Google Authenticator App and Password Changes

mpartenope4676
Contributor

Happy Friday All! We enforced 2-step for our Staff this school year. Following the "How-to" we made, users were supposed to sign in to the authenticator app itself with a personal account or preferably none at all. Of course, no one reads, so most have signed in with the district account. What happens now is that when a user changes their password, the Authenticator app stops working immediately and purges all of their codes. Is this expected behavior? Seems like a silly system if so. We then have to generate a backup code so the user can sign in, and they have to set up the authenticator app anew. This is extra annoying because staff have two accounts needing codes in the app, so they then have to set BOTH up all over again. Are others encountering this? Any suggestions for a better method?


mpartenope4676
Contributor

I doubled up and reached out to Google support and they said the following (ironically, his first name was literally "Harsh"):

This is an expected behavior if you are using the Google Authenticator method as the 2 step verification method. And that is why backup codes are used to get back access to the user accounts. I would advise you to use Google prompt sign in or verification codes via text to be set up as the 2 step verification method to avoid such disruptions when changing the passwords. You will see that there is no specific option for Authenticator app in the Admin Console. That is why I am suggesting that you use Google prompt sign in or verification codes via text as the 2sv methods for the user accounts.

He also shared this support doc when users need to transfer codes to a new device:

https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DAndroid&sjid=4763111278...

Definitely Harsh and a little disappointing. For us, users are reluctant to even have the app, let alone receive texts!

OHHH and I found out I've been doing the 2 step enforcement wrong. I have the enforcement set to "On" and "Allow users to turn on 2-Step Verification" checked. He said I should uncheck that and change it to "Off" once everyone is set up, and use the "New user enrollment period" section to handle new user accounts. Sharing that here in case anyone else made that mistake. How I found out is I noticed a user DIDN'T have 2 step set up the other day, which made me question, "How is she signing in? The 'On from' date we set has passed." That's when he answered with the above.

I wonder if that agent was pulling the answers from their favourite LLM/"AI" tool, because most of the information was/is wrong. 😞

You should definitely set 2FA to ON (no need for a period), and disallow SMS.

Yeah, users shouldn't sign into the app, unless you are prepared to support them when they change their password. However, staff changing their passwords should only happen when their account has been compromised, or if they have been away for a long time and thereby forgotten it. In both cases the password change and the following mess is to be expected. Here I assume you don't have forced regular password changes, since nobody should have that since summer of 2017, when NIST changed their policy and recommendations...

I also can't recommend the Prompt method. However convenient, it also only works when the user already can log into their account on the phone. Authenticator or security key are the only two good methods.

The reason I say you have "no need for a period" above is because all new staff should receive help on initial login, and nobody should be allowed to use their accounts at all without 2FA, for any period of time.

That should be the default thinking in an organisation that forces 2FA.

"Do, or do not. There is no try."

--
https://wheretofind.me/@NoSubstitute

mpartenope4676
Contributor

@Kim_Nilsson Thanks as ever for your insight. I was at work late on Friday and didn't make any changes, nor had I really processed what the rep said other than regurgitating it onto here. If one unchecks the "Allow users to turn on 2-Step Verification" box, it turns off the whole setting, so yes, terrible advice in the end. That is frustrating. I will bring up the conversation about the NIST standards, because people who get paid more than I do are the ones saying users have to change on a periodic basis, and it really would help if that went away! hehe Do you treat those with Super Admin accounts the same way? I'll discuss this with the powers that be. The few users who are mysteriously still allowed to log in despite never having set up 2 step, I think I'm just going to clear their sign-in cookies so they get in line already, because I can't think of what else to do!

Definitely!

Superadmins are Yubikey holders, and not allowed to Trust Device, meaning that they have to use 2FA on every login, and are automatically logged out every day.

--
https://wheretofind.me/@NoSubstitute