The Google for Education Community Platform

jasoncrcsd · ‎09-14-2023

We keep getting Googles call for a users MFA on our office line. Some suer must have set it for their MFA. IS there any way to search by that phone number to find out which user it is?

James_Seymour · ‎09-14-2023

In the Admin Console, I assume it is the recovery phone that you are looking for. You can also retreive this info for multiple users using GAMADV-XTD3 (https://github.com/taers232c/GAMADV-XTD3/wiki)

Kim_Nilsson · ‎09-14-2023

Actually, the Recovery Phone number and Two-Step Verification (2SV/2FA) phone number are not at all the same thing.

Using SMS/Call as a 2FA method does not add the number as recovery method, as that is a completely separate process, and actually should never be used in a Workspace environment. The user should either use 2FA or contact their (closest) admin if having issues with logging into their account.

There is also, AFAIK, no known method of reading the current 2FA number. Only whether the user is enrolled in 2FA or not.

In Reports one can also see which method is used when the user logs in, but no details about number is shown.

--
https://wheretofind.me/@NoSubstitute

robbabiak · ‎09-15-2023

Depending on how may users you have signing in at the same time you "may" be able to determine who is generating that call by correlating a "Login verification" event in the Investigation Tool.

It might require checking other events as well, I've never tried this before and this solution is me "thinking out loud"

The Google for Education Community Platform

Can we search for a users MFA phone number