Google Cloud Platform - Enforce Multi Factor Authentication (MFA)


What is the proper way to configure / enforce MFA, so that all of the admin accounts in my Google Cloud Platform are required to have MFA configured and enabled? I found some guidance about this topic, but that required logging in each and every admin and checking manually.


To set up Cloud Identity:

Choose between Cloud Identity Free or Cloud Identity Premium. In this link, you can compare both editions.

To create your Cloud Identity account and first admin user using the Setup Wizard:

  • In the About you section, enter your first and last name in the Name field.
  • In the Current email address you use for work field, enter the email you used to create your prototype project.
  • This email address will be used as a recovery address. It must be different from the address you create below that you'll use as your admin account for Cloud Identity.
  • In the About your business section, enter your company name in the Business or organization name field.
  • In the Country/Region field, choose the appropriate country or region from the pulldown list.
  • Click Next to set up your domain.
  • In the Your Cloud Identity Domain window, add the domain you've already purchased for your company. You'll need to verify that you own it by creating a specific CNAME record or uploading an HTML file.
  • In the Create your Cloud Identity account window, enter a username and password. This account is your Cloud Identity administrator account and must be different from the email address you entered in step 2 above. As a best practice, we recommend that you enter a username with the following format: [email protected].

More information about setting up Cloud Identity can be found here.

Multi-factor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-Step Verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).

To deploy 2-Step Verification:

Step 1: Notify users of 2-Step Verification deployment (required)

Before deploying 2-Step Verification, communicate your company's plans to your users, including:

  • What 2-Step Verification is and why your company is using it
  • Whether 2-Step Verification is optional or required
  • If required, the date by which users must turn on 2-Step Verification
  • Which 2-Step Verification method is required or recommended

Step 2: Set up basic 2-Step Verification (required)

Next, let your users turn on 2-Step Verification. By default, users can turn on 2-Step Verification and use any verification method. (G Suite accounts created before December 2016 have 2-Step Verification turned off by default.)

Step 3: Enforce 2-Step Verification (optional)

As an administrator, enforcing 2-Step Verification for your users is an optional step.

Make sure users are enrolled in 2-Step Verification before turning on enforcement. Users who aren’t enrolled can't sign in to their accounts.

Enforcement methods

  • Any—Users can set up any 2-Step Verification method.
  • All except verification codes via text, phone call—Users can set up any 2-Step Verification method except using their phones to receive 2-Step Verification verification codes.
  • Only security key—Users must set up a security key.

More detailed instructions are in this link.

If you want to use text message or phone call as your 2-Step Verification method, consider the following:

If you currently allow any 2-Step Verification method, you probably have users who verify only by text and voice call. To avoid locking out these users from their accounts:

Before enforcement takes effect, tell users to start using another 2-Step Verification method. Also, inform them that 2-Step Verification verification codes won't be available on their phones after the enforcement date.

Use the login_verification Login Audit activity event to track users who sign in using 2-Step Verification verification codes they receive by text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated with a text or voice verification code.

In this link, you will find a more detailed guide for users to activate their 2-Step Verification method.
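The question asks how to verify admin MFA status without logging in as each admin, and the answer points at the login_verification audit event with login_challenge_method = idv_preregistered_phone for spotting phone-based codes. The script below is an added example, not code from the answer or from Google; it runs offline over two constructed JSON documents shaped like Admin SDK responses: a Directory API users.list response (fields isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended) and a Reports API login activity response. It assumes you have already exported those responses with an account holding the appropriate Admin SDK read scopes; fetching, OAuth and pagination are outside the example. It reports three things: admins not enrolled in 2SV, users who would be locked out because enforcement applies to them before they enrolled (the caveat in Step 3), and logins that still relied on text or voice codes.

```python
"""Offline 2-Step Verification checks over exported Google Workspace Admin SDK JSON.

All sample data below is constructed for this example. Field and parameter
names follow the Admin SDK Directory API User resource and the Reports API
login activity events; the e-mail addresses, timestamps and values are made up.
"""
import json

# Constructed sample: a trimmed Directory API `users.list` response.
USERS_RESPONSE = json.dumps({
    "kind": "admin#directory#users",
    "users": [
        {"primaryEmail": "admin-alice@example.com", "isAdmin": True,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "admin-bob@example.com", "isAdmin": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
        {"primaryEmail": "helpdesk@example.com", "isDelegatedAdmin": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "carol@example.com", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    ],
})

# Constructed sample: a trimmed Reports API `activities.list` response for
# applicationName=login. login_challenge_method is a multi-valued parameter.
LOGIN_ACTIVITY = json.dumps({
    "kind": "admin#reports#activities",
    "items": [
        {"id": {"time": "2024-05-01T08:00:00.000Z", "applicationName": "login"},
         "actor": {"email": "admin-alice@example.com"},
         "events": [{"type": "login", "name": "login_verification",
                     "parameters": [{"name": "login_challenge_method",
                                     "multiValue": ["security_key"]}]}]},
        {"id": {"time": "2024-05-01T09:15:00.000Z", "applicationName": "login"},
         "actor": {"email": "helpdesk@example.com"},
         "events": [{"type": "login", "name": "login_verification",
                     "parameters": [{"name": "login_challenge_method",
                                     "multiValue": ["idv_preregistered_phone"]}]}]},
        {"id": {"time": "2024-05-01T10:30:00.000Z", "applicationName": "login"},
         "actor": {"email": "carol@example.com"},
         "events": [{"type": "login", "name": "login_success",
                     "parameters": [{"name": "login_type",
                                     "value": "google_password"}]}]},
    ],
})


def _active_users(users_json: str) -> list[dict]:
    """Users from a users.list response, skipping suspended accounts."""
    return [u for u in json.loads(users_json).get("users", [])
            if not u.get("suspended", False)]


def admins_without_2sv(users_json: str) -> list[str]:
    """Super admins and delegated admins that have not enrolled in 2SV."""
    return sorted(
        u["primaryEmail"] for u in _active_users(users_json)
        if (u.get("isAdmin") or u.get("isDelegatedAdmin"))
        and not u.get("isEnrolledIn2Sv", False))


def lockout_risk(users_json: str) -> list[str]:
    """Users covered by an enforcement policy who never enrolled: they cannot sign in."""
    return sorted(
        u["primaryEmail"] for u in _active_users(users_json)
        if u.get("isEnforcedIn2Sv", False) and not u.get("isEnrolledIn2Sv", False))


def _param_values(param: dict) -> list[str]:
    """Audit parameters carry either a single `value` or a `multiValue` list."""
    if "multiValue" in param:
        return list(param["multiValue"])
    return [param["value"]] if "value" in param else []


def phone_code_verifications(activity_json: str) -> list[tuple[str, str]]:
    """(time, actor) pairs for login_verification events satisfied by a text/voice code."""
    hits = []
    for item in json.loads(activity_json).get("items", []):
        for event in item.get("events", []):
            if event.get("name") != "login_verification":
                continue
            for param in event.get("parameters", []):
                if (param.get("name") == "login_challenge_method"
                        and "idv_preregistered_phone" in _param_values(param)):
                    hits.append((item["id"]["time"], item["actor"]["email"]))
    return hits


if __name__ == "__main__":
    print("Admins not enrolled in 2SV:", admins_without_2sv(USERS_RESPONSE))
    print("Enforced but not enrolled (lockout risk):", lockout_risk(USERS_RESPONSE))
    print("Logins verified by text/voice code:", phone_code_verifications(LOGIN_ACTIVITY))
```

Run it against real exports by replacing the two constants with the JSON you pulled from the API; the enrollment check covers delegated admins as well as super admins, since the question's concern is every account with administrative rights, and the lockout check is the one to run before flipping enforcement on.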