The Google for Education Community Platform

Kelly_McMahon · ‎11-14-2023

We am unable to add Google authenticator app as a 2fa method on our primary domain admin account. As a matter of fact, we cannot add a phone number for text verification codes either. The only option that seems to be available is to use a Google prompt on the Gmail or YouTube app. Is this expected behavior?

Kim_Nilsson · ‎11-14-2023

No, that's absolutely not the expected behaviour, but if you don't allow SMS in 2FA settings, and don't have security keys, it's going to be tricky to sign it up.

It's still possible, though, because as soon as you force 2FA for an account, any superadmin can create backup codes for it in the admin console.

--
https://wheretofind.me/@NoSubstitute

Kim_Nilsson · ‎11-14-2023

Another pro-tip... Never force 2FA for all admins before you have verified that they have working 2FA.😉

--
https://wheretofind.me/@NoSubstitute

Kim_Nilsson · ‎11-14-2023

Also, I can't stress this enough, it's definitely worth buying security keys for the superadmins! They should all have at least one, preferably two.

It's fine if they also have Authenticator or Prompt, but to be absolutely certain that you can always get in, you should also have a security.

I absolutely love my Yubikeys!

I have one USB-C and several USB-A (with and without NFC).

--
https://wheretofind.me/@NoSubstitute

Kelly_McMahon · ‎11-15-2023

Thanks! We are now working with Google support on this but will certainly also set up some security keys, too

The Google for Education Community Platform

MFA on primary admin account