How secure is Gmail?

A smartphone on a keyboard showing the Gmail loading screen
(Image credit: Getty Images)

One of the biggest questions in the realm of information security centres on how secure Gmail is, and how much the platform respects user privacy.

Simply put, Gmail is as secure as the steps you take to protect your Google account, and your awareness of the threats aimed at it, allow it to be. Privacy is a little more complicated.

We break down how to secure your Gmail account, and the steps you can take to block email marketing trackers and bolster your privacy as much as possible.

Implementing 2FA

For most users, Google account security comes down to two things: a strong, unique password, and whether or not two-factor authentication (2FA) is switched on.

Twitter recently published a transparency report revealing that only 2.3% of active accounts had 2FA enabled, and that the vast majority of those users relied on SMS-based 2FA. That's the least secure option, but still better than nothing. Hardly anyone (0.5%) was using a hardware security key, while under a third (30.9%) of those users had an authenticator app enabled; the figures overlap because an account can have more than one method turned on.

Google offers several types of 2FA. The first is a code delivered by voice call or text message, which we wouldn't recommend: it's the easiest option for a cyber criminal to overcome, because a SIM-swap attack moves your phone number, and with it the codes, to a handset the attacker controls, and a code typed into a convincing phishing page can be relayed to Google in real time. It's better than nothing, again, and most people will never be a valuable enough target for a SIM swap anyway.

The second option is Google prompts, sent to another device you're already signed in on. This sidesteps the SIM-swap problem by requiring the attacker to physically hold that device, though an attacker who already has your password can still send you a stream of prompts in the hope you tap "Yes" to make them stop, so never approve a prompt you didn't trigger yourself. The third option is the six-digit, time-based codes generated by Google Authenticator. These don't depend on your phone number at all, but like SMS codes they can be captured by a phishing site that forwards them to Google within the 30-second window.

We recommend enabling both: one as your default and the other for the times when that option isn't available to you for whatever reason. You will also get a set of ten single-use backup codes that you should keep somewhere safe, offline rather than in your inbox, as a last-resort way of signing into your account in an emergency.

The final option is the most secure, but can be expensive and more intrusive on the user experience: a security key. These are either dedicated hardware devices, such as a YubiKey or Google's own Titan Security Key, or the built-in key on a modern smartphone. They are the one option that resists phishing, because the key signs a challenge tied to the genuine site's origin, so a response captured by a look-alike site is useless elsewhere. A security key is mandatory if you are enrolled in Google's Advanced Protection Program, which is designed for accounts at greater risk of targeted attack.

Consider how much of your online life the Google ecosystem wraps around, collecting all kinds of data along the way (email, web, personal assistants, the list goes on). That makes access to your core account a highly prized target for cyber criminals.

Access to your Google account gives access to Gmail, which gives access to password resets, which gives access to, well, almost everything.

Perform a security checkup

It's a good idea to perform a security check-up regularly, and Google makes that easy. Open the Security section of Manage your Google Account and run the Security Checkup (myaccount.google.com/security-checkup). It lets you review and revoke access for third-party apps you no longer need, see which devices are signed in, and confirm your recovery phone and email are still ones you control. You should also keep your OS, browsers, and apps up to date, and remove any browser extensions and apps you no longer use.

What about the privacy issue? Gmail scans message content to power features that are one of the big draws for users, such as pulling delivery details from confirmation emails into Google Calendar. So, how worried should you be? That depends on your aversion to the collection of such data and how much you value the functionality it enables.

Google will say, rightly, that much of what it collects is metadata rather than content. Google will also assure users that, for example, the results of those automated email scans aren't used for advertising purposes.

According to Google CEO, Sundar Pichai, "we don't sell your information to anyone, and we don't use information in apps where you primarily store personal content – such as Gmail, Drive, Calendar and Photos – for advertising purposes, period".

Moving to another email provider, such as Outlook.com, may not be the answer you're looking for either, as metadata collection and user activity tracking are almost universal. Sure, there are niche providers that are more privacy-focused, but you lose the kind of cross-application functionality that drew you to Gmail in the first place.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.