topic Students that use 2-Step in Peer-Peer Topics

Students that use 2-Step

PatrickM — Fri, 26 Jul 2024 21:20:02 GMT

Within our division we enforce 2-Step for all non-student accounts, and leave it optional for all students. We have a few hundred of our junior and senior high students that have enabled this feature to protect their account, which is a good thing. I would personally like that number in the tens of thousands compared to the hundreds that we have now.

For the upcoming school year, our Government is moving to ban cellphones in classrooms.

So is there a way to allow our students to continue to have 2-Step enabled but if they are using a Chromebook or accessing their Google Workspace environment on our corporate network, they are not prompted for 2-Step.

I would like to have some type of 2-Step exception policy for our students when they are on our network, compared to disabling it totally. As I can foresee a huge uptake of 2-Step for students once they find out they can keep their cellphones at their desk, as the device will be needed for verification.

Re: Students that use 2-Step

Bill_Gibson — Sun, 28 Jul 2024 21:11:11 GMT

If you're using Chromebooks, my understanding is that 2 factor is built into the power button on most modern devices.

https://security.googleblog.com/2019/11/using-built-in-fido-authenticator-on.html?m=1#:~:text=Once%20the%20user%20is%20successfully,device%20is%20to%20be%20trusted.

Re: Students that use 2-Step

PatrickM — Mon, 29 Jul 2024 18:54:54 GMT

That is true, and if the student used the same Chromebook from the cart each time it wouldn't be an issue. They would only be prompted for 2SV the first time using that device. But we all know that it is a free-for-all when it comes to retrieving a Chromebook from the cart in the classroom.

Too bad there was an exception policy bases on IP address, much like what Microsoft Entra ID has.

Re: Students that use 2-Step

kaned — Tue, 30 Jul 2024 16:44:38 GMT

We use a third party MFA which has many of those features.

I am unsure if Google has this built in.

Re: Students that use 2-Step

MattDPenn — Wed, 31 Jul 2024 22:15:28 GMT

If the chromebooks are being managed by you there is a setting that allows the chromebook to "trust" the user after the first time they use 2FA. Settings -> Device Settings -> Sign-In Screen -> "Always show user names and photos". We're going to be testing this ourselves for a handful of devices that our staff use so I don't know if it will occasionally request the 2FA handshake again but I was able to log in without using my 2FA key after the first log in, if I wipe the chromebook then I have to do 2FA on first login.

Re: Students that use 2-Step

PatrickM — Fri, 02 Aug 2024 14:36:16 GMT

It does work, and we have no issues with Staff as they have been assigned a Chromebook or Chromebox. They are prompted once, then all is fine afterwards. Unfortunately with our students, they do not always use the same Chromebook from the cart, so they will get prompted for MFA on the new device.

Guess we will wait and see how much of an issue this will be in a few weeks when school starts and students need to leave their phones at the front of the classroom.

Re: Students that use 2-Step

BrandonB — Mon, 05 Aug 2024 04:36:32 GMT

I'm not aware of a method to IP filter 2FA prompting and don't think it exists. Other options are to use 2SV is to print recovery codes or use a hardware dongle. Good luck. It's happening in lots of places.