# 1 Enforce 2-Step Verification

> v0.0.3 · role: Prevent · [policy: #8 · #3](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Requires a second factor beyond the password for every sign-in. Two separate settings are involved: allowing users to enrol, and enforcement — which is the one that actually refuses a password-only sign-in. Restricting the accepted methods removes text-message and phone-call codes, the factors a SIM-swap or an interception attack defeats. This is the largest single defence against phished, reused and stuffed credentials.

Documentation: [Protect your business with 2-Step Verification](https://knowledge.workspace.google.com/admin/security/protect-your-business-with-2-step-verification)

## Caveats

- Registering a factor is not enforcement — until Enforcement = On, a user can still sign in with a password only.
- Enforcing before enrolment is complete locks users out — use 'Turn on enforcement from date' plus an enrolment period, and keep the break-glass admin (№20) exempt in its own OU until backup codes are printed.
- 2SV does not close app-specific passwords or legacy protocols — a password alone still works over those paths until №33 shuts them.

## Setup steps

1. Select the target OU (organizational unit) in the left panel, then check the 'Allow users to turn on 2-Step Verification' box so users can enrol. — `Security › Authentication › 2-Step Verification`

   - **Allow users to turn on 2-Step Verification** = On

   docs: [Deploy 2-Step Verification](https://knowledge.workspace.google.com/admin/security/deploy-2-step-verification)

2. Set enforcement so a password alone can no longer complete a sign-in. — `Security › Authentication › 2-Step Verification`

   - **Enforcement** = On (optionally 'Turn on enforcement from date' with a new-user enrolment period)

   docs: [Deploy 2-Step Verification](https://knowledge.workspace.google.com/admin/security/deploy-2-step-verification)

3. Restrict the allowed second factors so SMS/voice codes are not accepted. — `Security › Authentication › 2-Step Verification`

   - **Methods** = Any except verification codes via text, phone call

   docs: [Deploy 2-Step Verification](https://knowledge.workspace.google.com/admin/security/deploy-2-step-verification)

4. Verify enrolment before enforcement bites: sort users by the 2SV enrolment column and chase the stragglers. — `Reporting › User Reports › Security`

   - **2-Step Verification Enrollment** = Enrolled for every active user

   docs: [User reports: Security](https://knowledge.workspace.google.com/admin/reports/user-reports-security)

## Ongoing maintenance

- **[automatable: script]** Weekly: diff the 2SV enrolment/enforcement export and chase new users who have not enrolled before their grace period ends.

## How to verify

1. Enumerate enforcement per user with GAM — enrolment without enforcement still admits a password-only sign-in.

   ```
   gam print users fields primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv
   ```

2. Any row with isEnforcedIn2Sv=False outside the break-glass OU is a finding.

## Settings screens

- Security > Authentication > 2-Step Verification
  - console: https://admin.google.com/ac/security/2sv
  - screenshot: ../screenshots/admin.google.com/ac/security/2sv.png
- Reporting > User Reports > Security (2SV enrollment column)
  - console: https://admin.google.com/ac/reporting/report/user/security
  - screenshot: ../screenshots/admin.google.com/ac/reporting/report/user/security.png
