With the many ransomware and other hacks, it’s pretty clear that having more end-user security in addition to other things is vital. But the convenience of the password is still very high, but it’s time for even small organizations to tighten things up particularly if you have customer data floating around somewhere (not to mention your code and email). So here’s the guide from Google which amazingly is more or less right:
Google Workspace Mandatory Warning
This is actually pretty easy, if you are a Google Administrator (note make sure you have at least two of these and we also have an account we never use which is the third). So what you have to do:
- Enable 2FV for all your users by going to Admin > Security > Authentication > 2-step verification. In that page, enable Allow users to turn on 2-Step Verification and make sure Enforcement is Off and Save.
- Warn your users, they need to have 2FA enabled before you make it mandatory. Email, discord, smoke signals, whatever it takes 🙂 They do this in their own Google Account where they enable their own 2FV Verification
- You can look at workspace.google.com console at the Users entry and see who has 2FA enabled. This is a column you can add to the user view or in Reporting > User Report > Security > Add new column and add the 2FV. If you have a lot of users, the Security > Security center > Security health and search for two-step verification
- Yes, you do have to browbeat people because once you turn on mandatory, it is a true pain to get them running
Enable 2FA Mandatory with warning
So now you have the recalcitrants with 2FA, you can then enable mandatory 2FA by a date, and around that time, if someone tries to log in without it, then it will fail. That is sort of what you want with Security > Authentication > 2-step verification > Allow users to turn on 2-Step Verification > Enforcement > Turn on enforcement from data
What if someone forgets?
If someone forgets, then the solution is that an admin can go into the user list and generate a recovery code and they can use this for one time:
- Give them the recovery code
- They can use this when they login
- They must enable 2FA otherwise, you will have to this again and again
If they are recalcitrant (or the boss), you can create an Organizational Group where 2FV is not enforced, but that’s kind of a (necessary!) cop out.
Leave a Reply