Google Workspace is proactively enhancing the security of its platform by mandating Google two step verification (2SV) for all Super Admin accounts. This change will roll out gradually throughout 2024, necessitating Super Admins to enroll in 2SV with their accounts. The implementation will start by targeting organizations with Enterprise editions of Google Workspace and will progressively extend to encompass all Google Workspace editions.

More about Google’s 2-Step Verification

2-Step Verification (2SV) acts as a second layer of security, also called to Multi-Factor Authentication (MFA) or two-factor authentication (2FA), that requires users to furnish two pieces of information to authenticate their identity during login. In addition to the account password, a second verification method is required to finish signing in. This secondary factor could be a security key (most secure), a Google Authenticator prompt, or the reception of a verification code through a phone call or text message (considered less secure).

This change is a commendable stride toward bolstering the security of Super Admin accounts, making it more challenging for potential attackers to compromise them. While this adjustment is a positive development for security-conscious individuals, it may pose challenges for organizations that need to look into securing their service accounts. It’s crucial to note that this change solely impacts Super Admin accounts; delegated administrators and regular users will not be subject to 2SV enforcement by Google. Super Admins will receive notifications to enroll in 2-Step Verification 60 days before the mandatory enforcement, as well as a reminder to enable 2SV by the specified date every time they sign in to Google services. It’s essential to remain vigilant, as these sign-in notifications may go unnoticed if Super Admin accounts are not regularly accessed. Additionally, an extra 30-day notice before enforcement will be dispatched to the emails and mobile phones of Super Admins.

Checking the status of 2-Step Verification

Service accounts are occasionally employed by third-party applications to access Google Workspace resources. If a service account lacks 2-Step Verification, it becomes susceptible to exploitation by attackers, potentially leading to unauthorized access to sensitive data or even gaining control of the entire Google Workspace domain.

To avoid potential service disruptions, Google Workspace administrators should ensure that all Super Admin service accounts are enrolled in 2SV. This can be accomplished by navigating to Menu > Reporting > User Reports > Security page in the Admin console. At the top of the report, administrators can apply an “Admin Status” filter to display only the Super Admin accounts.

For each Super Admin account, the admin will see a column labeled “2-Step verification enrollment” that displays the 2SV enrollment status. This column will show whether the accounts are enrolled in 2SV or not.

Remediation and enforcement of 2-Step Verification

After identifying any Super Admin accounts that are not enrolled in Google two step verification, admins can take steps to enforce the 2SV policy going forward. Administrators can navigate to the Security > 2-Step Verification page of the admin console to view current policies. The exact implementation plan will be unique based on the company’s organizational unit structure, and whether the company uses a third-party identity provider for non-admin users accessing Google Workspace accounts. A commonly used enforcement plan includes adding all Super Admin accounts to a dedicated group, and enabling 2-Step Verification enforcement to be on from a selected future date for the group. With this change, any accounts added to the group with the new policy enforced, and who have not already enrolled in 2SV, will be prompted by Google on each new sign-in that they need to enroll in 2-Step Verification. A secure way to handle the “New user enrollment period” policy option is to leave it set to None, and instead instruct admins to set up 2-Step Verification on any new accounts before granting the Super Admin role.

In addition to enrolling Super Admin accounts in Google two step verification, administrators can utilize a one-time App Password for integrations that do not support modern OAuth2 authentication (the familiar “Sign in with Google” screen). This action enhances the security of service accounts, ensuring that the Google account remains protected under the 2SV enforcement policy even when interacting with legacy apps or services.

By taking these proactive steps to ensure the enrollment of all Super Admins in 2-Step Verification, administrators fortify account security, minimizing the risk of lockouts and service disruptions when Google enforces the policy.