Why you need to change your account today
Update: Republished on May 4 with a critical new fix that impacts Gmail users and more information on passkeys and plans to delete passwords altogether.
Google has confirmed the latest warnings — that Gmail accounts are under attack, and has issued some simple, critical advice. But it’s difficult for users to dive beneath all the headlines to work out exactly what they should do. To start with, you must upgrade your email account to keep it safe from attackers. Here’s what to do and why today.
The latest attacks follow recent patterns, mimicking Google’s own support to trick users into giving up credentials. According to Check Point, Google is second only to Microsoft in its likelihood to be aped in an attack. “As we progress through 2025,” Check Point says, “organizations and users must stay alert to the evolving threat of phishing attacks.”
Google’s first piece of advice follows on from that warning — it will never contact users to discuss account security. “Reiterate to your readers,” the company tells me, “that Google will not call you to reset your password or troubleshoot account issues.”
The second piece of advice is to upgrade your account security. “Passkeys provide the strongest protection,” Google says. “Once you create a passkey, you can use it to easily sign in to your Google Account, as well as some third-party apps or services. You can also use that passkey to verify it’s you when you make sensitive changes.”
Per FIDO Alliance, the organization charged with promoting passkey adoption: “A password is something that can be remembered and typed, and a passkey is a secret stored on one’s devices, unlocked by the user the same way they unlock their device (biometrics, PIN, pattern, etc.). Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets. Passkeys simplify account registration for apps and websites, are easy to use, work across all of a user’s devices, and even other devices within physical proximity.”
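To make the “no shared secrets” and “resistant to phishing” claims above concrete, here is an added example in Go; it is not part of the original article and is not Google’s or the FIDO Alliance’s code. It models a WebAuthn-style passkey flow with the standard library’s Ed25519: the device keeps the private key, the server stores only the public key, and every sign-in assertion signs the server’s challenge together with the origin the browser is actually on. The relying party name, origin, user name and look-alike domain are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Authenticator models the user's device: one key pair per relying party ID.
// The private key never leaves the device, so the server holds no secret
// that a phishing page could capture and replay.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]ed25519.PrivateKey{}}
}

// Register creates a passkey for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return pub, nil
}

// clientData is what the browser hands to the authenticator to sign; it binds
// the server's challenge to the origin the user is really visiting.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assert signs clientData with the passkey registered for rpID. The browser
// derives rpID from the page actually loaded, so on a look-alike domain the
// device simply finds no matching passkey and nothing is signed.
func (a *Authenticator) Assert(rpID string, cd clientData) (signed, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	signed, err = json.Marshal(cd)
	if err != nil {
		return nil, nil, err
	}
	return signed, ed25519.Sign(priv, signed), nil
}

// RelyingParty models the account server: it stores public keys only.
type RelyingParty struct {
	ID     string                       // constructed placeholder, e.g. "accounts.example.com"
	Origin string                       // constructed placeholder, e.g. "https://accounts.example.com"
	pubs   map[string]ed25519.PublicKey // username -> registered public key
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts an assertion only if the signature checks under the stored
// public key, the signed origin is the relying party's own, and the signed
// challenge is the one this server issued (no replay of an old assertion).
func (rp *RelyingParty) Verify(user string, challenge, signed, sig []byte) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return fmt.Errorf("unknown user %q", user)
	}
	if !ed25519.Verify(pub, signed, sig) {
		return fmt.Errorf("bad signature")
	}
	var cd clientData
	if err := json.Unmarshal(signed, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was signed for %s", cd.Origin)
	}
	if !bytes.Equal(cd.Challenge, challenge) {
		return fmt.Errorf("challenge mismatch")
	}
	return nil
}

// RunScenario registers a passkey with the genuine site, performs a genuine
// login, then shows that a look-alike domain relaying the real challenge
// cannot obtain a usable assertion. It returns whether the genuine login
// verified and the error the phishing attempt produced.
func RunScenario() (genuineOK bool, phishErr error) {
	rp := &RelyingParty{
		ID:     "accounts.example.com",
		Origin: "https://accounts.example.com",
		pubs:   map[string]ed25519.PublicKey{},
	}
	device := NewAuthenticator()
	pub, err := device.Register(rp.ID)
	if err != nil {
		return false, err
	}
	rp.pubs["alice"] = pub // constructed user name

	// Genuine login: browser is on the real origin, device has a key for it.
	ch := rp.NewChallenge()
	signed, sig, err := device.Assert(rp.ID, clientData{Challenge: ch, Origin: rp.Origin})
	if err != nil {
		return false, err
	}
	genuineOK = rp.Verify("alice", ch, signed, sig) == nil

	// Phishing: a look-alike page relays a fresh challenge from the real site,
	// but the browser asks the device for the look-alike rpID, which has no key.
	relayed := rp.NewChallenge()
	_, _, phishErr = device.Assert("accounts-example-support.com",
		clientData{Challenge: relayed, Origin: "https://accounts-example-support.com"})
	return genuineOK, phishErr
}

func main() {
	ok, err := RunScenario()
	fmt.Println("genuine login verified:", ok)
	fmt.Println("look-alike domain attempt:", err)
}
```

Contrast this with a password: whatever the user types into the look-alike page is the same secret the real server checks, so it can be relayed unchanged. With a passkey there is nothing to type, the device refuses to sign for an origin it has no credential for, and even an assertion somehow obtained for another origin fails the server’s origin check.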
Unlike Microsoft, which pushes users to delete passwords as an account vulnerability if kept alongside passkeys, Google is keeping passwords and two-factor authentication as a backup. But when you set up your passkey, you should change your password and ensure that 2FA is device linked, either through an authentication app or a trusted device login. Do not use SMS.
Google has said it wants to do the same, to be rid of passwords altogether, but that’s not happening quickly. Per one Google “Techspert” when the security upgrade was released: “Yes, passkeys will replace passwords. It’s even broader than that. I’d say our vision for passkeys is to not only get rid of passwords, but also eliminate all the Band-Aids the industry has designed to make up for the fact that passwords are so vulnerable.”
This is especially critical now, with the rise in AI-driven attacks that are harder to detect and defend against, as the FBI has just warned. You’re less likely to see them coming, so you should do all you can to make it impossible for an attack to hit its mark. And per Check Point, “AI threats are no longer theoretical — they’re here and evolving rapidly.”
So, why today? May 1 was World Password Day, and even if you missed the over-hyped day itself, you should act now. Ignore the “worst passwords in the world” stories and focus on the key message. It’s time to shift to passkeys, so much so that Microsoft and others are dubbing this year’s security jamboree World Passkey Day. It’s a timely reminder to upgrade your Gmail and other accounts before it’s too late.
The FIDO Alliance is charged with pushing passkeys, and its latest research shows adoption is accelerating. “The establishment and growth of World Passkey Day,” its CEO Andrew Shikiar said today, “reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration.”
You can find details on setting up your Google/Gmail passkey here.
I have suggested before that Google should follow Microsoft’s lead and go passwordless by default, not even keeping them around as a back-up. The Windows-maker has generated a raft of headlines this time around by confirming its new default and that users should be deleting passwords from their accounts.
Microsoft warns “the number of password-based cyberattacks has increased dramatically. Bad actors know that the password age is ending, and that the number of easily compromised accounts is shrinking. In response, these bad actors are devoting considerable resources to automating brute force and phishing attacks against any account still protected by a password. Last year, we observed a staggering 7,000 password attacks per second (more than double the rate from 2023). As passkeys become the new standard, expect increased pressure from cyberattackers on any accounts still protected by passwords or other phishable sign-in methods.”
But it’s not all that simple. “Left out of Microsoft’s announcement,” says Ars Technica, “is that even after users create a passkey, they can’t go passwordless until they install the Microsoft Authenticator app on their phone. Microsoft has made Authy, Google Authenticator, and similar apps incompatible, a choice that needlessly inconveniences users and undermines the whole ‘passwordless by default’ marketing message.”
And that’s not Microsoft’s only problem this week — albeit the other one impacts Gmail users and shows that theirs are not the only accounts needing an upgrade. As explained by Bleeping Computer, “Microsoft has resolved an issue with a machine learning model that mistakenly flagged emails from Gmail accounts as spam in Exchange Online.”
According to the company, “we’ve identified that our machine learning (ML) model, which safeguards Exchange Online against risky email messages, is incorrectly identifying legitimate email messages as spam due to their similarity to email messages used in spam attacks, which is resulting in impact.”
Now that it’s fixed, Microsoft says “we’re continuing to investigate opportunities to improve our ML detection process to reduce false positive detections and prevent similar future impact.”
Meanwhile, the core message for Gmail users remains: upgrade your account with a passkey and make those other changes. It’s not worth the risk, especially with your Gmail account being the gateway to so many other platforms.