← All controls

38 Cloud session control + admin re-auth

Google Cloud sessions — the Cloud Console and gcloud/Cloud SDK — carry their own session policy, entirely separate from the Workspace web session. New Google Cloud customers get a 16-hour session length enforced by default, but older organizations may default to never requiring reauthentication — there, a stolen laptop or an exfiltrated token keeps working indefinitely. This forces re-authentication on a short timer (1 hour is the floor, 24 hours the ceiling), and the method matters: a password re-auth is defeated by a phished credential, a security key is not.

Caveats

Setup steps

  1. open ↗ Security › Access and data control › Google Cloud session control
    Reauthentication policy
    Require reauthentication
  2. Security › Access and data control › Google Cloud session control
    Reauthentication frequency
    1 hour
  3. Security › Access and data control › Google Cloud session control
    Reauthentication method
    Security key (where FIDO2 is deployed) rather than Password

How to verify

  1. Leave a gcloud/console session past the configured window, then run any privileged command — it must demand re-authentication.

    gcloud projects list  # after expiry: prompts for reauth

v0.0.3Prevent policy #3 · #29 ↗