2-Step verification?

jasoncrcsd
Contributor II

So we have the accounts for staff set up to require MFA. I think we give them a grace period of a few days etc. But if they don't, unlike every other service that would just force them at that login, Google prevents them from logging in at all. So they have to call, we have to move them to a different OU that doesn't enforce it, make them set it up then, then move their account back to the correct OU. Is there a better way?


kraybr
New Contributor II

Instead of having to move them to a separate OU, I've just established a group that disables the 2FA requirement. This way you don't need to move them, just add them to this group, give them time to update their account, and remove them from the group again. Pretty similar but helps prevent any other OU settings from being lost. No other smooth way around it besides a phone call or email from a supervisor. 

We're in a similar situation but I'm a little confused.

If we highlight the TLD and select "MFA On", that means the entire workspace's MFA is On.

If we then select TLD and checkmark the "mfabypass" group, and set the setting to "Off", that would mean "if a user is in our entire domain AND they're in the mfabypass group = MFA Off", but leave the rest of the workspace to "MFA On"?


--
CISSP | LinkedIn | @Phyxiis

Yes, Group overrides OU.

--
https://wheretofind.me/@NoSubstitute

Kim_Nilsson
Admin Moderator

Or send them, or have them pick up, two backup codes, and tell them that they will not get any more.

--
https://wheretofind.me/@NoSubstitute

I wish but the Admin would never allow it. They'd say how can the user teach if they cannot login.

I'd counter with "teachers had several days to do something that only takes a few minutes, they can wait a bit longer to get unstuck". We've rolled out 2FA at my district over the last year and in the interim for those we weren't able to get set up right from the get go (partially due to a weird bug on Google's side that seems resolved now) the backup code solution was my go to for getting them in and finishing the 2FA set up. Granted I'm also a tiny school district so your mileage may vary.

Kelly_McMahon
Contributor

Yes, this happened to me with some of our new staff this year and the only thing I could do was to move them to a different OU that does not enforce 2FA. I will have to look into the idea of putting them into a group.

Using a group to either include or exclude works very well, and is a fast change, not having to wait for OU propagation.

--
https://wheretofind.me/@NoSubstitute

MattFeider
New Contributor II

One better method I have found, for those staff that haven't set up 2FA and find themselves blocked:

Simply go to their account in the admin console, find the area for 2FA, and generate temporary codes... then let them use one to log in and finish the setup. There is a button on each user's account to generate the codes.


Matt

I am pretty sure I tried this but since 2FA was not set up, I could not generate codes. You got this to work? Maybe I was doing something wrong.

A user who has ignored the advice to set up 2FA will be caught out, as the account now has enforced 2FA and the user doesn't have it. As soon as the enforcement is in play, you can create backup codes.

--
https://wheretofind.me/@NoSubstitute

Yes, this is what I experienced.

Yes, works well... the only gotcha I have found to be aware of: if said person uses the temporary code in the Gmail app on a phone, you may have to repeat, as the Gmail app doesn't appear to kick off the required process to complete the process and continue to set up 2FA... but if you coach the user to use a browser it does work as expected... after you generate the temporary codes the person is appropriately prompted the next time they attempt a login.

I have found this also works when I create a user in an enforced 2FA OU... and the user doesn't attempt the login in the required time (as the counter seems to start when you create the user, not at first login). I ran into this with new staff members over the summer... I would create them and then too much time passed prior to their first attempt.