Google uses the term
This guide was written with the assumption that you are using the built-in Google Directory in Workspace. If you are using a third party authentication service (e.g. Microsoft Azure, ADFS, Okta, etc.) this guide won't be suitable - pleasewhat your situation is so we can add specific guidance for other common configurations.
Before you start
Get business buy-in
Big changes that people notice tend to benefit from an executive sponsor to lend weight behind the change - you'll know better than us whether that makes sense for your organisation. You can read this guide for some pointers.
Prepare your support team
When adopting MFA, some users may struggle with the process of enrolling for MFA, or need help if they lose their MFA token or device after setup. Users will have a much better experience of MFA, and work disruption kept to a minimum, if the IT support team (or person as the case may be) is prepared to support both enrolment and recovery, and can get them back on their feet quickly.
To make sure everything goes smoothly when something goes wrong, we recommend you make sure anyone responding to support requests tests or practices these processes using a test account.
Decide whether to move directly to enforcing
We typically recommend encouraging users to enable MFA before enforcing it. This helps teams gradually adopt MFA, and gives support teams more time to get used to supporting users.
However, Google Workspace allows you to configure very flexible enforcement timelines and "grace periods" for new users. What this means in practice is that for smaller teams - around 25 or less accounts - we recommend that you skip straight to enforcement. If you are a bigger team that is tech savvy and unlikely to resist MFA you might do this as well.
Using registered devices or security keys?
Google Workspace allows you to disable 2SV, enable 2SV (allowed to use - the default), and to enforce 2SV (must use) for all users, or a group of users.
When enforcing 2SV, the following options are available for MFA methods:
Security devices only (such as USB security dongles likeor or modern Macbooks with fingerprint readers)
Any except verification codes via text, phone call
Anything (the default)
Unless you’re using security devices everywhere, we would normally recommend "Any except verification codes via text, phone call" - mainly because text and call based methods are less reliable (especially when travelling or where phone signal is spotty) and can lead to bad user experience.
Want to learn more about MFA methods and choosing the right option for you?on our blog.
Unfortunately, the Google Workspace 2SV user setup wizard only allows users to register a phone number, a company phone, or a security key - authenticator apps are not an option.
If you are using company phones or security keys then there’s no issue, you can set the policy to “Any exception verification codes via text, phone call” or “Security devices only” and users can follow the setup wizard.
If you aren’t, users will have to register a phone number first (and you will have to permit that option) before they can then add an Authenticator app, if that is an option.
We think asking users to do this extra step is worth the increased reliability and improved experience. If this doesn’t make sense for your team, please.
Let's get started
Configuring your environment
To start using 2SV in your Workspace, you'll need to do the following:
- Before encouraging users to enrol, you should first check they are able to register for 2SV
. Follow the steps below:
Google uses the term2-Step Verificationinstead of Multi-Factor Authentication.
in the Google Workspace admin panel.
Ensure the tick box for "Allow users to turn on 2-Step Verification" is ticked (and remember to click save):
You could do this at the point when you have an emergency, but to avoid any delays it makes a lot of sense to create and test an MFA exception group beforehand to save time. Adding users to this group means that they are not required to use MFA - not something you should use in normal operation, but very useful in emergencies.
Login to thein the Google Workspace administration portal.
Create a new group.
Name the group "Emergency 2SV Disabled" or a similarly descriptive
Add a description to remember the purpose of this group, perhaps "Group to disable 2SV for specific users temporarily - group should normally be empty".
Set group email to something like "2sv-disabled"
Leave the owners empty
Set the group permissions as shown in the following screenshot:
Configure 2SV settings for the group
On the left hand pane, select the group you just created
Disable enforcement for the group as shown in this screenshot (and remember to click save):
Only Super Administrators can recover MFA for other Administrators. If you have a single Super Administrator in Google Workspace, it would make sense tofor that administrator in case they lose access to their MFA device. If you have more than one Super Administrator, one can reset the other's account and so this can be skipped (unless you want to be safe in cases where e.g. administrators are on leave). You always have the option to go through the Google account recovery process although this may be complicated and take a bit of time, and is definitely not ideal in an emergency.
Make sure you store the backup codes somewhere you would think of looking for them a year or two in the future - an "IT Recovery" folder in the office safe or locked filing cabinet makes sense for a lot of teams.
Before enforcing MFA, you should aim to get most users registered for MFA to avoid disruption but figuring out who needs to register and engaging with each of them is a hugely time-consuming process.
Use the Push platform to quickly see who hasn't registered for MFA yet andautomatically to get it done with ease.
When you are ready to do so, enabling MFA on Google Workspace by following the steps below:
Go to thein the Google Admin dashboard.
Configure the details of your MFA deployment:
Under Enforcement, select "On" or "On from <Date>", as appropriate
Under Methods, choose the option appropriate for your team (Not sure? We recommend "Any except verification codes via text, phone call")
Hint: where available, and where they are the sole user of the device, you should "Allow the user to trust the device” so they only get prompted once a month or similar. Reducing the volume of MFA prompts will greatly reduce the chance of a user accepting prompts they didn't initiate.