Beginning Monday, May 7, Google is rolling out a new security feature that requires users to verify their identity when using the Chrome browser.

Verifying Your Identity

When you log in to your Google at U-M account using the Chrome web browser on or after May 7, you will see an additional request from Google asking you to verify your identity. You will not see this screen when using other web browsers.

1. From Google Chrome, log in to Google at U-M. You will be directed to the U-M Weblogin page to log in with your uniqname and UMICH (Level-1) password.

2. Instead of getting into Google at U-M immediately, you will see a Google Verify it's you screen asking you to verify your email address.
   

3. Check that the address is indeed your U-M email address in the form of uniqname@umich.edu (where youruniqname has been replaced with your actual uniqname).

4. If the address is correct, click Continue. If you do not recognize the address, contact the ITS Service Center.

Again, you will not see the verification screen if you are using another web browser — such as Firefox or Safari — or if you are using an app, such as GMail on a smartphone.

Google currently says "this feature will only be shown once per account per device;" Google says it is working to minimize disruption caused by the prompt. See the G Suite Update for details.

Security Tip: In general, clicking a button to confirm an address poses minimal risk. However, you should be suspicious of prompts for your user name and password (see Look Before You Log In).

Why Google Is Doing This

According to Google, "This new screen is intended to prevent would-be attackers from tricking a user (e.g., via a phishing campaign) into clicking a link that would sign them in to a Google Account the attacker controls." If that were to happen, you would likely see an unfamiliar address on the Google Verify it's you screen.

The new security feature is designed to thwart attacks like one that targeted Google users last May (see Google adds SSO verification check to G Suite). In that attack, some Google users received an invitation to view a Google Doc. The invitation came from what appeared to be a known contact, and the first part of the URL made it look like it was hosted by Google. Those who clicked the link to open the document, however, were silently logged into an account set up by the attackers. The attackers could then send out spam email from the victim's account, inviting their contacts to open the malicious Google Doc.

Turn-on Two-Factor for Additional Protection

If you haven't yet turned on two-factor for your UMICH account to protect your Google at U-M account and your direct deposit and other personal information in Wolverine Access, we encourage you to turn on two-factor for U-M Weblogin.

References

• Coming May 7th, 2018: A more secure sign-in flow on Chrome (G Suite Updates, 4/25/18)

• Google adds SSO verification check to G Suite (Naked Security by Sophos, 4/30/18)

• Google beefs up Gmail security on Chrome to protect against phishing attack (International Business Times, 4/30/18)

Please contact us if you have any further questions.