Forced 2FA for some Workspace superadmins rolling out for real right now

Kim_Nilsson
Admin Moderator

UPDATED, see here.

And updated again, see here.


In case not everyone already knew.

2SV required for some superadmins from 19 December 2023

Google started implementing forced 2FA for admins a while ago, and it's starting to affect users now, notifying them about needing to add 2FA before 19 December.

This initially applies only to Enterprise/Education Standard/Plus.

It was in the Workspace roadmap for Q2 and Q3 (with very short explanatory text), and in the Q4 roadmap it is simply referred to as Launched. There are some other instances of documentation, but it really hasn't been blasted, despite it being fairly important. Anyway, here are some of the relevant links.

Blog post from 2021.

Blog post from 2022.

Support article about 2SV. This is the only recently updated public information!
The definition of the word "admin" is most likely "superadmin".

Video of when it was announced it would eventually happen.
--
https://wheretofind.me/@NoSubstitute

Kim_Nilsson
Admin Moderator

UPDATE - from Andrea Dibenedetto (Google) in GCC 

Thanks for your patience here — back with a few updates:

  • 2-step verification will be applied to all admins and super admins. 
  • Regarding timing: it will take upwards of two or more years to roll out 2-step verification for all admins. Because of this, we're providing a 60-day heads-up in advance of the change hitting your domain:
    • 30 days before the enforcement starts, super admins will receive a notification informing them of the coming enforcement and encouraging them to check the list of admins and the current status of 2SV for each of their admins. 

    • Once enforcement starts in your domain, admins will get a notification on all their devices and recovery email and they will then see a reminder at sign-in for the next 30 days. If they do not enable 2-step verification within this time period, they'll need to follow the steps to recover an administrator account.

  • Because the timing is ambiguous, we strongly recommend that customers beat us to the punch and have your admins enroll in 2-step verification ahead of time, as outlined in this Help Center article.

We'll share this same info on the blog this week — apologies again that this wasn't communicated sooner! Let me know if there's anything else I can help get clarity on.

--
https://wheretofind.me/@NoSubstitute
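The update above asks super admins to check the list of admins and the 2SV status of each one before enforcement reaches the domain. The following is an added example of that check, not code from the thread or from Google. It works on user records shaped like Admin SDK Directory API users.list results (isAdmin, isDelegatedAdmin, isEnrolledIn2Sv and isEnforcedIn2Sv are real fields of that resource); the records here are constructed so the script runs offline, and in a real audit they would come from the API (for example users.list with query "isAdmin=true" and "isDelegatedAdmin=true"). It also works out the notification and grace-period dates from the timeline in the update.

```python
"""Audit which Workspace admin accounts have not enrolled in 2-step verification.

Added example (not the thread's or Google's code). Records are constructed here
in the shape of Admin SDK Directory API users.list results.
"""
from datetime import date, timedelta

# Constructed sample records (not real accounts), Directory API users shape.
SAMPLE_USERS = [
    {"primaryEmail": "superadmin@example.com", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "helpdesk@example.com", "isAdmin": False,
     "isDelegatedAdmin": True, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "teacher@example.com", "isAdmin": False,
     "isDelegatedAdmin": True, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "student@example.com", "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]


def is_admin(user):
    """True for super admins and for users holding any delegated admin role.

    The enforcement applies to both, so both are in scope for the audit."""
    return bool(user.get("isAdmin")) or bool(user.get("isDelegatedAdmin"))


def admins_without_2sv(users):
    """Emails of admin accounts that have not enrolled in 2SV at all (sorted).

    These are the accounts that will hit the sign-in reminder and, after the
    30-day window, the account-recovery path."""
    return sorted(u["primaryEmail"] for u in users
                  if is_admin(u) and not u.get("isEnrolledIn2Sv"))


def admins_enrolled_but_not_enforced(users):
    """Admins who enrolled voluntarily but are not under an enforcement policy.

    Enrollment can be undone by the user; enforcement cannot, so these accounts
    are still worth a policy fix even though the rollout will not flag them."""
    return sorted(u["primaryEmail"] for u in users
                  if is_admin(u) and u.get("isEnrolledIn2Sv")
                  and not u.get("isEnforcedIn2Sv"))


def enforcement_schedule(enforcement_start_iso):
    """Key dates from the timeline in the update: super admins are notified
    30 days before enforcement starts, and admins then have 30 days after it
    starts to enroll before they must recover their account.

    Takes and returns ISO date strings so it needs no date objects to call."""
    start = date.fromisoformat(enforcement_start_iso)
    return {
        "heads_up": (start - timedelta(days=30)).isoformat(),
        "enforcement_start": start.isoformat(),
        "recovery_required_after": (start + timedelta(days=30)).isoformat(),
    }


if __name__ == "__main__":
    for email in admins_without_2sv(SAMPLE_USERS):
        print("NOT ENROLLED:", email)
    for email in admins_enrolled_but_not_enforced(SAMPLE_USERS):
        print("enrolled, no enforcement policy:", email)
    # The date used by the original post for the first affected tenants.
    for name, day in enforcement_schedule("2023-12-19").items():
        print(f"{name}: {day}")
```

With the sample records the script reports helpdesk@example.com as not enrolled and teacher@example.com as enrolled but not enforced; the student account is ignored because it holds no admin role. The two separate lists matter because the rollout only acts on enrollment, while an organisational unit policy that enforces 2SV is what stops an admin from switching it off again.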


panderson
Contributor III

I think we all know that this should have been done a long time ago.😄

LydiaVanThiel
New Contributor III

I find it mind blowing to think that there might be any Admins, let alone Super Admins, who don't have 2FA.  All our staff have to turn it on.  Even the caretakers.  Let alone people with Admin roles.  And we've restricted back the Super Admin logins to only be used when doing 'super admin' stuff.  For my regular daily Chrome Admin I only sign in with my partial permissions.

JimmyR
New Contributor III

This is an excellent requirement, especially in light of the hijacked domains I've read about.

Rick2025
Contributor

@LydiaVanThiel I would totally agree with you about "I find it mind blowing to think that there might be any Admins let alone Super Admins who don't have 2FA." Not to mention that they don't use it on their personal accounts.  

SteveHarmon
Contributor

Does this apply to users that have an Admin Role? We give all teachers an Admin Role to reset student passwords at their school site, but that is all they can do. The way I am reading this is that they too will need to have 2SV turned on - does anyone know if I am reading it incorrectly (hoping!)?

sujka
New Contributor III

The way I read it is if you are using a role (built in) that has Admin or SuperAdmin on it. If it is a custom role, this may not apply. 

Either way, they too should have MFA.

Question - do you provision separate "admin" accounts for your teachers or let them use their "user" accounts to reset passwords?

Same accounts.

It's one of those Do as I say, not as I do situations. 🙂

Recommendation is to use separate admin accounts, maybe even completely without Gmail, and instead set up a Routing rule that forwards emails to their daily non-admin account.

This is what I do on our Business Workspace. Our admin accounts there (actually all accounts) are Cloud Identity Free, which doesn't have Gmail/Calendar.

--
https://wheretofind.me/@NoSubstitute

Kim_Nilsson
Admin Moderator

Anyone with admin rights to affect user accounts or anything security related, including Chrome settings, should already have forced 2FA.

This change shouldn't be a problem for anyone.

If it is, then you've always been doing it wrong, and it's about time it's corrected.

However, Google also put some dumb features as admin roles instead of Apps Settings. So my first sentence here is a little bit relevant.

--
https://wheretofind.me/@NoSubstitute

MarkLoundy
Contributor II

What Kim said. I'm amazed that anybody with password-changing access (even for students) would not have mandatory 2FA.


Mark Loundy (He, Him, His)

Instructional Technology Specialist
De Vargas Elementary School
Ignited Fellow
Google Certified Educator

If only I made the decisions - then this would not be an issue. But I get pushback from higher-ups whenever I push for 2FA for all staff. As I say often, "I'm just a teacher, playing the role of an EdTech, doing the job of an Admin". 😁

You need to put the fear of God into the upper management about what the stakes are. We did some tabletop gaming of a network intrusion and I played the role of network administrator. It was terrifying how quickly we got back to pencil and paper and hundreds of thousands of dollars to recover (sort of) from an attack caused by one person clicking on the wrong thing. And that doesn't include dealing with lawsuits over the exposure of confidential personal information.


Mark Loundy (He, Him, His)

Instructional Technology Specialist
De Vargas Elementary School
Ignited Fellow
Google Certified Educator

Kim_Nilsson
Admin Moderator

Official blog post about this change!

Sadly, it is buried in a weekly recap. (I mentioned in the Thursday DevRel Meet that important stuff should never be posted in the weekend recap, as they often deserve their own separate post - this one in particular!)

We have begun enforcing 2-step verification for all admin accounts 

https://workspaceupdates.googleblog.com/2023/12/release-notes-12-15-2023.html

--
https://wheretofind.me/@NoSubstitute

robbabiak
New Contributor III

UPDATE: Just re-read properly what I was replying to above and see I was just repeating the point that was made and don't want to delete what I posted so just editing this post.

That weekly recap is fine - the issue I have is there are items that ONLY appear in that recap rather than having their own "regular" entries.

That's my point.

--
https://wheretofind.me/@NoSubstitute