Gmail is adding further layers of security, requiring users to verify their identity before potentially sensitive changes are allowed.
Some Gmail settings and actions could make it easier for a bad actor to hijack an account. Examples include setting up a forwarding email address in the POP/IMAP settings; creating, editing, and importing filters; and enabling IMAP access.
Google says it will analyze such requests and ask for verification if the session is suspicious:
When these actions are taken, Google will evaluate the session attempting the action, and if it’s deemed risky, it will be challenged with a “Verify it’s you” prompt. Through a second and trusted factor, such as a 2-step verification code, users can confirm the validity of the action. If a verification challenge is failed or not completed, users are sent a “Critical security alert” notification on trusted devices.
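For administrators who want to review the settings named above (forwarding addresses, filters, IMAP access), the following added example, which is not code from Google or from this article, audits one mailbox's settings offline. The field names follow the Gmail API settings resources; the trusted-domain list, the severity labels and the sample data are assumptions constructed for illustration.

```python
# Added example: SAMPLE is constructed data shaped like the Gmail API settings
# resources (AutoForwarding, ForwardingAddress, Filter, ImapSettings).
TRUSTED_DOMAINS = {"example.com"}  # assumption: domains the organisation controls
RANK = {"high": 0, "low": 1}       # assumption: two-level severity for sorting

SAMPLE = {
    "autoForwarding": {"enabled": True, "emailAddress": "archive@example.com"},
    "forwardingAddresses": [
        {"forwardingEmail": "archive@example.com", "verificationStatus": "accepted"},
        {"forwardingEmail": "drop@mail.invalid", "verificationStatus": "pending"},
    ],
    "filters": [
        {"id": "f1", "criteria": {"from": "billing@example.com"},
         "action": {"addLabelIds": ["Label_1"]}},
        {"id": "f2", "criteria": {"query": "invoice"},
         "action": {"forward": "drop@mail.invalid"}},
    ],
    "imap": {"enabled": True},
}

def is_external(address, trusted):
    """True when the address's domain is not in the trusted set."""
    return address.rsplit("@", 1)[-1].lower() not in trusted

def audit_mailbox(settings, trusted=TRUSTED_DOMAINS):
    """Return (severity, message) findings for one mailbox, highest severity first."""
    findings = []
    fwd = settings.get("autoForwarding", {})
    if fwd.get("enabled"):
        addr = fwd.get("emailAddress", "")
        sev = "high" if is_external(addr, trusted) else "low"
        findings.append((sev, f"auto-forwarding enabled to {addr}"))
    for entry in settings.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "")
        if is_external(addr, trusted):
            status = entry.get("verificationStatus", "unknown")
            findings.append(("high", f"external forwarding address {addr} ({status})"))
    for flt in settings.get("filters", []):
        target = flt.get("action", {}).get("forward")
        if target and is_external(target, trusted):
            findings.append(("high", f"filter {flt.get('id')} forwards to {target}"))
    if settings.get("imap", {}).get("enabled"):
        findings.append(("low", "IMAP access is enabled"))
    return sorted(findings, key=lambda f: RANK[f[0]])

if __name__ == "__main__":
    for severity, message in audit_mailbox(SAMPLE):
        print(f"[{severity}] {message}")
```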