Google Confirms Most Users Must Upgrade Gmail And Other Accounts

Most accounts need an upgrade, says Google.
Google has confirmed another attack on Gmail users this week. Yet again, its own infrastructure has been exploited to compromise user accounts. And yet again, it comes with another warning for users to upgrade their accounts — this is now a must.
Earlier this month, I covered Google’s warning that most of its users still only use basic password security and are wide open to data breaches and attacks. “We want to move beyond passwords altogether,” Google said, pushing users to replace them.
Passkeys, it says, “are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.” Put simply, this links account security to hardware security, and means there are no passwords to steal or two-factor authentication (2FA) codes to bypass or intercept.
While that is critical for Gmail users, it’s actually much wider. Google reached out to me after that article, wanting to emphasize that the benefits are more significant and important for its users: Adding a passkey to a Google account protects all the services and platforms that can be accessed by that user account. Gmail is only half the story.
Even if most user accounts were secured by passwords and 2FA codes, there would still be a push to passkeys. And while Google, Microsoft and others make 2FA mandatory, the reality is that there’s still a risk that codes can be shared even if they can’t be stolen. That was the crux of the latest Gmail attack, tricking users into sharing codes.
Scams and Protections (June 2025)
The raft of headlines this week around a new 16 billion-record data breach should focus minds, even if “this is not a new data breach, or a breach at all,” per Bleeping Computer. Google’s latest survey still paints a bleak picture. Although 60% of U.S. consumers say they “use strong, unique passwords,” less than 50% “enable 2FA.”
The truth is that the only form of simple 2FA is SMS codes, which are sent quickly without having to exit the app or click or tap. They even autofill and often auto-delete. But SMS is woefully insecure; it’s the worst possible 2FA option. And anything else — authenticator apps, physical keys, even trusted device or app sign-ins — is more painful.
Passkeys are the opposite. They’re even easier than passwords and SMS 2FA. The code (which you never see) combines your login ID, password and 2FA into a simple sign-in process authenticated by your device security — ideally biometrics. And because there is no code you can see or copy, you can’t share the passkey even if you want to. Even if any of the underlying code is stolen, it only works on your actual device.
Google is right — this is about much more than Gmail, even if those email account attacks generate headline after headline. While there are some misgivings about big tech’s dominance and data overreach, and about it using its span of control to sign you into multiple services, even those it doesn’t own or control, it is more secure.
As Google says, “when you pair the ease and safety of passkeys with your Google Account, you can then use Sign in with Google to log in to your favorite websites and apps — limiting the number of accounts you have to maintain.”