Under https://admin.google.com/ac/security/2sv, two-factor authentication can be configured per organizational unit, per group, or for the entire organization. In any case, we recommend that you leave the Allow second factor checkbox checked for as many users as possible.
For VIPs and (Super) Admin accounts, we also strongly recommend enforcing 2FA. Ideally the whole organization would use 2FA, but we understand, and see again and again, that for various reasons this is not always affordable, and not for all organizations.
Below that, if enforcement is enabled, you can also set whether users can trust devices. If trusting devices is not allowed, the second factor must be presented each time the session expires. Otherwise a password is sufficient to renew the session. The session length can be set at https://admin.google.com/ac/appsettings/352555445522/sessionmanagementsettings (restricted to certain organizational units if required). However, this only applies to users with an Enterprise license - all others have a browser session length of 14 days (mobile may vary). Every new session (e.g. on a different device) always requires the second factor.
Google likes to advertise that with a Security Key as the second factor, no (0%) account hijackings have been known so far.
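To check the recommendation above during an internal audit, the following added example (not code from this page or from Google) flags active admin and VIP accounts for which 2FA is not enforced and reports enrollment per organizational unit. It assumes a user export with the Admin SDK Directory API user fields `isAdmin`, `isDelegatedAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv` and `orgUnitPath`; the sample records and the `/Executives` VIP unit are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like Admin SDK Directory API user records;
# all addresses and organizational unit paths are made up.
SAMPLE_USERS = json.loads("""[
 {"primaryEmail": "root@example.com", "isAdmin": true, "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "orgUnitPath": "/IT"},
 {"primaryEmail": "helpdesk@example.com", "isDelegatedAdmin": true, "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false, "orgUnitPath": "/IT"},
 {"primaryEmail": "ceo@example.com", "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "orgUnitPath": "/Executives"},
 {"primaryEmail": "assistant@example.com", "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "orgUnitPath": "/Executives/Assistants"},
 {"primaryEmail": "intern@example.com", "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "orgUnitPath": "/Sales"},
 {"primaryEmail": "sales1@example.com", "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false, "orgUnitPath": "/Sales"},
 {"primaryEmail": "old-admin@example.com", "isAdmin": true, "suspended": true, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "orgUnitPath": "/IT"}
]""")

VIP_OUS = ("/Executives",)  # assumption: VIPs are kept in a dedicated unit


def is_privileged(user, vip_ous=VIP_OUS):
    """Admin, delegated admin, or member of a VIP unit (including sub-units)."""
    ou = user.get("orgUnitPath", "/")
    in_vip_ou = any(ou == v or ou.startswith(v + "/") for v in vip_ous)
    return bool(user.get("isAdmin") or user.get("isDelegatedAdmin") or in_vip_ou)


def audit_2sv(users, vip_ous=VIP_OUS):
    """Return (findings, coverage): privileged accounts without enforced 2FA,
    and the percentage of enrolled active users per organizational unit."""
    findings = []
    per_ou = defaultdict(lambda: [0, 0])  # unit -> [enrolled, total]
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; leave them out
        ou = u.get("orgUnitPath", "/")
        enrolled = bool(u.get("isEnrolledIn2Sv"))
        per_ou[ou][0] += enrolled
        per_ou[ou][1] += 1
        if is_privileged(u, vip_ous) and not u.get("isEnforcedIn2Sv"):
            status = "enrolled, not enforced" if enrolled else "no second factor"
            findings.append((u["primaryEmail"], ou, status))
    coverage = {ou: round(100 * e / t) for ou, (e, t) in per_ou.items()}
    return sorted(findings), coverage


if __name__ == "__main__":
    found, cov = audit_2sv(SAMPLE_USERS)
    for email, ou, status in found:
        print(f"{email:24} {ou:14} {status}")
    print(cov)
```

Units with low enrollment in the coverage output are the ones where enabling enforcement would lock out the most users, so they are worth addressing first.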
All in all, our consultants are happy to clarify these and similar security-related topics with you directly - a small security assessment would definitely be part of an introduction, and at least one workshop is usually conducted with customers. However, experience has shown that the topic of security is inexhaustible, so it is worthwhile to conduct (at least internal) audits at regular intervals - but I suspect that you have already established processes for this anyway. Here we can help you adapt them to Google Workspace.