This week, Google announced a new sign-in security feature for Google Account users who sign in through the Chrome browser. The new sign-in screen asks users to confirm that the account they are about to use is actually their own. Google says it is designed to stop a user from being quietly signed into a Google Account that is owned and controlled by a malicious third party.
The change is aimed at sign-ins completed through a third party, such as SAML single sign-on (SSO). From May 7, after authenticating on a SAML identity provider's website, users will see a new screen on Google's site asking them to confirm the identity they are signing in with. Google says in a G Suite Updates blog post that this screen will provide an additional layer of security and help prevent users from unknowingly signing in to an account created and controlled by an attacker.
Google stated that it will only show the screen once per account per device, to minimise disruption for users. It said, “We’re working on ways to make the feature even more context-aware in the future, meaning your users should see the screen less and less over time.”
The screen targets a phishing trick in which the attacker lures the user into clicking a link that signs them into a Google Account the attacker controls, so that the victim then uses the attacker's account believing it is their own. The confirmation step works because it inserts the user interaction that SAML SSO otherwise lacks. Google says, “Today, this can be done via SAML single sign-on (SSO), because it doesn’t require a user interaction to complete a sign-in. To protect Chrome users, we’ve added this extra protection.”
Google says the new feature is part of its plan to give users a consistent identity across Google web services such as Gmail and native Chrome browser features such as Chrome Sync. It will make it easier for signed-in G Suite users to take advantage of native Chrome features, with additional protection during authentication.
Notably, G Suite administrators can also suppress the new screen. Chrome’s AllowedDomainsForApps group policy makes the browser attach the X-GoogApps-AllowedDomains HTTP header to requests to Google services; the header lists the domains whose accounts may be used, and Google blocks sign-ins to accounts from any other domain. Because an attacker-controlled account on a foreign domain can then no longer be signed in at all, the confirmation screen is not needed and is not shown once that policy is set.
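To make the two protections concrete, here is a small model of the sign-in decision the article describes. It is an added illustration written for this page, not Google’s code or the actual Chrome or Google sign-in logic: it assumes the X-GoogApps-AllowedDomains header value is a plain comma-separated list of domains matched exactly (no subdomain wildcarding), that an absent header means the browser is unmanaged, and that the “once per account per device” rule is tracked as a set of already-confirmed account addresses. All sample inputs are constructed.

```python
"""Model of the Chrome/Google sign-in confirmation decision described above.

Added illustration for this article; not Google's or Chrome's code.
Assumptions (not from the article):
  * X-GoogApps-AllowedDomains carries a comma-separated domain list, matched
    exactly and case-insensitively against the account's domain.
  * A missing or empty header means the browser is not managed by the
    AllowedDomainsForApps policy.
  * "Once per account per device" is modelled as a per-device set of
    account addresses that have already been confirmed.
"""
from __future__ import annotations

BLOCK = "block"      # account's domain is outside the admin allowlist
CONFIRM = "confirm"  # show the "Is this your account?" interstitial
ALLOW = "allow"      # complete the sign-in silently


def parse_allowed_domains(header_value: str | None) -> set[str] | None:
    """Parse X-GoogApps-AllowedDomains; None means no restriction is enforced."""
    if header_value is None:
        return None
    domains = {d.strip().lower() for d in header_value.split(",") if d.strip()}
    return domains or None  # assumption: an empty list is treated as unmanaged


def account_domain(email: str) -> str:
    """Return the lower-cased domain part of an account address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an account address: {email!r}")
    return domain.lower()


def decide_signin(
    allowed_domains_header: str | None,
    account_email: str,
    confirmed_on_device: set[str],
) -> str:
    """Decide what happens after a SAML assertion signs `account_email` in.

    Managed browser (policy header present): accounts outside the allowlist
    are refused outright, so an attacker-controlled account on a foreign
    domain cannot be used and no confirmation screen is shown.
    Unmanaged browser: SAML SSO completes with no user interaction, so the
    first sign-in to each account on this device requires confirmation.
    """
    domain = account_domain(account_email)
    allowed = parse_allowed_domains(allowed_domains_header)
    if allowed is not None:
        return ALLOW if domain in allowed else BLOCK
    if account_email.lower() in confirmed_on_device:
        return ALLOW
    return CONFIRM


def record_confirmation(account_email: str, confirmed_on_device: set[str]) -> None:
    """The user clicked through the interstitial: remember it for this device."""
    confirmed_on_device.add(account_email.lower())


if __name__ == "__main__":
    # Constructed scenario: a victim is lured into a SAML sign-in that asserts
    # an attacker-owned account; compare unmanaged and managed browsers.
    attacker_account = "victim-lookalike@attacker.example"
    corp_account = "alice@corp.example"
    device_history: set[str] = set()

    # Unmanaged Chrome: the first sign-in to any account prompts the user.
    print("unmanaged, attacker account:", decide_signin(None, attacker_account, device_history))
    print("unmanaged, own account:     ", decide_signin(None, corp_account, device_history))
    record_confirmation(corp_account, device_history)
    print("unmanaged, own account again:", decide_signin(None, corp_account, device_history))

    # Managed Chrome with AllowedDomainsForApps=corp.example: the header
    # blocks the foreign account entirely and skips the screen for corp users.
    header = "corp.example"
    print("managed, attacker account:  ", decide_signin(header, attacker_account, device_history))
    print("managed, own account:       ", decide_signin(header, corp_account, set()))
```

On a managed Linux workstation the policy behind the header would be set in a JSON file under /etc/opt/chrome/policies/managed/ with the key AllowedDomainsForApps (on Windows, under HKLM\Software\Policies\Google\Chrome), and chrome://policy shows whether Chrome has picked it up; the model above only shows the decision that results, not the policy plumbing.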