a phishing campaign) into clicking a link that would sign them in to a Google Account the attacker controls." If that were to happen, you would likely see an unfamiliar address on the Google "Verify it's you" screen.
The new security feature is designed to thwart attacks like one that targeted Google users last May (see Google adds SSO verification check to G Suite). In that attack, some Google users received an invitation to view a Google Doc. The invitation came from what appeared to be a known contact, and the first part of the URL made it look like it was hosted by Google. Those who clicked the link to open the document, however, were silently logged into an account set up by the attackers. The attackers could then send out spam email from the victim's account, inviting their contacts to open the malicious Google Doc.
Turn On Two-Factor for Additional Protection
If you haven't yet turned on two-factor for your UMICH account to protect your Google at U-M account and your direct deposit and other personal information in Wolverine Access, we encourage you to turn on two-factor for U-M Weblogin.
- Coming May 7th, 2018: A more secure sign-in flow on Chrome (G Suite Updates, 4/25/18)
- Google adds SSO verification check to G Suite (Naked Security by Sophos, 4/30/18)
- Google beefs up Gmail security on Chrome to protect against phishing attack (International Business Times, 4/30/18)