topic Second Step vs 2SV/MFA in Peer-Peer Topics

Second Step vs 2SV/MFA

alexgrutza — Tue, 12 Mar 2024 17:52:43 GMT

Can someone explain the difference between "second step" and 2sv/mfa in Google? We just enforced 2sv in our entire organization and sent notices to users (via gam) to users who did not have 2sv enabled/configured.

Someone just opened a ticket and showed that they have 2-step verification enabled with "Google Prompts" and "Voice or Text", however, they were identified (and reflects via the Admin Dashboard) as not having 2sv enabled.

Can someone explain why that is? Any Google KB's defining "second step" vs 2sv would be helpful too

Re: Second Step vs 2SV/MFA

Kim_Nilsson — Wed, 13 Mar 2024 15:11:41 GMT

Hi Alex,

This sounds wrong. On the level that "I want to see that to believe it". 🙂

However, there is a clear difference between the new Passkey feature and 2SV, as they are not at all the same things, and usage of passkeys is not visible in the admin console. Despite the user experience being very similar.

Also, the Passkey feature is enabled and managed in the same place as 2SV.

Re: Second Step vs 2SV/MFA

alexgrutza — Wed, 13 Mar 2024 15:24:20 GMT

I'm not sure how to respond other than the end-user is correct, and Google Admin dashboard is incorrect...

The user clearly has "second step" set up, which is under the 2sv configuration area in their Google account, but Google does not see that as having 2sv set up in the Admin Dashboard.. So I'm just looking for clarification as to what is what in this regard..

For example, the end-user has had 2sv set up since 2020 (this first is a screenshot of mine when I got hired), with the Google Prompt and the Voice or Text option. They do not have an Authenticator app or backup codes set up under this settings page.

The Google Admin dashboard (second screenshot) shows as the user not having 2sv set up, when clearly they do (google prompt and a phone number configured under the 2sv settings for their Myaccount->Security-2sv).

So I am just asking what is the difference. We've been telling the end-users that the 2sv is having an Authenticator app (like google authenticator, etc.), but I personally want to know why Google doesn't see the users 2sv as "On" or "Enabled" in the Admin dashboard.

Re: Second Step vs 2SV/MFA

Kim_Nilsson — Wed, 13 Mar 2024 15:31:04 GMT

Yeah, then you are perfectly correct. Google admin console is wrong.

On your other question, there is no other version of 2SV. the one you expect is the only one there is.

Like I mentioned, the new Passkey feature is not 2SV, but it's listed under Security on the My Account page.

Re: Second Step vs 2SV/MFA

alexgrutza — Wed, 13 Mar 2024 15:39:41 GMT

We've turned on 2sv being required for alumni, as our normal staff/faculty and students authenticate to our SSO platform, so if the user wants to set up Passkeys, they can feel free to do so on their own, so the passkeys isn't relevant to supporting these end-users as their milage may vary on what devices they're using, if they're using a yubikey, or browser-based passkey, etc. etc. etc..

So Authenticator is the only option in this scenario that would update the flag in the Admin dashboard and that is what we'll tell them. I was just wondering why things didn't match up, perhaps Google doesn't qualify "Prompt" or "Voice or Text" as 2sv I guess..

Re: Second Step vs 2SV/MFA

Kim_Nilsson — Wed, 13 Mar 2024 16:21:46 GMT

I know Google is messing with the Passkey/2SV process right now, so what you are seeing could be a side-effect of that.

SMS/Voice and Prompt was always considered "proper" 2SV before, so this is a change, and it may be related to the A/B-testing of the Passkey-vs-2SV process they are running in some places.

I recommend you report it, as you should see all 2SV-enabled accounts as such in the admin console.