Google Cloud Platform - Enforce Multi Factor Authentication (MFA)

Question

What is the proper way to configure / enforce MFA, so that all of the admin accounts in my Google Cloud Platform are required to have MFA configured and enabled? I found some guidance about this topic, but that required logging in each and every admin and checking manually.

Answer 1

To set up cloud identity:

Choose between Cloud Identity Free or Cloud Identity Premium. In this link, you can compare both editions.

• Instructions for signing up for Cloud Identity Free
• Instructions for signing up for Cloud Identity Premium

To create your Cloud Identity account and first admin user using the Setup Wizard:

• In the About you section, enter your first and last name in the Name field.
• In the Current email address you use for the work field, enter the email you used to create your prototype project.
• This email address will be used as a recovery address. It must be different from the address you create below that you'll use as your
  admin account for Cloud Identity.
• In the About your business section, enter your company name in the Business or organization name field.
• In the Country/Region field, choose the appropriate country or region from the pulldown list.
• Click Next to set up your domain.
• In the Your Cloud Identity Domain window, add the domain you've already purchased for your company. You'll need to verify that you
  own it by creating a specific CNAME record or uploading an html file.
• In the Create your Cloud Identity account window, enter a username and password. This account is your Cloud Identity administrator
  account and must be different from the email address you entered in
  step 2 above. As a best practice, we recommend that you enter a
  username with the following format: [email protected].

More information about setting up Cloud Identity can be found here.

Multi Factor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-step verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).

To deploy a 2-step verification

Step 1: Notify users of 2-Step Verification deployment (required) Before deploying 2-Step Verification, communicate your company’s plans to your users, including:

• What is 2-Step Verification and why your company is using it
• Whether 2-Step Verification is optional or required
• If required, give the date by which users must turn on 2-Step Verification Which 2-Step Verification method is required or
  recommended.

Step 2: Set up basic 2-Step Verification (required) Next, let your users turn on 2-Step Verification. By default, users can turn on 2-Step Verification and use any verification method. (G Suite accounts created before December 2016 have 2-Step Verification turned off by default).

Step 3: Enforce 2-Step Verification (optional) As an administrator, enforcing 2-step verification for your users is an optional step.

Make sure users are enrolled in 2-Step Verification before turning on enforcement. Users who aren’t enrolled can't sign in to their accounts.

Enforcement methods

• Any—Users can set up any 2-Step Verification method.
• All except verification codes via text, phone call—Users can set up any 2-Step Verification method except using their phones to receive 2-Step Verification verification codes.
• Only security key—Users must set up a security key.

More detailed instructions in this link.

If you want to use Text message or phone call as your 2-step verification method, consider:

If you currently allow any 2-Step Verification method, you probably have users who verify only by text and voice call. To avoid locking out these users from their accounts:

Before enforcement takes effect, tell users to start using another 2-Step Verification method. Also, inform them that 2-Step Verification verification codes won't be available on their phones after the enforcement date. Use the login_verification Login Audit activity event to track users who sign in using 2-Step Verification verification codes they receive by text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated with a text or voice verification code.

In this link, you will find a more detailed guide for the users to activate their 2-step verification method.