These days, passwords alone aren’t sufficient to protect your online identity. Two-factor authentication (2FA), also called two-step verification within Google products, has become part of basic security hygiene, and we recommend enabling it for all of your users.
Which 2FA methods does Google support?
- SMS & voice codes; one-time-use passcodes delivered either as an SMS text message or as an automated voice call
- Back-up codes; one-time passwords that the user can print out. The printout can be taken into places where a phone or other device is not allowed
- App-based OTPs & mobile push; an app on the user’s device generates a one-time password (OTP), or receives a push prompt, to validate the user’s identity
- FIDO U2F keys; these are in a category of their own. They were pioneered at Google and designed from the ground up to be resistant to phishing
Using any of these supported 2FA methods increases the security of your user accounts. However, not all of them have the same security properties.
From a security perspective, these methods fall into three buckets:
- SMS & voice codes are the least secure of these options. They are vulnerable to what is known as SIM-swap attacks, and the SS7 telephony protocol that carries them has long-standing vulnerabilities of its own. In addition, SMS codes can be phished.
- Back-up codes, TOTP-based authenticator apps & mobile push fall into the second category. All of these methods can be phished, and the increasing availability of phishing kits on the internet makes them unsuitable for your highest-risk users.
- FIDO-based U2F keys, which are designed to be phishing resistant, are the answer to your phishing problems!
As an admin, you have the opportunity to categorise your users into one of the three buckets, and apply the appropriate policies in the admin console.
How to implement a 2FA policy as an admin?
As an admin, you can create three organisational units in your console: one for all of your users, one for your medium-risk users, and one for your high-risk users. Once these exist, you can enforce 2FA for all of your users, prevent SMS for your medium-risk users, and enforce the use of security keys for your high-risk users.
A step-by-step guide
- First, you need to find the Security Settings page. You can do this by using the navigation menu on the side.
- On this page you will find the 2FA settings, with the familiar organisational unit tree on the left-hand side. Following the scenario above, your decision is to enforce the use of any 2FA method for your entire organisation. To achieve this, select the top-level organisational unit on the left, click ‘Turn on enforcement from date…’, and choose an appropriate date. This gives your users time to enrol their second factors. Once that date is reached, any users who haven’t completed enrolment for their accounts will be locked out. Remember to ‘Save’.
- To enforce the use of 2FA, excluding SMS, for a medium-risk organisational unit, you will first need to click ‘Turn on enforcement from date…’ and select the option ‘Any except verification codes via text, phone call’. Then click ‘Save’.
- Finally, to enforce user security keys for high-risk users, select ‘Turn on enforcement from date…’ and then the ‘Only security keys’ option.
Once this is finalised, Google will send your users a notification email indicating that their organisational admin has enforced 2FA settings and that they must enrol the appropriate method on their account before the prescribed date.
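Because the enforcement date locks out anyone who has not enrolled by then, it is worth checking readiness before the deadline rather than after. The following script is an added example (not the post’s own code, and not a Google-provided tool) of such a check, run over user records shaped like the Admin SDK Directory API `users.list` response: `primaryEmail`, `orgUnitPath`, `isEnrolledIn2Sv` and `suspended` are real fields of that API, while the OU names, the policy mapping and the sample users are constructed for the example. It applies the three policies from the steps above by longest-prefix match on the OU path, so sub-OUs inherit their parent’s setting.

```python
from datetime import date

# Policy labels mirror the Admin console options used in the steps above.
POLICY_ANY = "Any"
POLICY_NO_SMS = "Any except verification codes via text, phone call"
POLICY_KEYS_ONLY = "Only security keys"

# Assumed OU layout (hypothetical names): the root for everyone, plus two risk tiers.
OU_POLICIES = {
    "/": POLICY_ANY,
    "/Medium risk": POLICY_NO_SMS,
    "/High risk": POLICY_KEYS_ONLY,
}


def policy_for_ou(org_unit_path: str, ou_policies=OU_POLICIES) -> str:
    """Longest-prefix match: a child OU inherits the nearest ancestor's 2FA policy."""
    best = "/"
    for path in ou_policies:
        if path == "/":
            continue
        if org_unit_path == path or org_unit_path.startswith(path + "/"):
            if len(path) > len(best):
                best = path
    return ou_policies[best]


def enrolment_gaps(users, ou_policies=OU_POLICIES):
    """Active users who are not yet enrolled and will therefore be locked out on the
    enforcement date. Caveat: the API reports only whether a user is enrolled, not which
    method they chose, so a high-risk user enrolled with SMS alone still passes here;
    the method itself is what the 'Only security keys' policy enforces at sign-in."""
    gaps = []
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in anyway
        if u.get("isEnrolledIn2Sv"):
            continue
        gaps.append({
            "email": u["primaryEmail"],
            "orgUnitPath": u["orgUnitPath"],
            "required": policy_for_ou(u["orgUnitPath"], ou_policies),
        })
    return gaps


def days_until_iso(enforcement_date: str, today: str) -> int:
    """Days left before the 'Turn on enforcement from date' deadline (ISO dates)."""
    return (date.fromisoformat(enforcement_date) - date.fromisoformat(today)).days


# Constructed sample records in the shape of Directory API users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/High risk",
     "isEnrolledIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/High risk",
     "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "orgUnitPath": "/",
     "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "dave@example.com", "orgUnitPath": "/Medium risk/Finance",
     "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "erin@example.com", "orgUnitPath": "/Medium risk",
     "isEnrolledIn2Sv": False, "suspended": True},
]


if __name__ == "__main__":
    for gap in enrolment_gaps(SAMPLE_USERS):
        print(f"{gap['email']:<22} {gap['orgUnitPath']:<22} needs: {gap['required']}")
```

In practice the `users` list would come from paging through `users.list` for your customer; re-running the report a few days before the enforcement date, and chasing the users it lists, avoids the lockouts the step above warns about.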
The Advanced Protection Program
The Advanced Protection Program was launched in 2017 to protect consumer Google accounts, and it is now available for Enterprise accounts as well. The program consists of a bundle of high-security settings, including the enforcement of security keys and the blocking of unauthorised third-party applications from accessing the user’s account data.
You can apply these policies to your enterprise user accounts through your security settings page, by navigating down to a new card called ‘Advanced Protection Program’. There you can select one of the organisational units on the left panel to allow users to self-enrol into the program.
In summary, the Advanced Protection Program is a convenient way for you to apply a bundle of high-security settings to your most vulnerable user accounts. More information can be found here.
If you are ever concerned about the security of your G Suite domain, speak to our team of experts on +44 (0) 161 871 0330. We run G Suite Security Workshops that can help to improve your G Suite Security Posture!