Forcing 2 Step verification On Organization

Hi there,

I noticed that Google Workspace doesn't have a convenient way to force 2 Step across the whole Organization. Currently you have to set up an enrollment period and notify everyone to enable the feature.

Then if an employee doesn't complete it he gets locked out with an error message that says, "your sign-in settings don't meet your organization's 2-step verification policy. contact your admin for more info."

 

I find this method very inconvenient because we as Admins have to chase around employees to enable 2 Step. It would be much easier if there was a setting where we can make employees have to sign up for 2 Step on next log in. In this day and age 2 Step should always be required.

 

Thanks, 

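
The enrollment-period workflow described in the post leaves admins to find out who is still unenrolled. The following is an added example, not code from the thread, from Google, or from the Admin console: it triages users by the two 2-Step Verification booleans that the Admin SDK Directory API returns on each user resource (`isEnrolledIn2Sv`, `isEnforcedIn2Sv`) so the people who will hit the lockout message can be chased before the enforcement date instead of after the first ticket. The user records and the dates are constructed sample data so the script runs offline; the call to `users.list` mentioned in the docstring is where a real run would source them.

```python
"""Triage Google Workspace users by 2-Step Verification (2SV) enrollment state.

Added example; not Google's code. It consumes user records shaped like the
Admin SDK Directory API users.list response, which carries per user:

  isEnrolledIn2Sv  - the user has set up a second factor
  isEnforcedIn2Sv  - the 2SV policy is currently being enforced on the user

SAMPLE_USERS and the two dates below are constructed so the script runs
offline; a real run would replace SAMPLE_USERS with the paged results of
users.list(customer="my_customer", projection="basic") fetched with an admin
credential.
"""
from datetime import date

# Constructed sample, shaped like Directory API user resources (fields trimmed).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True,  "isEnforcedIn2Sv": True,  "suspended": False},
    {"primaryEmail": "bob@example.com",   "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,  "suspended": False},
    {"primaryEmail": "dave@example.com",  "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]

# Constructed dates: "today" and the end of the enrollment period.
DEMO_TODAY = date(2024, 3, 1)
DEMO_ENFORCEMENT = date(2024, 3, 15)


def triage_2sv(users, today, enforcement_date):
    """Sort users into buckets an admin can act on before the enforcement date.

    Returns a dict of primary-email lists:
      locked_out - not enrolled while enforcement already applies; these are the
                   users who see the "sign-in settings don't meet your
                   organization's 2-step verification policy" error
      at_risk    - not enrolled, enforcement not yet applied; need a reminder
      enrolled   - already have a second factor
      suspended  - cannot sign in, so not an active login risk
    plus days_left, the days until enforcement_date (negative once it has passed).
    """
    buckets = {"locked_out": [], "at_risk": [], "enrolled": [], "suspended": []}
    for u in users:
        email = u["primaryEmail"]
        if u.get("suspended"):
            buckets["suspended"].append(email)
            continue
        enrolled = u.get("isEnrolledIn2Sv", False)
        enforced = u.get("isEnforcedIn2Sv", False)
        if enrolled:
            buckets["enrolled"].append(email)
        elif enforced:
            buckets["locked_out"].append(email)
        else:
            buckets["at_risk"].append(email)
    buckets["days_left"] = (enforcement_date - today).days
    return buckets


def reminder_lines(triage):
    """Render one line per at-risk user for a service-desk or mail-merge export."""
    days = triage["days_left"]
    when = f"in {days} day(s)" if days >= 0 else f"{-days} day(s) ago"
    return [f"{email}: 2SV not set up; enforcement starts {when}"
            for email in triage["at_risk"]]


if __name__ == "__main__":
    result = triage_2sv(SAMPLE_USERS, DEMO_TODAY, DEMO_ENFORCEMENT)
    for bucket in ("locked_out", "at_risk", "enrolled", "suspended"):
        print(f"{bucket}: {result[bucket]}")
    print("\n".join(reminder_lines(result)))
```

Run it daily from the start of the enrollment period: the `at_risk` list is the reminder audience, and a non-empty `locked_out` list after the deadline is the set of accounts whose tickets are about to arrive.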

I completely agree, but meanwhile I'm afraid there is no other solution in this case, except preparing your service desk for incoming tickets when the date comes due.

There's a good (I think) reason to have a defined enrollment period. Specifically, you want to give people a bit of time to choose to set up 2FA, and not just force 2FA on at next login, because not everyone will be in a position to set up 2FA the very next time they log in. To make up an example, I'd definitely want to be at my desk and computer when I set it up, not trying to do so as I checked my email on the train on my way to the office one morning.

At a much bigger level, for us these days, most service changes are probably at least 75% change management, and 25% or less technical.
I personally believe the IT industry in these days of SaaS/PaaS/etc.—or at least the role of the traditional "IT guy"—is changing from being about technical wizardry and into much more about being a technologically expert business partner, working with the other teams in the company as a two-way conduit between the technologies available and the business problems that need solving. It's a pretty big change for a lot of us!

Just my 2 cents, of course,

Ian

I agree with your point on giving extra time to set up 2SV, but if we don't enforce it, naturally users are not ready to enrol for 2SV, which ultimately moves them to a locked state, which results in an account lock and an extra ticket.

How about a very obvious countdown of logins allowed to bypass 2-step setup before forcing setup? 

Not a bad idea! You might want to post this to the Feature Ideas section here. See https://www.googlecloudcommunity.com/gc/Feature-Ideas/gh-p/workspace-ideas-group, and https://www.googlecloudcommunity.com/gc/custom/page/page-id/Workspace-Feature-Ideas-FAQ for how to get access. This will allow it to be upvoted by others and possibly considered as a future feature enhancement.

If you are submitting a feature idea, be sure to explain the problem that you're trying to solve with the feature idea, not just the idea itself. For example, saying "when my users are trying to do 'A', they often get confused by the fact that the buttons to do 'X' and to do 'Y' look quite similar to each other, which leads to this unintended consequence" is far more likely to get fixed than a feature idea that just says "change the color of the button 'Y'".

Cheers,

Ian

Not having this feature has nearly doubled the calls to our service desk and resulted in hours of programming time to create custom patchwork solutions. This simple solution of enforcing enrollment at sign-in would solve the problem. If someone isn't prepared to enroll at sign-in, then they can sign in later and enroll then. I don't understand the logic on this one. Seems like an easy call.

Yes, allowing an amount of time for compliance is a good thing, but it should NOT result in the user simply being locked out when the time is up. Rather, at the first login once that grace period is up, the user should be presented with an "ENROLL" button along with a message "You must enroll in 2-step now." Just like when you force a password reset, and the user's next login results in a screen asking them to reset their password. Why lock them out without prompting them to enroll, at least once, after the grace period ends?

It's still a problem. And a bit of a no-brainer. It's bizarre that this process is not automated. I would have thought that gws would just force users into setting up the 2 step verification once their grace period is over. Requiring admin intervention is a pita.

The sad part is Microsoft has solved this. I just worked on their new MFA requirements for our school's MS 365 sub and it simply enforces MFA at first login. None of these bizarre lockout requirements.
