Why you need to change your account today
Update: Republished on May 2 with more security fallout as Microsoft deletes passwords by default and Google and others are urged to do the same.
Google has confirmed the latest warnings that Gmail accounts are under attack, and has issued some simple, critical advice. But it’s difficult for users to dive beneath all the headlines to work out exactly what they should do. To start with, you must upgrade your email account to keep it safe from attackers. Here’s what to do and why today.
The latest attacks follow recent patterns, mimicking Google’s own support to trick users into giving up credentials. According to Check Point, Google is second only to Microsoft in its likelihood to be aped in an attack. “As we progress through 2025,” Check Point says, “organizations and users must stay alert to the evolving threat of phishing attacks.”
Google’s first piece of advice follows on from that warning — it will never contact users to discuss account security. “Reiterate to your readers,” the company tells me, “that Google will not call you to reset your password or troubleshoot account issues.”
The second piece of advice is to upgrade your account security. “Passkeys provide the strongest protection,” Google says. “Once you create a passkey, you can use it to easily sign in to your Google Account, as well as some third-party apps or services. You can also use that passkey to verify it’s you when you make sensitive changes.”
Unlike Microsoft, which pushes users to delete passwords because they remain an account vulnerability if kept alongside passkeys, Google is keeping passwords and two-factor authentication as a backup. But when you set up your passkey, you should change your password and ensure that 2FA is device-linked, either through an authentication app or a trusted device login. Do not use SMS.
This is especially critical with the rise in AI attacks that are harder to detect and defend against, as the FBI has just warned. You’re less likely to see them coming and so you should do all you can to make it impossible for an attack to hit its mark. And per Check Point, “AI threats are no longer theoretical — they’re here and evolving rapidly.”
So, why today? May 1 was World Password Day, and even if you missed the over-hyped day itself, you should act now. Ignore the “worst passwords in the world” stories, and focus on the key message. It’s time to shift to passkeys, so much so that Microsoft and others are dubbing this year’s security jamboree World Passkey Day. It’s a timely reminder to upgrade your Gmail and other accounts before it’s too late.
The FIDO Alliance is charged with pushing passkeys, and its latest research shows adoption is accelerating. “The establishment and growth of World Passkey Day,” its CEO Andrew Shikiar said today, “reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration.”
You can find details on setting up your Google/Gmail passkey here.
I have suggested before that Google should follow Microsoft’s lead and go passwordless by default, not even keeping them around as a back-up. The Windows-maker has generated a raft of headlines this time around by confirming its new default and that users should be deleting passwords from their accounts.
But it’s not all that simple. “Left out of Microsoft’s announcement,” says Ars Technica, “is that even after users create a passkey, they can’t go passwordless until they install the Microsoft Authenticator app on their phone. Microsoft has made Authy, Google Authenticator, and similar apps incompatible, a choice that needlessly inconveniences users and undermines the whole ‘passwordless by default’ marketing message.”
So, still work to be done. But despite that, the core message to upgrade your Gmail account with a passkey and to make those other changes remains. It’s not worth the risk, especially with your Gmail account being the gateway to so many other platforms.