Gmail only asks for user credentials on first login, and that login session can last for weeks at a time. This is not as secure as you might hope, so even if you’re already logged in, Gmail will immediately start posting his 2FA challenge when you try to access “sensitive” settings. From the report: New protected settings are for filters, account forwarding, and IMAP. Soon, fiddling with any of these options will launch his 2FA prompt for “verify your identity” and require you to pass a challenge on your phone (these settings are only available on his web). If this his 2FA challenge fails or is not answered, you will get a bright red “Critical Security Warning” popup warning you that this challenge has been made on all your trusted devices.