We would like to test 2FA with G Suite.

In the settings for 2FA it seems to be possible only to switch all users completely to 2FA. This is neither feasible (because we can't assume the hardware yet) nor sensible.

It would be better if a user could activate it himself.

But if a user has activated it, the second factor is no longer queried.

Our wish would be that the second factor is queried at least every 24 hours, after restarting the device, or when another device is used.

Do you have any information about this?

Under https://admin.google.com/ac/security/2sv, settings for two-factor authentication can be made per organizational unit, per group, or for the entire organization. In any case, we recommend that you leave the Allow second factor checkbox checked for as many users as possible.

For VIPs and (Super) Admin accounts we strongly recommend enforcing 2FA as well. Ideally the whole organization would use 2FA, but we understand, and see again and again, that for various reasons this is not always affordable, and not for all organizations.

Below, if enforcement is enabled, you can also set whether users can trust devices. If this is not the case, the second factor must be provided each time the session expires. Otherwise a password is sufficient to renew the session. The session length can be set at https://admin.google.com/ac/appsettings/352555445522/sessionmanagementsettings (also restricted to certain organizational units if required). However, this only applies to users with an Enterprise license; all others have a browser session length of 14 days (mobile may vary). Every new session (e.g. on a different device) always requires the second factor.

Google likes to advertise that, with a Security Key as the second factor, no (0%) account hijackings have been known so far.

All in all, we are happy to clarify such and similar security-related topics directly with our consultants - but a small security assessment would definitely be part of an introduction, and at least one workshop is usually conducted with customers. However, experience has shown that the topic of security is inexhaustible, so it is worthwhile to conduct (at least internal) audits at regular intervals - but I suspect that you have already established processes for this anyway. Here we can help you to adapt them to Google Workspace.
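An added example, not part of the original answer: before enforcing 2FA per organizational unit as described above, it helps to see which OUs already have every active user enrolled and which admin accounts are not yet enforced. The field names (`orgUnitPath`, `isAdmin`, `isDelegatedAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `suspended`) are those of the Admin SDK Directory API user resource; the accounts are constructed sample data, and fetching real users from the API is assumed to happen elsewhere.

```python
from collections import defaultdict

# Constructed sample records, shaped like Directory API user resources.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/IT", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/IT", "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "carol@example.com", "orgUnitPath": "/Sales",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "dave@example.com", "orgUnitPath": "/Sales",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "erin@example.com", "orgUnitPath": "/Finance",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "frank@example.com", "orgUnitPath": "/Finance", "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]

def summarize_2sv(users):
    """Return (per-OU counters, sorted admin accounts without enforced 2FA)."""
    per_ou = defaultdict(lambda: {"total": 0, "enrolled": 0, "enforced": 0})
    admins_not_enforced = []
    for user in users:
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in, so skip them
        stats = per_ou[user.get("orgUnitPath", "/")]
        stats["total"] += 1
        stats["enrolled"] += bool(user.get("isEnrolledIn2Sv"))
        stats["enforced"] += bool(user.get("isEnforcedIn2Sv"))
        is_admin = user.get("isAdmin") or user.get("isDelegatedAdmin")
        if is_admin and not user.get("isEnforcedIn2Sv"):
            admins_not_enforced.append(user["primaryEmail"])
    return dict(per_ou), sorted(admins_not_enforced)

def ous_ready_for_enforcement(per_ou):
    """OUs where every active user is enrolled but enforcement is not complete."""
    return sorted(ou for ou, s in per_ou.items()
                  if s["enrolled"] == s["total"] and s["enforced"] < s["total"])

if __name__ == "__main__":
    per_ou, admins = summarize_2sv(SAMPLE_USERS)
    for ou, s in sorted(per_ou.items()):
        print(f"{ou}: {s['enrolled']}/{s['total']} enrolled, {s['enforced']} enforced")
    print("Admins without enforced 2FA:", admins)
    print("OUs ready for enforcement:", ous_ready_for_enforcement(per_ou))
```
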

