← All controls

1 Enforce 2-Step Verification

Requires a second factor beyond the password for every sign-in. Two separate settings are involved: allowing users to enrol, and enforcement — which is the one that actually refuses a password-only sign-in. Restricting the accepted methods removes text-message and phone-call codes, the factors a SIM-swap or an interception attack defeats. This is the largest single defence against phished, reused and stuffed credentials.

Caveats

Setup steps

  1. open ↗ Security › Authentication › 2-Step Verification
    Allow users to turn on 2-Step Verification
    On

    Deploy 2-Step Verification ↗

  2. Security › Authentication › 2-Step Verification
    Enforcement
    On (optionally 'Turn on enforcement from date' with a new-user enrolment period)

    Deploy 2-Step Verification ↗

  3. Security › Authentication › 2-Step Verification
    Methods
    Any except verification codes via text, phone call

    Deploy 2-Step Verification ↗

  4. open ↗ Reporting › User Reports › Security
    2-Step Verification Enrollment
    Enrolled for every active user

    User reports: Security ↗

Ongoing maintenance

How to verify

  1. Enumerate enforcement per user with GAM — enrolment without enforcement still admits a password-only sign-in.

    gam print users fields primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv
  2. Any row with isEnforcedIn2Sv=False outside the break-glass OU is a finding.

v0.0.3Prevent policy #8 · #3 ↗