DEV Community

Cover image for Google Workspace Security Part 1: Common Security Settings and 2SV
Andrew Despres
Andrew Despres

Posted on

Google Workspace Security Part 1: Common Security Settings and 2SV

Preamble:
This space will be utilized to synthesize my notes and help improve my learning process while I study for the Google Workspace Professional Administrator certification. I will be doing a similar process for other certifications I work on in the future. Please follow along for Google Workspace notes and feel free to ask any questions or, if I get something wrong, offer suggestions to correct any mistakes.

Configure common security settings

2-Step Verification, AKA 2SV or 2Factor Authentication (2FA), adds an extra layer of protecting for your users accounts by requiring them to provide an additional form of authentication. These 2 form factors of authentication can be:

  1. Something you know like a password
  2. Something you have like a cell phone or secondary email address
  3. Something you are like a finger print or iris scan

2SV is the single most important thing you can do to help secure your users Google Workspace accounts. It is best practice to utilize 2 of these 3 forms of authentication. Do not have 2 passwords for example as that is just 2 examples of something you know. Instead, utilize a something you know (password) with something you have (Authenticator app).

NOTE It is also recommended not to use SMS messaging any longer as a second factor for authentication because of the rise of SIM swapping attacks.

To allow users within your Google Workspace tenant to enable 2SV go to:

Go to Security> Authentication> 2-step Verification

Authentication Section in the Google Workspace Admin Panel

Please note that this will only enable 2SV for your users and will not automatically enroll them into 2SV. Users will need to enroll their account themselves. I will discuss methods to deploy 2SV a little later.

As a Google Workspace Administrator you can manage password policies for your users in your tenant. You can access these policies by going to:

Security> Overview> Password Management

These policies include:

Enforce strong passwords
Strength and length enforcement
Password reuse policy and others

Password Management Policies in the Admin Panel

Password/account recovery can also be configured for you. You may want to only allow Super Admins to recover accounts for your users. Alternatively, you can allow users to recover their own accounts by using any recovery information they have provided such as phone number or recovery email address. You can also choose to configure whether Super Admins can recover their own account, or, require another Super Admin to perform account recovery.

NOTE Password recovery is NOT possible if you utilize Single-Sign On (SSO).

NOTE Any users that have setup 2SV can only utilize email for account recovery

Account Recovery Options in the Admin Panel

Enforce and Deploy 2-Step Verification (2SV) and enroll

I will now explore how to enforce and deploy 2SV. You can find these settings by going to:

Go to Security> Overview> 2-step Verification

When deploying 2SV you can either deploy it by selecting the top OU of your tenant and every user will be required to enroll, or, you can affect a subset of users by selecting a specific OU or Group. Once you have your users selected you can then choose to have an "effective date". This means that your users will be prompted to enroll in 2SV by a certain date. Your effective date can be setup for up to 6 months in advanced. Before deploying and enforcing 2SV it would be prudent to inform your users as to what 2SV is and why its important. Below is an example of what your users will see when they log into their Google Workspace account during this enforcement period:

Example of what users will see during the 2SV enforcement period

As a Google Workspace Administrator you can configure which methods of 2SV are available to your users.

Methods of 2SV that users can select can be configured by a Super Admin

Below are some examples of what users can utilize:

  1. Backup codes: Print a set of codes to user in the event you are using a security key and you lose it.
  2. Google Prompts: Get a prompt on your phone where you can tap Yes to sign it.
  3. Authenticator App: Use an Authenticator app to get revolving verification codes.
  4. Backup phone: Use a backup phoen so you can still sign in if you lose your phone.
  5. Security key: Use a security key which is a small physical device used for signing in like a Yubikey or Titankey.

Now that your users have enabled 2SV for their accounts, as a Super Admin you can now generate Backup Verification Codes in the Admin Panel. You can find these codes by:

  1. Selecting the user in Users> Directory in the Admin Panel
  2. Go to the Security Tab> 2-Step Verification

From the Users Security Tab, a Super Admin can generate backup codes

Review a Userโ€™s Security Settings

You can review an individual users security settings in Google Workspace. You can do this via the users security card. You can view the following information about the users security settings:

  1. Reset the users password
  2. View the security key for the account. You may also add a security key to the account.
  3. 2SV status of the user
  4. Edit the recovery information of the account
  5. Force a password change
  6. Temporarily disable login challenges. If there are suspicious login sessions for a user they will be asked to re-verify their identity. If verification cannot be completed the account will end up locked. As a super admin, you can temporarily disable login challenges for 10 minutes to allow the user to sign in.
  7. Reset the sign-in cookies of the account
  8. Review and revoke application specific passwords
  9. View and remove access to third-party applications like Marketplace apps.

NOTE Users can also view and manage their own account security settings from myaccount.google.com

Configure session controls

As a Super Admin for your Google Workspace tenant you can configure how long a user can access Google Services for one session. Sessions can range in time from 1 hour to indefinite. By default the session length is 14 days. These settings can be overridden by OU if you require different users to have longer or shorter sessions. This can be done by going to:

Security> Overview> Google Session Control

Session Controls that a Super Admin can configure

This will conclude part 1 of Google Workspace Security. Part 2 I will go through some basics with SSO, Admin SDKs and APIs as well as managing connected apps. Thanks for coming on the journey with me. As mentioned above, if you have any questions for me or if I made a mistake, please leave me a comment and I would love to correct it or answer your question.

Until next time everyone!

Top comments (0)