Implement User Security and 2-Step Verification
Learning Objectives
After completing this unit, you’ll be able to:
- Enforce 2-step Verification.
- Implement timeframes in which users access Workspace services.
Manage User Security Settings
As a part of security best practice, it’s recommended that you view and manage the security settings for your users in the admin console to reinforce and monitor the security of their Google accounts. Ensure you’re enforcing best practices by viewing your users' security settings.
- If you aren't already signed in, sign in to your domain as the administrator at admin.google.com.
- Click the Users icon.
- Locate Alex Bell in the user list and click his name.
- Then, click the Security card.
From here, you can:
- Reset Alex’s password.
- View the security keys enrolled by Alex.
- Add a key to his account. Under normal circumstances, a user must enroll in 2SV themselves, but if you (as the administrator) add a security key for the user, they're automatically enrolled.
- Determine if Alex has enrolled in 2SV.
- Edit Alex's account recovery information.
- Require a password change.
- Temporarily disable the login challenge. If there was a suspicious login session on a user’s account, they’re asked to verify their identity. If the authorized user can’t verify their identity, they’re locked out of their account. As the administrator, you can temporarily disable the login challenge (for 10 minutes) to allow the user to sign in.
- Reset Alex’s sign-in cookies. This signs the user out of all devices and browsers. This is useful if the user loses their phone as a primary measure of protection.
- View and revoke application-specific passwords. If your users use 2SV and need to sign in to apps or devices that don’t accept verification codes, they need application-specific passwords (ASPs) to access those apps. From the user’s security card you can view their apps and remove an app’s access to data. Note: This doesn’t stop the user from using the app in the future. To prevent that, you should set up an app’s allow list. This is covered later.
- View and remove access to third-party applications, for example Google Workspace Marketplace apps.
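Two of the items on the Security card, application-specific passwords and third-party app access, are the ones most often left unreviewed, and ASPs in particular bypass 2SV entirely. The script below is an added example (not part of this unit and not Google's code) that audits both for one user. It assumes the record shapes returned by the Admin SDK Directory API methods `users.asps.list` (fields `codeId`, `name`, `creationTime`, `lastTimeUsed`, epoch milliseconds as strings) and `users.tokens.list` (fields `clientId`, `displayText`, `scopes`); the sample records, the 90-day staleness threshold and the set of "broad" scopes are constructed assumptions for the example.

```python
"""Audit one user's application-specific passwords (ASPs) and third-party
OAuth tokens, the two items on the user's Security card that are easy to
forget to review.

Added example, not part of this unit and not Google's code. It assumes the
JSON shapes returned by the Admin SDK Directory API methods users.asps.list
and users.tokens.list. All sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption for this example: an ASP unused for this long is a candidate
# for revocation. ASPs bypass 2SV, so each live one is a standing risk.
STALE_AFTER_DAYS = 90

# Assumption: scopes that grant broad mailbox or Drive access.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the example


def _ms(dt):
    """Epoch milliseconds as a string, the encoding the API uses for times."""
    return str(int(dt.timestamp() * 1000))


# Constructed sample of users.asps.list items for one user.
SAMPLE_ASPS = [
    {"codeId": 1, "name": "Mail client on laptop",
     "creationTime": _ms(datetime(2024, 1, 10, tzinfo=timezone.utc)),
     "lastTimeUsed": _ms(datetime(2024, 5, 20, tzinfo=timezone.utc))},
    {"codeId": 2, "name": "Old phone",
     "creationTime": _ms(datetime(2023, 11, 1, tzinfo=timezone.utc)),
     "lastTimeUsed": "0"},  # never used since creation
    {"codeId": 3, "name": "Printer scanner",
     "creationTime": _ms(datetime(2024, 4, 1, tzinfo=timezone.utc)),
     "lastTimeUsed": "0"},
]

# Constructed sample of users.tokens.list items for the same user.
SAMPLE_TOKENS = [
    {"clientId": "calendar-widget.example", "displayText": "Calendar widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "mail-addon.example", "displayText": "Mail add-on",
     "scopes": ["https://mail.google.com/", "openid"]},
]


def last_activity(asp):
    """When the ASP was last used, falling back to its creation time when the
    API reports no use ("0")."""
    used_ms = int(asp.get("lastTimeUsed") or 0) or int(asp["creationTime"])
    return datetime.fromtimestamp(used_ms / 1000, tz=timezone.utc)


def stale_asps(asps, now=NOW, max_age_days=STALE_AFTER_DAYS):
    """Return (codeId, name, days_idle) for ASPs idle longer than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return [
        (asp["codeId"], asp["name"], (now - last_activity(asp)).days)
        for asp in asps
        if last_activity(asp) < cutoff
    ]


def broad_tokens(tokens):
    """Return (clientId, displayText, matching broad scopes) for tokens that
    hold any of BROAD_SCOPES."""
    found = []
    for tok in tokens:
        hits = sorted(set(tok.get("scopes", [])) & BROAD_SCOPES)
        if hits:
            found.append((tok["clientId"], tok.get("displayText", ""), hits))
    return found


def audit_user(asps, tokens, now=NOW):
    """Combine both checks into one review record for the user's Security card."""
    return {"stale_asps": stale_asps(asps, now),
            "broad_tokens": broad_tokens(tokens)}


if __name__ == "__main__":
    for key, rows in audit_user(SAMPLE_ASPS, SAMPLE_TOKENS).items():
        print(key)
        for row in rows:
            print("  ", row)
```

In practice you would feed the real list responses for each user into `audit_user` and act on the findings through the admin console Security card, or through the matching API calls `users.asps.delete` and `users.tokens.delete`. As the unit notes, removing an app's access does not stop the user re-authorizing it later; that needs the app allow list covered in a later unit.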
Enforce 2-step Verification (2SV) and Enroll
In an earlier exercise, you allowed your users to enroll in 2SV. Your company has decided to try out the 2SV feature, so it’s time to set up 2SV at the OU level. Your company has established a policy that all managers must set up 2SV. Your job is to enforce 2SV for them. In this pilot, you allow any 2SV method to be applied. You can review this later and enforce the use of security keys as these are the most secure.
- Sign in to your domain as the administrator at admin.google.com.
- Click the Security icon.
- Scroll down and click 2-step Verification. Note: You can enforce 2SV now or choose a specific date. If you choose a date, users see reminders to enroll in 2SV when they sign in.
- Click the Executive OU (left side of the page).
- Under Enforcement, choose On from, and use the date picker to choose an enforcement date. It’s a good idea to select a date between 2 and 4 weeks from now. It's important to understand that users who haven't enrolled by the enforcement date will be locked out of their accounts, so give enough time for everyone to enroll. You can check enrollment status by viewing the Enrollment report in your admin console. The report can take 48 hours to update, but you can always check an individual user's enrollment status from their user's security settings card on their profile.
- Scroll down and ensure that Methods is set to Any, then click SAVE.
At this point, send instructions to your users advising them how to enroll in 2SV. For this exercise, let's play the part of someone in the Executive OU and see how easy it is to enroll.
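Because anyone who has not enrolled by the enforcement date is locked out, it is worth checking enrollment for the whole OU as the date approaches rather than waiting for the Enrollment report to catch up. The following added example (not part of this unit and not Google's code) does that over user records. It assumes the per-user fields returned by the Admin SDK Directory API `users.list` method (`primaryEmail`, `orgUnitPath`, `suspended`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`); the user records, the enforcement date and the "today" value are constructed, and only timothy.lee@yourdomain and the Executive OU come from the unit itself. It also handles sub-OUs, since enforcement set on an OU is inherited by the OUs beneath it.

```python
"""Enrollment-readiness check for a 2SV enforcement date.

Added example, not part of this unit and not Google's code. It assumes the
per-user fields returned by the Admin SDK Directory API users.list method.
The user records below are constructed; only timothy.lee@yourdomain and
the Executive OU are named in the unit.
"""
from datetime import date

# Constructed sample of users.list items.
SAMPLE_USERS = [
    {"primaryEmail": "timothy.lee@yourdomain", "orgUnitPath": "/Executive",
     "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "exec.two@yourdomain", "orgUnitPath": "/Executive",
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "exec.assistant@yourdomain",
     "orgUnitPath": "/Executive/Assistants",
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "former.exec@yourdomain", "orgUnitPath": "/Executive",
     "suspended": True, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "contractor@yourdomain", "orgUnitPath": "/Contractors",
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]

ENFORCEMENT_DATE = date(2024, 6, 15)  # constructed: the date picked in the console
TODAY = date(2024, 6, 1)              # constructed: fixed clock for the example


def in_ou(user, ou_path):
    """True if the user sits in ou_path or any OU beneath it.
    "/Executives" is not beneath "/Executive", so match on the path boundary."""
    path = user.get("orgUnitPath", "/")
    return path == ou_path or path.startswith(ou_path.rstrip("/") + "/")


def enrollment_gaps(users, ou_path, enforcement_date, today):
    """Active users in scope who have not enrolled, with days until lockout.
    Status is 'locked_out' once the date has passed, else 'at_risk'."""
    days_left = (enforcement_date - today).days
    status = "locked_out" if days_left <= 0 else "at_risk"
    return [
        {"email": u["primaryEmail"], "ou": u["orgUnitPath"],
         "days_left": days_left, "status": status}
        for u in users
        if in_ou(u, ou_path) and not u.get("suspended")
        and not u.get("isEnrolledIn2Sv", False)
    ]


def enrollment_summary(users, ou_path):
    """Counts for the OU (sub-OUs included), ignoring suspended accounts."""
    scoped = [u for u in users if in_ou(u, ou_path) and not u.get("suspended")]
    enrolled = sum(1 for u in scoped if u.get("isEnrolledIn2Sv"))
    return {"in_scope": len(scoped), "enrolled": enrolled,
            "not_enrolled": len(scoped) - enrolled}


if __name__ == "__main__":
    print(enrollment_summary(SAMPLE_USERS, "/Executive"))
    for gap in enrollment_gaps(SAMPLE_USERS, "/Executive", ENFORCEMENT_DATE, TODAY):
        print(gap)
```

Run it a few days before the enforcement date and send the `at_risk` list a reminder; anyone still on the list when `days_left` reaches zero will need the enforcement date pushed out or a security key added by the administrator, as described in the Security card section above.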
Enroll in 2SV (Optional)
Now that you've enabled enforcement in 2SV, users in the Executive OU will see a notice each time they log in and receive reminder emails until they enroll. Let's verify that it works and enroll as one of the executives. The following steps are optional if you don't have a phone available or if you prefer not to enroll a user using your phone number.
- Sign out and sign back in to Google Workspace at mail.google.com as timothy.lee@yourdomain. After you enter your password, you'll see a new prompt informing you that your organization is enforcing 2SV. You have the option of enrolling now or later.
- Click ENROLL and reenter your password.
- You’re asked to set up your phone. Enter your phone number into the box provided.
- Then, choose how you want to receive codes (via text message or phone call) and click NEXT.
- At this point, you receive a call or a text from Google. Enter the code provided into the code field and click NEXT.
- You should see a confirmation that the code was accepted. To enroll, click TURN ON. You're redirected to myaccount.google.com, which informs you that your phone has been verified. You can also see secondary options listed, which you can set up now or later.
- Backup codes: Print a set of codes to use in the event you lose your security key.
- Google prompts: Get a Google prompt on your phone and just tap Yes to sign in.
- Authenticator app: Use the Authenticator app to get free verification codes, even when your phone is offline.
- Backup phone: Add a backup phone so you can still sign in if you lose your phone.
- Security Key: A small physical device used for signing in. It plugs into your computer's USB port.
- Sign out and sign back in at mail.google.com as timothy.lee@yourdomain. After you enter your password, you should be prompted for a code, which is provided via text or a phone call. You may also be given the option to trust the device so you aren't asked again. This feature is controlled from the 2-step Verification settings page in the Admin console. Let's return to the admin console and view Timothy's profile.
- Sign in to your domain as the administrator at admin.google.com.
- Click the Users icon.
- Locate Timothy Lee in the user list and click his name. On the security card, you can see that 2-step verification is ON for Timothy.
- Click the Security card.
- Click 2-step verification. This is where you can get backup codes for Timothy in the event he can't use his chosen 2SV method. You can also turn off 2SV for Timothy as the enforcement date has not yet been reached. Note that once the date has been reached, you won't be able to turn it off.
- Navigate to the 2SV enforcement options for the Executive OU and select enforce 2SV from now. Then go back to Timothy's security card and notice that the option to turn 2SV off is grayed out.
- Navigate to the 2SV enforcement options and disable 2SV enforcement, or set enforcement to a future date to ensure no one is locked out of their account.
When to Use Exception Groups for 2SV
What happens when you need to apply 2SV to only some members of an OU? You use exception groups. The following video expands on the use of exception groups and when you should use them.
Configure Sessions Controls
As an administrator, you can control how long users can access Google services, such as Gmail, without having to sign in again. You can set session lengths from 1 hour to indefinite so the session never expires. By default, the session length for Google services is 14 days.
If you want some users to have a different session length than others, you can move them to a separate OU and set the session length for that OU to meet your business requirements. Let’s learn how to reduce the session length for your contractors.
Your company provides laptops to off-site contractors and wants to ensure that someone leaving the device with an active Google Workspace session doesn't compromise the device. They've decided to require each contractor to sign in at least once a day.
- If you aren't already signed in, sign in to your domain as the administrator at admin.google.com.
- Click the Security icon.
- Then scroll down and click Google session control.
- Click the Contractors OU (left side of the page).
- Set Session control to 8 hrs.
- Click OVERRIDE. This overrides the top-level organization's setting of 14 days.
In the next unit, you explore single sign-on (SSO) and the various options you have for implementing SSO via the Google Workspace admin console.