This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ Log in to ask a question

Students that use 2-Step

PatrickM
New Contributor II

‎07-26-2024 01:57 PM - edited ‎07-26-2024 02:20 PM

Within our division we enforce 2-Step for all non-student accounts, and leave it optional for all students. We have a few hundred of our junior and senior high students that have enabled this feature to protect their account, which is a good thing. I would personally like that number in the tens of thousands compared to the hundreds that we have now.

For the upcoming school year, our Government is moving to ban cellphones in classrooms.

So is there a way to allow our students to continue to have 2-Step enabled but if they are using a Chromebook or accessing their Google Workspace environment on our corporate network, they are not prompted for 2-Step.

I would like to have some type of 2-Step exception policy for our students when they are on our network, compared to disabling it totally. As I can foresee a huge uptake of 2-Step for students once they find out they can keep their cellphones at their desk, as the device will be needed for verification.


0 Kudos
Reply
6 REPLIES 6

Bill_Gibson
Contributor III

‎07-28-2024 02:11 PM

If you're using Chromebooks, my understanding is that 2 factor is built into the power button on most modern devices.

https://security.googleblog.com/2019/11/using-built-in-fido-authenticator-on.html?m=1#:~:text=Once%2....

0 Kudos
Reply

PatrickM
New Contributor II

‎07-29-2024 11:54 AM

That is true, and if the student used the same Chromebook from the cart each time it wouldn't be an issue. They would only be prompted for 2SV the first time using that device. But we all know that it is a free-for-all when it comes to retrieving a Chromebook from the cart in the classroom.

Too bad there was an exception policy bases on IP address, much like what Microsoft Entra ID has.

0 Kudos
Reply

kaned
Contributor II

‎07-30-2024 09:44 AM

We use a third party MFA which has many of those features.

I am unsure if Google has this built in.

0 Kudos
Reply

MattDPenn
Contributor II

‎07-31-2024 03:15 PM

If the chromebooks are being managed by you there is a setting that allows the chromebook to "trust" the user after the first time they use 2FA. Settings -> Device Settings -> Sign-In Screen -> "Always show user names and photos". We're going to be testing this ourselves for a handful of devices that our staff use so I don't know if it will occasionally request the 2FA handshake again but I was able to log in without using my 2FA key after the first log in, if I wipe the chromebook then I have to do 2FA on first login.

0 Kudos
Reply

PatrickM
New Contributor II
In response to MattDPenn

‎08-02-2024 07:36 AM

It does work, and we have no issues with Staff as they have been assigned a Chromebook or Chromebox.  They are prompted once, then all is fine afterwards. Unfortunately with our students, they do not always use the same Chromebook from the cart, so they will get prompted for MFA on the new device.

Guess we will wait and see how much of an issue this will be in a few weeks when school starts and students need to leave their phones at the front of the classroom.

0 Kudos
Reply

BrandonB
New Contributor II

‎08-04-2024 09:36 PM

I'm not aware of a method to IP filter 2FA prompting and don't think it exists. Other options are to use 2SV is to print recovery codes or use a hardware dongle. Good luck. It's happening in lots of places.

 

0 Kudos
Reply
  • © 2023 Google. All rights reserved.
  • Privacy Policy
  • Terms of Service
  • Community Guidelines