Google offers a tool called the Security Checkup. As you'd expect, this tool walks you through the process of checking the security settings in your Google account. Now, you might think that this is only something you need to do once. After all, once you've dialed in your settings the way you like them, why would you ever need to change them again? In my experience, however, most people's Google accounts (including mine) tend to become more porous over time.
Sure, you had your account all locked down when you first attended your IT orientation, but then you started authorizing trusted devices. You logged in on other computers and phones. Maybe you changed phones or got a new computer. You allowed account access for several third-party applications. In short, you had to open up points of access to your account, kind of like handing out spare keys to your house and leaving a few doors unlocked.
Google's Security Checkup is a lot like doing a safety walkthrough of your house.
- Is the spare key still in its hiding place? Are the ground floor windows locked?
- Does the front door lock properly?
- Are the emergency numbers on the fridge up-to-date?
- Do you know where the fire extinguisher, water main, and electrical breakers are?
Unlike doing a walkthrough of your house, however, the Google Security Checkup only takes a couple of minutes and almost no effort. I recommend running the Security Checkup periodically, about every three months. The rest of this article will show you how.
Running the Google Security Checkup
1. Navigate your web browser to myaccount.google.com. Make sure you're logged in with your TSS credentials.
2. Scroll down to the box labeled "Security Checkup" and click 'GET STARTED'.
Google Security Checkup in Four Steps
1. First up, you'll be asked to verify your recovery phone and email. These are like the spare key you've hidden outside your house: if you get locked out or lose your keys (forget your password), these recovery options will get you back in. I recommend using a cell phone number and your primary personal email account. Keep in mind that a spare key works for anyone who finds it: whoever controls your recovery email or phone number can reset your password, so that recovery email account should itself be protected with a strong password and 2-step verification, and you should remove any old phone numbers or addresses you no longer control. Also note: you can always request a password reset from the IT helpdesk if you get locked out of your account. When you're happy with your choices here, click 'DONE'.
2. Next up, you'll be prompted to look at your 'connected devices'. These are all the devices used to access your Google account in the last month. This is like reviewing the security camera footage of your front door to see who's been coming and going. Take a look at the list and see if anything looks fishy to you.
If you do spot an unfamiliar device, you can click on the small drop-down arrow next to it for more information. For example, if I see a Windows login I don't recognize and I look at the details, I'll see where the login happened, what browser (and version) was being used, and even the name of the computer:
If everything looks good, click on "LOOKS GOOD" at the bottom of the devices pane. If something DOESN'T look good (e.g. you see 4 logins from North Korea), click SOMETHING LOOKS WRONG, and Google will walk you through locking the account down, starting with a password change. In addition, at this point you should contact the IT department for assistance with securing your account. Even if nothing looks wrong, this is a good time to sign out any device you no longer use, such as an old phone; a device you've stopped using still holds a live session on your account until you remove it.
3. Next up, you'll be asked to review your account permissions. This list shows all of the third-party apps and services that have access to your account, kind of like looking at the list of everyone who has a spare key to your house. The list will show you which apps have spare keys to your house and, in the second column, what they can do with those keys:
What should you do with this? First of all, scan down the list and remove any apps that you don't recognize. Second, remove access for any apps you're not using any more. For instance, in my example above, I granted access to the Avery Label Merge app; I don't have plans to do any more mail merges in the future, so I'm going to remove this from my list. You can be pretty cavalier about removing apps, since it's easy to grant them permissions again if you need to: the worst case is that the next time you use the app it asks you to sign in and approve access again. If you're on the fence about removing an app, just go ahead and do it; you won't cause any lasting problems and it's better to err on the side of caution.
Finally, be on the lookout for any app that 'Has full access to your Google Account'. This is an extremely powerful level of access, allowing the app to do ANYTHING to your account, other than change your password, delete your account, or make payments with Google Wallet. Think of 'full access' like a set of keys to your house, your car, your bike lock, your safe deposit box, and your office: you'd only give that key ring to someone you really trust.
Not many apps need (or deserve) that level of access, so give extra scrutiny to any app with full account access; if you can't say exactly why it needs it, remove it. Once you're finished reviewing your apps, click DONE.
4. If you've enabled 2-step verification for your account (and if you haven't already, you probably should; here's how), you'll also get a chance to review those settings. I'd recommend using either a Google prompt or a TOTP-based app (like Google Authenticator) as your primary verification option, with a mobile phone number as a backup. Codes sent by text message are the weakest of these options, since a phone number can be ported or intercepted, so treat the phone as a fallback rather than your everyday method. While you're here, make sure you have a set of backup codes printed or stored somewhere safe, and that any phone numbers listed are ones you still control.
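Steps 2 and 3 above are really a handful of triage rules applied by eye: flag a sign-in from somewhere you never are, flag a device you haven't used in a while, and flag an app that you don't recognize, haven't used, or that holds full account access. The script below is an added example (not part of the original article and not Google's code or API) that applies those same rules to a few constructed rows shaped like what the two checkup panes show. The device and app records, the reference date, the "expected countries" allowlist, the idle thresholds, and the list of apps I recognize are all assumptions chosen to make the example reproducible; only the "Has full access to your Google Account" wording comes from the checkup itself.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference point so the review is reproducible offline.
NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)

# Assumptions about the account being reviewed (not from the article): where
# its owner normally signs in, how long a device or app can sit idle before it
# deserves a question, and which third-party apps the owner recognizes.
EXPECTED_COUNTRIES = {"US"}
DEVICE_STALE_AFTER = timedelta(days=30)
APP_UNUSED_AFTER = timedelta(days=90)
KNOWN_APPS = {"Avery Label Merge", "Slack"}

# Exact wording the checkup uses for the most powerful grant.
FULL_ACCESS = "Has full access to your Google Account"

# Constructed rows resembling the 'connected devices' pane; not real data.
DEVICES = [
    {"name": "Ken's MacBook", "platform": "Mac", "country": "US",
     "last_seen": "2016-05-30T14:02:00Z"},
    {"name": "DESKTOP-7XQ2", "platform": "Windows", "country": "KP",
     "last_seen": "2016-05-28T03:11:00Z"},
    {"name": "Nexus 5X", "platform": "Android", "country": "US",
     "last_seen": "2016-03-10T09:30:00Z"},
]

# Constructed rows resembling the 'account permissions' pane; not real data.
APPS = [
    {"name": "Avery Label Merge",
     "access": "View and manage your spreadsheets in Google Drive",
     "last_used": "2015-11-02"},
    {"name": "Mystery Sync", "access": FULL_ACCESS, "last_used": "2016-05-20"},
    {"name": "Slack", "access": "Know who you are on Google",
     "last_used": "2016-05-31"},
]


def _parse(ts):
    """Parse the two timestamp shapes used in the constructed rows (both UTC)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in ts else "%Y-%m-%d"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def review_devices(devices, now=NOW, expected=EXPECTED_COUNTRIES,
                   stale_after=DEVICE_STALE_AFTER):
    """Return (device name, finding) pairs, in the order the pane lists them."""
    findings = []
    for d in devices:
        if d["country"] not in expected:
            findings.append((d["name"], "unexpected-country"))
        if now - _parse(d["last_seen"]) > stale_after:
            findings.append((d["name"], "stale"))
    return findings


def review_apps(apps, now=NOW, known=KNOWN_APPS, unused_after=APP_UNUSED_AFTER):
    """Return (app name, finding) pairs. An app can earn more than one."""
    findings = []
    for a in apps:
        if a["name"] not in known:
            findings.append((a["name"], "unknown-app"))
        if a["access"] == FULL_ACCESS:
            findings.append((a["name"], "full-access"))
        if now - _parse(a["last_used"]) > unused_after:
            findings.append((a["name"], "unused"))
    return findings


def needs_escalation(device_findings):
    """The article's rule: a sign-in from somewhere unexpected goes to IT."""
    return any(finding == "unexpected-country" for _, finding in device_findings)


if __name__ == "__main__":
    devs = review_devices(DEVICES)
    for name, finding in devs:
        print(f"device  {name:20} {finding}")
    for name, finding in review_apps(APPS):
        print(f"app     {name:20} {finding}")
    if needs_escalation(devs):
        print("Click SOMETHING LOOKS WRONG and contact IT.")
```

Run as-is it flags the Windows sign-in from an unexpected country (the case to escalate), the phone that hasn't been seen in 83 days, the label-merge app that hasn't been used since last year, and the unrecognized app holding full access. Everything an app can earn is reported separately, so "Mystery Sync" shows up twice; the point of the output is the list of things to click through in the checkup, not a score.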
Once you're finished, you can click DONE and sit back smugly knowing that you've just made your digital life more secure. As I've written before, however, security isn't a one-time checklist; it's an ongoing process. I'd suggest running the Security Checkup every few months, and in any case right after you change phones, get a new computer, or authorize a new app. I just put a reminder on my calendar that pops up every three months.