Google offers a tool called the Security Checkup. As you'd expect, this tool walks you through the process of checking the security settings in your Google account. Now, you might think that this is only something you need to do once. After all, once you've dialed in your settings the way you like them, why would you ever need to change them again? In my experience, however, most people's Google accounts (including mine) tend to become more porous over time.
Sure, you had your account all locked down when you first attended your IT orientation, but then you started authorizing trusted devices. You logged into other computers and phones. Maybe you changed phones or got a new computer. You allowed account access for several third-party applications. In short, you had to allow points of access to your account, kind of like leaving doors to your house unlocked.
Google's Security Checkup is a lot like doing a safety walkthrough of your house:
- Is the spare key still in its hiding place?
- Are the ground floor windows locked?
- Does the front door lock properly?
- Are the emergency numbers on the fridge up-to-date?
- Do you know where the fire extinguisher, water main, and electrical breakers are?
Unlike doing a walkthrough of your house, however, the Google Security Checkup only takes two minutes and almost no effort. I recommend running the Security Checkup periodically, maybe every four months. The rest of this article will show you how.
Running the Google Security Checkup
1. Navigate your web browser to myaccount.google.com. Make sure you're logged in with your TSS credentials.
2. Select 'Security' from the left-hand sidebar, then click the 'See details' link in the first main box you see. In my example, this box is labeled 'your account is protected', but you may see a different message.
Google Security Checkup in Five Steps
The Google Security Checkup is divided into 5 sections, each of which you can expand to see recommendations and take actions.
1. First, you'll see a list of all of the devices where your account is logged in. You can click on any of these sessions to see more information, or log out of that device. If there are any devices where your account has been inactive for a while, Google will suggest that you log out.
2. Next up, you can view any recent security activity. Google will flag any significant account activity (like changing your password or exporting your data) here for you to review.
If you do spot any unfamiliar activity, press the button below and you'll be prompted to change your password.
3. Next up, you'll be asked to review your 2-step verification settings. This component will let you know if you have 2-step verification enabled for your account and what factors you've enabled to prove your identity.
4. The fourth step of the Security Checkup will show third-party applications that can access your TSS Google Account data.
What should you do with this? First of all, you should scan down the list and remove any apps that you don't recognize. Second, you should also remove access to any apps you're not using anymore. You can be pretty cavalier about removing apps, since it's easy to grant them permissions again if you need to. If you're on the fence about removing an app, just go ahead and do it; you won't cause any lasting problems and it's better to err on the side of caution.
Finally, be on the lookout for any app that 'has full access to your Google Account'. This is an extremely powerful level of access, allowing the app to do ANYTHING to your account, other than change your password, delete your account, or make payments with Google Wallet. Think of 'full access' like a set of keys to your house, your car, your bike lock, your safe deposit box, and your office: you'd only give that key ring to someone you really trust.
Not many apps need (or deserve) that level of access, so give extra scrutiny to any app with full account access. Once you're finished reviewing your apps, click DONE.
5. Last but not least, take a look at your Gmail settings. Normally, there shouldn't be much of interest to show here. Keep your eyes open, however, for mail forwarding or account delegation settings that look odd. If someone nefarious did gain access to your account, they might tinker with your mail settings, and those changes would show up in the final component of the Security Checkup.
Once you're finished, you can sit back smugly knowing that you've just made your digital life more secure. It's important to remember, however, that security isn't a one-time checklist; it's an ongoing process. I'd suggest running the Security Checkup every few months. I just put a reminder on my calendar that pops up every three months.