It happens all the time. A familiar sign-in window pops up on your screen, asking for your account password to enable you open a document or access emails. It happens so often we no longer notice and simply go through the motions on autopilot. But Google warns this is dangerous and needs to stop before you lose your account.

Most Gmail users “still rely on older sign-in methods like passwords and two-factor authentication (2FA),” Google warns, despite the FBI reporting that “online scams raked in a record $16.6 billion last year — up 33% in just one year — and are growing more sophisticated.” That means you’re less likely to spot an attack until it’s too late.

ForbesSamsung’s Galaxy Upgrade Just Made Android More Like iPhone

When I first covered Google’s alarming new stats, the company told me the warning to upgrade accounts is right, but needs to go further. This is about more than Gmail, it’s about all the accounts that can be accessed with a Google sign-in. But Gmail is the most prized, because your email account opens up access to so much more.

And less than a month later we have a frightening new proof point as to exactly why accounts that are protected by passwords and even 2FA are at such risk. Okta warns threat actors are now “abusing v0 — a breakthrough GenAI tool created by Vercelopens to develop phishing sites that impersonate legitimate sign-in webpages.”

That’s why Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That means upgrading the security on your Google Account to add a passkey. This stops attackers accessing your account, because the passkey is linked to your own devices and can can’t be stolen or bypassed. Most Gmail users still don’t have passkeys — but all must add them as soon as possible.

Okta says this “signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts.” If you’re willing to use your password, you’re at risk.

And that’s the second part of this warning. Upgrading your account with a passkey only helps secure that account if you change your behavior as well. No more entering a password when prompted — only use your passkey. And if that’s not possible, make sure your account uses a different form of 2FA to SMS codes. An authenticator app is best.

Okta warns ”today’s threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities. The use of a platform like Vercel’s v0.dev allows emerging threat actors to rapidly produce high-quality, deceptive phishing pages, increasing the speed and scale of their operations.”

Passkeys are phishing resistant. That’s why Microsoft is going even further than Google, actively pushing users to delete passwords altogether and removing them from its own Authenticator app, and will now limit that app to passkeys only.

ForbesMicrosoft Warns 400 Million Windows Users—Upgrade Your PC NowBy Zak Doffman

This is just the beginning of the new AI-fueled attacks that will fast become the norm. Attackers are playing with these new tools, and that’s changing the game. You need to ensure that all your key accounts are fully protected — it’s a change you should make today, not some time soon when you get around to it.

“We build advanced, automatic protections directly into Google’s products,” the company says, “so security is something you don’t have to think about.” But if you’re still securing those products with a password — the digital equivalent of a flimsy $5 padlock, then you are playing into the hands of those attackers.

It takes a few seconds and can be done directly from here.

Add your passkey now.