topic Using (requiring) Google Authenticator and Sync for "Service Accounts" in Peer-Peer Topics

Using (requiring) Google Authenticator and Sync for "Service Accounts"

alexgrutza — Tue, 26 Sep 2023 15:33:34 GMT

What are people's thoughts on this now that Google Auth can sync OTP to multiple devices when signed into the Google account?

For example, our environment (as probably every other environment) has these types of "Service Accounts", such as "president@domain.tld" or "printing@domain.tld" or "admissions@domain.tld". These accounts, due to not having a viable option for MFA (as multiple people sign into these accounts), currently don't require MFA to be enabled.

Now that Google Auth has the sync functionality, do people think it would be a viable option to require all the users who access these accounts to have the Google Authenticator app installed on their mobile device, and sync the OTP with the "Service Account" so that the 4 people in Admissions can sign into the account with MFA?

My only concern would be if one of these people lost their device (or were terminated, or were phished as in a previous post), security-wise, it doesn't sound like a sound idea to have this, but how do we best protect these accounts?

Google Edu Fund. version so access control is out of the picture unfortunately

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

Kim_Nilsson — Tue, 26 Sep 2023 15:45:56 GMT

Just No.

Use Delegated Gmail or a Group for those addresses.

Several people logging into the same account is a breach of the Acceptable Use Policy, and also contrary to any security and data privacy law, in the world basically.

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

alexgrutza — Tue, 26 Sep 2023 16:01:21 GMT

1.1) I would agree about the delegated access would most likely be the best route (assuming they don't also need the accounts Google Drive data, ie. something like marketing@domain.tld may have marketing materials, which should be in a Shared Drive rather, but that's unfortunately not the world/company we live in...sadly the previous Google Admins (some here, some gone) blame Google for not having all the functionality they have nowadays back in '09...)

1.2) if we were to go the route of delegated Gmail, we'd still want to enable/force MFA for these accounts, but what would that look like? Yubikey's that sit in a drawer and are labeled? MFA on an IT person's mobile phone?

2.1) Devils advocate and rhetorical: the Admin Google account that was created to set up the Workspace account originally, how many people have access to log into that account? More than one I bet in case the one person got hit by a bus or became rouge...so by design all organizations (I would imagine) are breaking the AUP...

2.2) "Luckily" we're in the USA and the users accessing these service type accounts are the intended people/recipient so the privacy law wouldn't apply. The people accessing the "admissions" account for example, are the people who have the legal authority/obligations to view this type of data. It's not some random employee who shouldn't be privy to the data.

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

Kim_Nilsson — Tue, 26 Sep 2023 16:31:56 GMT

1.1 Yes, common content should be in a Shared Drive anyway.

1.2 Random password that nobody knows will keep users out.

gam update user username password random

That will set a crazy long password.

You could also add a Yubikey, or create backup codes and put in a safe.

2.1 Same with this account. It should be for emergency only, with credentials and 2FA safely tucked away.

2.2 Well, I have heard that many are forced to adhere to strict security rules to qualify for cyber insurance, so I wouldn't bet my house on that assumption.

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

alexgrutza — Tue, 26 Sep 2023 16:49:22 GMT

Can you have multiple yubikeys associated with a single account?

Can you purchase licenses with the Access Control for a subset of users (say at most 300 accounts)? That would at least narrow down the login ability to our IP ranges which we own.

The Cyber insurance coverage is a good thought in practice, but when they say "you need data at rest encryption" and don't specify if "SED's" are good enough, I'm not sure they'd get as granular as what you're thinking. Insurance loves to be vague so they can reject claims.

Lets just say they didn't mention anything about revoking Local Administrator access to our users...and here we are...covered by insurance with everyone and their mothers having Local Administrator group membership ha..ha..ha... 😑😭

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

Kim_Nilsson — Wed, 27 Sep 2023 07:19:16 GMT

Multiple Yubikeys

Oh, yes, definitely! I usually have three connected to each account, as I have two I use for different devices, and one backup which I rarely connect.

Context Aware Access

No, this is part of Standard/Plus licencing, which is now based on active students, and not staff.

Local Admin

Yup, it's a delicate balance, but I've read so many articles on why local admin isn't the boogey man it's been painted as, since even as non-admin you can do serious damage to both local and remote files, if hit by ransomware. you just can't mess up the system OS files, but many ransomware processes don't even have that as a goal.

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

alexgrutza — Wed, 27 Sep 2023 13:14:06 GMT

The multiple yubikeys may be the route for us for these type of accounts then, with a few spares. Is there a limit? I know when setting up Passkeys there was like a list of 5 items. So I wasn't sure if there is a limit of 5 per account, or as you get closer to 5 it expands further.

That is a fair point about ransomware not really targeting OS level stuff and going more so for files and folders the user has access to. But alas, that's also a wild west haha... People love asking us to add users to file share resources, but never to remove them...

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

Kim_Nilsson — Wed, 27 Sep 2023 13:41:21 GMT

One should always have more than one MFA method, but as nobody should need to log into the accounts you mentioned, all MFA methods should be archived. Orrrrr, well, you don't need to use special Yubikeys as your superadmins could just add their keys to the accounts.

Again, since nobody is supposed to ever log in, it doesn't really matter whose Yubikeys are added.

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

Kelly_McMahon — Wed, 27 Sep 2023 17:24:25 GMT

What about your main SuperAdmin account for GAC? What method of MFA are folks using for this account?

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

alexgrutza — Wed, 27 Sep 2023 17:28:11 GMT

Would that be the account under "Account->Account Settings->Primary Admin"?

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

Kelly_McMahon — Wed, 27 Sep 2023 17:42:39 GMT

Exactly, yes, the primary admin.

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

alexgrutza — Wed, 27 Sep 2023 17:56:47 GMT

It will be using MFA now that I realized it was not already set up as such...

Re: Using (requiring) Google Authenticator and Sync for "Service Accounts"

Kim_Nilsson — Wed, 27 Sep 2023 19:41:24 GMT

Any superadmin can be the primary admin.

I am primary for two completely separate and unrelated Workspace accounts.

Simply because someone needs to receive those emails which Google sends only to the primary admin.

Yes, yes, this is yet another Do as I say, not as I do situations. 😉😎

One should never 🫣🤞use their admin account as their daily and instead set up a Routing rule for incoming emails to the admin account forwarded to your daily account.