Your Google account connects your email, photos, documents, contacts, location history, and often your password recovery for dozens of other services. Fifteen minutes spent on its security settings is one of the highest-return uses of time in this space. Here’s exactly what to do.
Start at myaccount.google.com/security
Navigate there and run the Security Checkup at the top of the page. Google will walk you through a series of checks — recent activity, devices with access, recovery options, third-party apps — and flag anything that looks off. Do this first; it surfaces the obvious problems quickly.
Enable 2-Step Verification with an authenticator app
If you don’t have 2-Step Verification enabled, do this before anything else. Security → 2-Step Verification → Get started. Google will prompt you through setup.
Upgrade from SMS to an authenticator app if you’re currently using SMS codes. In the 2-Step Verification settings, look for “Authenticator app” and add it. Scan the QR code with Google Authenticator, Authy, or whatever app you use. After this, logging in requires both your password and a time-based code from the app. SMS codes can be intercepted via SIM swapping; authenticator codes can’t, because they are computed on your device from a secret that never leaves it.
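To make the “time-based code” concrete, here is an added example (not Google’s code and not part of the original article) that performs the arithmetic an authenticator app does: it reads the shared secret out of a constructed otpauth:// URI of the kind the QR code encodes, derives the six-digit code per RFC 6238, and shows the server-side check with a small clock-skew window. The URI, account name and secret are constructed for this example; the secret is the RFC 4226/6238 test key.

```python
"""TOTP derivation (RFC 6238 over RFC 4226 HOTP): what an authenticator app computes."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed example of the URI a 2-Step Verification QR code encodes.
# The secret is the RFC test key "12345678901234567890" in base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Google:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Google&digits=6&period=30"
)


def secret_from_otpauth_uri(uri):
    """Return (shared secret bytes, digits, period) parsed from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding, which QR codes usually omit
    return (base64.b32decode(b32),
            int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, digits=6, period=30):
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the epoch.

    Only the resulting digits are ever typed or sent; the secret stays on the device,
    which is why there is nothing for a SIM swap to intercept."""
    return hotp(secret, at // period, digits)


def verify_totp(secret, submitted, at, digits=6, period=30, skew=1):
    """Server-side check: accept codes from +/- `skew` steps to tolerate clock drift,
    comparing in constant time so timing does not leak which digits matched."""
    step = at // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), submitted)
               for d in range(-skew, skew + 1))
```

Expected values come from the RFC 6238 test vectors truncated to six digits (for example, at Unix time 59 the code is 287082).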
Consider adding a hardware security key (YubiKey, $25-55) as a second option if you want the strongest protection. Google accounts support FIDO2 hardware keys and they’re the most phishing-resistant 2FA method available.
Review devices with account access
Security → Your devices. This shows every device currently logged into your Google account. Look for anything unfamiliar — an old phone you no longer own, a computer you don’t recognize, a session from an unexpected location. Click on any suspicious device and choose “Sign out.” Then change your password.
If you see a device you used to own but no longer have, sign it out and consider whether it was disposed of securely. Old phones sold or donated without a factory reset retain access tokens that may still work.
Audit third-party apps with account access
Security → Third-party apps with account access. This lists every app and service that has been granted access to your Google account via Sign in with Google or OAuth. Review the list carefully. Revoke access for any app you no longer use, don’t recognize, or wouldn’t trust with access to your account data.
Pay attention to what level of access each app has. “Read your email” is significantly more invasive than “Know your email address.” Apps that have read access to Gmail — often granted when connecting a third-party email client or a service that processes email — can see your entire inbox.
Update recovery options
Security → Ways we can verify it’s you. Make sure your recovery email and recovery phone number are current. These are what Google uses to verify your identity if you’re locked out. If the email listed is one you no longer access or the phone number is old, update them now — before you need them.
Turn off less secure app access
Security → Less secure app access. If this is on, turn it off. It allows older apps that don’t support modern authentication to connect to Gmail, which weakens your account’s security posture. Modern apps all support OAuth — if something requires less secure app access, it’s outdated and should be replaced.
Review recent activity
At the bottom of the Gmail inbox, click “Details” next to “Last account activity.” This shows the IP addresses and locations of recent logins. If you see activity from a location you’ve never been, that’s a sign of unauthorized access — change your password immediately and review your recovery options for changes you didn’t make.
The bottom line
Run the Security Checkup. Enable 2FA with an authenticator app. Review devices and revoke anything unfamiliar. Audit third-party app access and remove anything you don’t need. Update recovery options. That’s the full 15 minutes, and it meaningfully hardens the account that most other accounts depend on for recovery.
