VPNs are a wholly legitimate way to use the Internet. The onus should never be on a legitimate user to disengage measures that they've taken for their privacy and safety.
In this case, the user has already authenticated with three factors(!). Framing potential VPN use as "suspicious" normalizes a more locked down, surveilled web with fewer rights for humans. We shouldn't be pushing that direction.
While I agree in this specific case, in general, the idea that privacy and safety measures trump all other factors is poorly thought out. What if, for my privacy and safety, I don't want to log into my account to view a specific piece of content? It ignores the reality and impacts of bot activity. And like, what if you paid the for the content? Obviously you have to sign in to view it.
Although maybe you didn't mean to make such a strong statement.
Using a VPN is not even the suspicious part. Using a public network (e.g. hotel Wi-Fi) can make you equally suspicious, in that case you would actually need to have a VPN to your home network to erase suspicion. So it's not about using VPN, it's about not making yourself easily trackable and surveillable
I don't know for sure but I personally doubt that hotel wifi has the same strength as a suspicion signal that VPN exit nodes have. Some normal users use global VPNs. Every criminal uses a global VPN. That is the problem.
Also, just to point it out, logging in at all is a bit suspicious. Normal users rarely do it. You authenticate to Google on your mobile and that's it, you never do it again.
All lot of these other comments are talking about policy and principals but I am just trying to help the OP by taking their question at face value. Their goal seems to be to login to Gmail.
And with a workspace account you can express that preference to Google. But the fact remains that 99.5% of the people who suddenly switch their login traffic from US to Romania or whatever have been hacked and your aesthetic beliefs about supposed rights strongly conflicts with what humans actually want.
>But the fact remains that 99.5% of the people who suddenly switch their login traffic from US to Romania or whatever have been hacked
Why wouldn't a 2-factor or a recovery email sent to another address be enough to refute this?
If you can hack someone's device, it's not that much more difficult to tunnel the connection through a residential VPN. If you can't hack their device, then you can't get 2-factor codes or access their other accounts.
In this case, the user has already authenticated with three factors(!). Framing potential VPN use as "suspicious" normalizes a more locked down, surveilled web with fewer rights for humans. We shouldn't be pushing that direction.