As our digital footprint expands, an increasing number of applications and social networks are underpinned by a single email account, and that puts us at serious risk of account takeover or data breach. The credentials for that one email account can unlock dozens of others through password resets: social media networks, bank accounts, even our phone's current location.
A study by Google names credential leaks and phishing as the most prevalent and most destructive ways accounts are hijacked, and some compromises last for years before the target realizes their data has been stolen. Highly visible hijacking incidents include attacks on journalists, politicians, and government officials.
It follows that protecting the single account underpinning all the others goes a long way toward keeping your digital environment from being compromised, and one of the simplest ways to do that is Two-Factor Authentication, also known as 2FA.
What is Two Factor Authentication (2FA)?
Two-Factor Authentication adds a second proof of identity to your password when you log in, typically something you have: a phone that receives a prompt or a code, a hardware security key, or an authenticator app. Google and G Suite accounts support Google's own Google Authenticator app, but because Google uses the standard time-based one-time password (TOTP) scheme, third-party apps such as Authy or 1Password work just as well.
In this article, we're going to show you how to secure your G Suite Gmail accounts, first from the end-user view and then from the administrator view.
If you're a user wanting to set up 2-Step Verification on your own account, read on. If you're an admin wanting to enable and enforce it for all your users from the Admin console, skip ahead to the section for G Suite administrators.
2FA for Google G Suite Gmail Accounts
Turning on two-factor authentication for your Google account should take two minutes or less.
While logged into your Google account, click your profile icon at the top right and choose "Manage your Google Account" in the dropdown.
Select "Security" in the navigation. Note: Google often moves this item; sometimes it's above the icon, sometimes in a menu on the left.
Scroll to the "Signing in to Google" section.
Click the heading for 2-Step Verification. You'll be asked to sign in to your account again; provide your password and continue. You'll be shown a quick overview of the process. Click "Get Started" to begin.
The authentication options on the next screen are the methods your G Suite administrator allows for your account. They typically include a Google prompt on your iPhone or Android device, a physical security key, or a text message/voice call.
If you've been using your phone with your Google account, chances are it's already paired and available as a second step. If so, it will be listed on this screen.
Using the Google prompt is the quickest way to authenticate with your phone. When you log in, Google pops a message on your mobile device asking whether the login was you; tap "Yes" and you're authenticated. Only tap "Yes" for a sign-in you started yourself: a prompt you didn't trigger means someone else has your password, and you should change it.
Your device will be listed here if you have signed in to your Google account from that phone or tablet in the last 28 days. Most modern phones let you add your Google account in the phone's settings; check there if your phone is not listed.
If you can't attach your device to your Google account, choose another option. The link toward the bottom of the settings page lets you choose a security key or a text message/voice call instead.
The easiest option here is "Text Message or Voice Call." Bear in mind that it is also the weakest: a code sent to a phone number can be intercepted by an attacker who takes over your number (a SIM swap) or phishes the code from you, so treat it as a starting point and add a stronger method afterwards.
Enter a phone number, choose the method you prefer (text or phone call), and click Next. Google will text or call you with a code; enter it when prompted.
The final step is to turn on 2-Step Verification by clicking "Turn On."
You'll be brought back to the 2-Step Verification settings screen, which lists all the ways you can now authenticate to your Google account.
At this point it's a good idea to add additional methods in case your phone dies, you can't receive texts, or you don't have your phone with you.
I like using my 1Password app, which is accessible on my computer and all my other devices. For that method, choose AUTHENTICATOR APP in the list.
Once you choose Set up under Authenticator App, a popup will ask which kind of phone you have.
Choose your device and click Next. You'll be shown a QR code (Google calls it a barcode) to scan with your authenticator app.
Check your authenticator app for instructions on how to scan codes with that app; each one is slightly different.
Once you scan the code, your authenticator app will immediately start showing a six-digit code that changes every 30 seconds.
Click Next on the Google barcode screen. It will prompt you for that code. Enter it and you're all set. Remember, each authenticator code is only valid for a 30-second window, so if your code fails, wait for the app to roll over and enter the next one. The codes are derived from a secret embedded in the QR code, so treat a screenshot of that QR code as you would a password: anyone who has it can generate your codes.
Each time you add a new method of authentication, Google makes it the default.
Again, the Google prompt is the quickest and easiest way to authenticate; if it's available to you, we recommend choosing it. Click ADD GOOGLE PROMPT.
Click "Get Started."
If you've signed in with your phone over the past 28 days it will be listed here. If not, select "Use a different phone" and follow the simple instructions shown for your device type.
Once you've connected, Google will recognize the login and bring you back to the previous window.
Click "NEXT" to test.
Google will send a prompt to your phone.
Tap YES and you're authenticated. Again, this is the easiest method, as it needs no separate app and no typing of codes.
You'll be returned to the Google security settings with the new method set as the default.
As a final safety net, we recommend you grab the backup codes, which you can print or save and use in a pinch if none of your other devices are handy. Each code works only once, so store them somewhere separate from the devices they are meant to replace, such as a printed copy in a safe, rather than on the same phone.
Click Set up and a popup will show 10 eight-digit codes, with options to print or download them. Keep them in a safe place; you can also return to this section of your security settings to view or regenerate them.
Congratulations, Google's 2-Step Verification is now set up!
If you're a G Suite administrator, the following section explains how to set up two-factor authentication for your entire organization, how to require its use, and how to check which users have and haven't turned it on.
2FA for Google G Suite Administrators
Two-factor authentication can be turned on by any user in their own Google account settings, but it can also be required by the G Suite administrator through the Admin console.
Sign in to the Admin console at admin.google.com and choose the Security icon.
Google calls the setting 2-Step Verification, or 2SV; you'll find it at the top of the basic settings list inside Security.
Make sure the checkbox for “Allow users to turn on 2-step verification” is selected.
Then click on “Go to advanced settings to enforce 2-step verification >>.”
The first setting is enforcement.
You can choose to start enforcement on a specific date or turn it on now. Turning it on now will lock out any existing users who do not currently have 2SV turned on. That's why Google provides the next setting, which gives your users a window of time to enroll.
I usually set that period to one week and send an email to our users letting them know they have one week to enable 2-factor authentication before they are locked out of their accounts and will need admin support to get back in. You can view the enrollment report to see which of your users, if any, are currently using 2FA. This will help you identify which users need an email reminder.
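The enrollment report can also be pulled programmatically, which is handy when you have more users than you want to check by eye. This is an added example, not Google's code: it walks paginated responses of the kind the Admin SDK Directory API users.list call returns (the field names primaryEmail, suspended, isEnrolledIn2Sv and isEnforcedIn2Sv are real User resource fields) and sorts accounts into those already enrolled, those who need a reminder, and those who are under enforcement but not yet enrolled and so will be locked out when the grace period ends. The pages and the accounts in them are constructed; in practice you would obtain them from the API with a service account that has read access to users.

```python
"""Classify G Suite users by 2-Step Verification status.

Added example, not Google's code. SAMPLE_PAGES is a constructed imitation of
the JSON pages the Admin SDK Directory API users.list call returns, trimmed to
the fields used here. The accounts are made up.
"""

SAMPLE_PAGES = [
    {
        "users": [
            {"primaryEmail": "alice@example.com", "suspended": False,
             "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
            {"primaryEmail": "bob@example.com", "suspended": False,
             "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
        ],
        "nextPageToken": "page-2",
    },
    {
        "users": [
            {"primaryEmail": "carol@example.com", "suspended": False,
             "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
            {"primaryEmail": "old-contractor@example.com", "suspended": True,
             "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
        ],
    },
]


def iter_users(pages):
    """Yield every user across paginated responses.

    The API signals a further page with nextPageToken; a page without one is
    the last, so iteration stops there even if the caller passed more."""
    for page in pages:
        yield from page.get("users", [])
        if not page.get("nextPageToken"):
            break


def classify_2sv(pages):
    """Bucket accounts by 2SV status. Suspended accounts are reported separately
    so they don't inflate the reminder list."""
    report = {"enrolled": [], "needs_reminder": [],
              "enforced_not_enrolled": [], "suspended": []}
    for user in iter_users(pages):
        email = user["primaryEmail"]
        if user.get("suspended"):
            report["suspended"].append(email)
        elif user.get("isEnrolledIn2Sv"):
            report["enrolled"].append(email)
        elif user.get("isEnforcedIn2Sv"):
            # Enforcement applies but the user hasn't enrolled: they will be
            # locked out once the enforcement date / grace period passes.
            report["enforced_not_enrolled"].append(email)
        else:
            report["needs_reminder"].append(email)
    return report


def reminder_recipients(report):
    """Everyone who should get the one-week warning email, most urgent first."""
    return report["enforced_not_enrolled"] + report["needs_reminder"]


if __name__ == "__main__":
    summary = classify_2sv(SAMPLE_PAGES)
    for bucket, emails in summary.items():
        print(f"{bucket}: {len(emails)}")
    print("send reminder to:", ", ".join(reminder_recipients(summary)))
```

When fetching for real, the Directory API's user search also accepts a query such as isEnrolledIn2Sv=false, so you can ask for only the stragglers instead of filtering the whole directory client-side; the classification above is still useful for separating suspended accounts and the enforced-but-not-enrolled group that is about to be locked out.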
In the next setting, you'll select the methods your users can employ for 2SV. I usually set this to ANY, allowing users the widest range of adoption. You can secure accounts further with the "Any excep…" or "Only security key" settings, which are more restrictive and can require physical devices; security keys are the most phishing-resistant option, since the key only answers a genuine Google sign-in page, but choosing it means issuing a key to every user.
The final setting is how often the account requires the second step. The first option, the default, lets users tell Google to trust the device they used for 2-Step Verification, so they won't be asked for it again on that device for a period of time.
The default period is 30 days, after which the user will be asked to re-authenticate on that device the next time they log in. Currently this period cannot be edited; it is set by Google.
The second radio button, "Do not allow…", forces your users to complete 2SV every time they log in. This is more secure but can be a hassle for those who log in to different accounts multiple times per day. As an administrator, you'll need to weigh that friction against the risk to your organization and choose the most appropriate setting.
When you’re done with the settings, click “SAVE” and you’ll be returned to your authentication settings screen.
Take a moment now to write an email to your users explaining that you're introducing 2-Step Verification, along with the steps they need to follow to add 2SV to their accounts.
Of course, you can just share this article!