
Email remains the most common target for attacks, and Gmail—with over 1.8 billion active accounts—continues to be the most tempting target. In 2025, we’re seeing a rise in stolen sign-in tokens, sophisticated phishing campaigns, and attacks that bypass classic two-factor authentication. Google, however, isn’t standing still and is rolling out a series of updates that make Gmail one of the most secure free email platforms.
The biggest threats to Gmail in 2025
Attackers are increasingly stealing so-called session cookies—files that keep a user signed in even after successful two-factor verification. That’s why Google is introducing a new technology, Device Bound Session Credentials (DBSC), which ties the cookie to a specific device, turning a stolen file into a useless artifact (The Verge).
2-Step Verification: the essential baseline
Back in 2021, Google automatically enabled 2-Step Verification (2SV) for another 150 million accounts—and the number keeps growing. If you still haven’t activated 2SV, your account is low-hanging fruit for attackers. The basics include Google Authenticator, SMS codes, or tap-to-approve prompts on your phone, but the trend is moving toward methods that don’t rely on one-time codes.
Passkeys: the passwordless future
Passkeys combine FIDO2 cryptography with biometrics or a PIN. The result is faster, phishing-resistant sign-in. Google says that in under a year passkeys authenticated users more than one billion times, and 400 million accounts already have passkeys enabled; on an average day, passkeys are now used for sign-in more often than traditional SMS and TOTP codes (blog.google). You can create a passkey at myaccount.google.com/passkey.
Security keys & Advanced Protection
Journalists, activists, and political campaigns can opt for the Advanced Protection Program (APP). New for 2025 is the ability to add a passkey to APP as well—not just physical USB/NFC keys—which makes it easier to protect high-risk accounts without additional hardware costs (blog.google).
DBSC: the most effective defense against session cookie theft
Token-stealing attacks have bypassed two-factor authentication because criminals were reusing a “live”, already-authenticated session. DBSC binds each token to a specific TPM chip or Secure Enclave on the device. The feature is in beta for Chrome on Windows, and Google has indicated it will expand to other platforms during 2025 (The Verge). Workspace admins should enable DBSC right away and also enforce passkeys, which are already available to Google's 11 million business customers.
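To make the binding concrete, here is an added example in Go (not Google's code and not taken from the sources cited on this page) of a device-bound session: at sign-in the server stores the device's public key next to the cookie, and every refresh demands a signature over a fresh challenge as well as the cookie, so a copied cookie presented from another machine is rejected. The Device and Session types are hypothetical, and an in-memory P-256 key stands in for the TPM- or Secure Enclave-held key; the real DBSC message formats are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Device is the browser side. In real DBSC the private key is generated inside the TPM
// or Secure Enclave and never leaves it; here it is an in-memory key for illustration.
type Device struct{ key *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{key: k}, err
}

// Sign answers a server challenge with the device-bound key.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// Session is the server-side record: the cookie plus the device public key that
// Register stores at sign-in.
type Session struct {
	Cookie []byte
	pub    *ecdsa.PublicKey
}

func Register(d *Device) (*Session, error) {
	cookie := make([]byte, 16)
	_, err := rand.Read(cookie)
	return &Session{Cookie: cookie, pub: &d.key.PublicKey}, err
}

// Refresh models the periodic check: the cookie alone is not enough, the caller must
// also sign a fresh random challenge, so a copied cookie on another machine fails.
func (s *Session) Refresh(cookie []byte, sign func([]byte) ([]byte, error)) bool {
	challenge := make([]byte, 32)
	_, err := rand.Read(challenge)
	if err != nil || subtle.ConstantTimeCompare(cookie, s.Cookie) != 1 {
		return false
	}
	sig, err := sign(challenge)
	h := sha256.Sum256(challenge)
	return err == nil && ecdsa.VerifyASN1(s.pub, h[:], sig)
}
```

The same challenge-and-signature principle is what makes passkeys phishing-resistant: possession of the secret is proven by a signature, never by handing over a reusable token.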
Encryption on three levels
- TLS by default – Gmail automatically encrypts the connection; as of May 2025 it stopped accepting the outdated 3DES cipher on inbound SMTP connections, removing the last common weakness of older servers (Google Support).
- S/MIME (hosted and customer-managed certificates) – suitable for companies that need control over keys and digital signing.
- Client-side encryption (CSE) – Gmail Enterprise Plus now allows users to upload their own certificates from PIV/CAC keys directly in settings. No admin intervention is required, and the entire message content (body and attachments) remains unreadable even to Google (Workspace Updates Blog).
Confidential Mode and other built-in tools
Confidential Mode (expiration + optional SMS passcode) received a more sensitive anti-screenshot filter in 2024. If you’re sending contracts or sensitive information externally, it’s a quick solution without the need for CSE. Don’t forget Security Checkup as well: review signed-in devices and remove access for apps you no longer need.
Practical settings you can do in 5 minutes
- Enable a passkey and keep traditional 2SV only as a backup.
- In Manage your Google Account → Security, select “Security Checkup” and remove outdated access.
- In Gmail Labs, enable “External Label” — it warns you when an email comes from outside.
- Set up App Passwords only where you truly need them (older IMAP clients).
- Turn on Spoofing & Authentication Icons (BIMI) to more easily spot spoofed domains.
Video: How to set up a Google passkey (tutorial)
A one-minute overview of the steps from creation to backup.
Video: Client-side encryption in Gmail — why it’s worth it
A free discussion with security experts on who CSE is suitable for.
Sources
- Google Blog – Passkeys, Cross-Account Protection and new ways we’re protecting your accounts (May 2 2024): https://blog.google/technology/safety-security/google-passkeys-update-april-2024/
- Google Workspace Updates – Hardware Key Certificate Management for client-side encryption in Gmail (June 30 2025): https://workspaceupdates.googleblog.com/2025/06/hardware-key-certificate-management-for-client-side-encryption-in-gmail.html
- The Verge – Google Workspace is rolling out a security update to stop token stealing attacks (July 29 2025): https://www.theverge.com/news/715117/google-workspace-dbsc-cookie-stealing-attack
- Google Support – Ciphers for Gmail SMTP TLS connections (updated May 2025): https://support.google.com/a/answer/9795993?hl=en