Verification strategies for organizations?

Our org. does not want anyone using personal phone numbers or emails for verification of org. accounts. Tried to set every account up with the same verification email and the same verification phone number (both controlled by the org.). Set these in GWS for each user under "recovery information" and this was accepted for each.

However:

• when a user needs to verify at login, they are never given the option to use the email.  Can I allow this somehow?

• although as admin I set the recovery number as above, under each individual account that number is unverified.  (Was able to verify a few before Google wouldn't allow more.)   So, is there a way to force verification from the GWS admin account?  (It doesn't even show that it is unverified from the admin console.)

• if there is no resolution to either above, and the recovery # remains unverified from the individual account perspective, and that account needs to use that unverified # to ah, verify their own login, then what happens?  will it just be "good" forever?

• finally, as per title:  WTH do organizations do to keep the chain of verification in house, away from personal devices?  


Hi there.

Recovery information is used for automated user account password recovery (via the "forgot password" process) if your organization has that option enabled for users. I recommend it be disabled, so that users must request admin assistance with account recovery. Coincidentally, I recommend turning this off for super admins as well - and using your Google Cloud Partner as their safety net, instead of exposing your most important account(s) to an automated password reset process bad actors can exploit.

For 2-step verification purposes, admins have the following options:

  • Any method (includes verification codes sent via text, phone call, where the phone number must be verified in order to enroll)
  • Any method except verification codes sent via text, phone call (includes authenticator app, backup codes, Google prompt notifications, and security keys)
  • Only security key

I recommend "only security key" (absolutely for admins, but strongly recommended for non-admins too) as it's by far the most secure option - and contrary to popular assumption, is not a hassle. This keeps the chain of verification away from personal devices, and you can revoke a security key from a problematic user's account instantly in the Admin Console.

If your organization chooses not to invest in security keys (~$50 each), then I recommend "any method except verification codes sent via text, phone call" and promoting "Google prompts" as it's the most convenient (single tap) method to sign in. Authenticator apps are fairly easy, too, but do require a 6-digit code to be retrieved and keyed in. Backup codes should be used only as backup.

Verification codes sent via text or phone call are inherently poor methods of 2-step verification because they're inconvenient, easy for bad actors to socially engineer access to, and sent over unencrypted mediums that are prone to SIM-swapping and number-porting schemes.

Is this information helpful? Feel free to reach out if I can be of more assistance.
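As an added example (not from this thread, and not Google's code), the check an admin could run over user records in the shape of the Admin SDK Directory API user resource, looking for the situations the reply above warns about: one recovery number shared across many accounts, users not enrolled in 2SV, and admins without 2SV enforced. The records are constructed inline; fetching real ones via users.list() with admin credentials is assumed and not shown.

```python
"""Audit Directory-API-style user records for shared recovery numbers and
weak 2SV posture. Field names (primaryEmail, isAdmin, isEnrolledIn2Sv,
isEnforcedIn2Sv, recoveryPhone, recoveryEmail) follow the Admin SDK user
resource; the records below are constructed, not fetched."""
from collections import defaultdict

# Constructed sample: a small org that put the same recovery number on
# every account, as described in the original question.
SAMPLE_USERS = [
    {"primaryEmail": "admin@example.org", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "recoveryPhone": "+15555550100", "recoveryEmail": "recovery@example.org"},
    {"primaryEmail": "treasurer@example.org", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "recoveryPhone": "+15555550100", "recoveryEmail": "recovery@example.org"},
    {"primaryEmail": "secretary@example.org", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "recoveryPhone": "+15555550100", "recoveryEmail": "recovery@example.org"},
    {"primaryEmail": "member@example.org", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]


def audit_users(users, shared_threshold=2):
    """Return findings keyed by check name, each listing affected accounts."""
    by_phone = defaultdict(list)
    findings = {"shared_recovery_phone": {}, "not_enrolled_2sv": [],
                "admin_2sv_not_enforced": [], "no_recovery_info": []}
    for u in users:
        email = u["primaryEmail"]
        phone = u.get("recoveryPhone")
        if phone:
            by_phone[phone].append(email)
        elif not u.get("recoveryEmail"):
            findings["no_recovery_info"].append(email)
        if not u.get("isEnrolledIn2Sv", False):
            findings["not_enrolled_2sv"].append(email)
        if u.get("isAdmin") and not u.get("isEnforcedIn2Sv", False):
            findings["admin_2sv_not_enforced"].append(email)
    # One number reused across accounts means one SIM swap reaches all of them.
    findings["shared_recovery_phone"] = {
        p: accts for p, accts in by_phone.items() if len(accts) >= shared_threshold}
    return findings


if __name__ == "__main__":
    for check, hits in audit_users(SAMPLE_USERS).items():
        print(check, hits)
```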

Hi Christian,

Thank you for your comprehensive response. This is my first time acting as an admin for GWS, so pls forgive newbie questions. (Sorry took a while to respond too, got caught up.) I'm supposed to get a call from tier II support soon, so if based on these comments you think there's anything to ask them, pls let me know.

• we are a nonprofit with almost no budget; I'm doing this work as a volunteer. No budget for anything related to this.

• most of the members are well into retirement (i.e., quite old) and resistant to change. Getting them to use an authenticator app will be nearly impossible but will try if I must.

• what is our Google Cloud Partner?

• So account "recovery information" isn't used for basic verification purposes (as opposed to password resets)? Because my experience so far shows that it is. If one of my users needs to verify, they are being sent a verification code to the recovery number I set for them in GWS Admin.  (And I know this because during setup -- I am acting as all of my users!)

• They are able to receive these verification codes by text, even if they themselves are unable to verify that recovery phone number within their own account.  (So far?? Will that be cut off at some point if they don't verify it? – because Google is rejecting them being able to do so due to the same number being used by too many devices)

• at this point we are completely uninterested in turning on 2FA. (Our info is just not that sensitive to be worth the hassle of it.)  We find that we're prompted to verify with certain actions, even though we do not have 2FA enabled.

• In fact our goal is less security, than it is avoiding complications and roadblocks to logging in and full account access for users, while also avoiding the need for use of any personal devices for verification, while also having only one cell phone available.

• what are "Google prompts"?  Do they apply to the verification requirements as opposed to 2FA?

So given this followup, could you answer the specific questions and revise your advice?  Thank you so much!

Google Cloud Partners are companies authorized by Google to implement, and support, Google Workspace, on their behalf. You can search for a Partner here.

"Recovery information" is only used for verification purposes in the event that Google decides to throw a sign-in challenge at them (based on a possibly suspicious sign-in attempt), which happens more often in the absence of proper 2SV enrollment.

Google prompts is a method of 2SV that sends a notification ("was that you?") that users only need to tap "yes" to authenticate - no codes to fumble around with.

Thanks again, Christian!  How does "Google Prompts" work? I saw it just yesterday when performing an action from an end-user account.  Just got that notification within the same account.  How does saying "yes" authenticate anything? If someone hacked into the account they would still be able to say "yes".

Also -- how can it be turned on across the board?  Seems very infrequent to be presented with that option.

Google prompt notifications are delivered to a known, approved device (one that's signed into the Gmail app) when enrolling in 2SV.

Once enrolled, the notification is sent only to those devices. Therefore, nobody can hack into the account without being in possession of one of those devices (and able to unlock it via passcode and/or biometrics).

Unlike a text code, the notification can't be intercepted, and can't be forwarded to someone else.

If text/phone verification codes are disabled in the admin console, then users will be presented with Google Prompts, as long as they have a device already signed into the Gmail app.