# 43 Hardware-key break-glass super-admin

> v0.0.2 · role: Prevent · [policy: #17 · #13](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

The [20 Break-glass admin + offline backup codes](breakglass-admin.md) account's second factor is a hardware security key that lives in a sealed safe — never in a drawer, never in daily use. Registering the key is the easy part: the control is the custody around it, so the key is removed only in a witnessed ceremony and any authentication with it fires an alert, because an account nobody uses has no legitimate sign-in.

Documentation: [Security best practices for administrator accounts](https://knowledge.workspace.google.com/admin/users/security-best-practices-for-administrator-accounts) · [Manage a user's security settings](https://knowledge.workspace.google.com/admin/security/manage-a-users-security-settings)

## Caveats

- Registering the key is not the control — the control is that it lives in a sealed safe, is never used for daily work, and its use raises an alert.
- Offline FIDO2 custody is a physical procedure with no console surface — the settings it depends on (2SV enforcement, security-key-only methods) are №1 and №7, and without them the key is merely one option among several.

_Process control — carried out offline; no Admin Console walkthrough._

## Ongoing maintenance

- **[requires a human]** Quarterly: repeat the retrieval-and-sign-in drill; check seal integrity between drills.

## How to verify

1. Run the drill: retrieve the sealed key, sign in with it, confirm super-admin access, then re-seal. Log the drill with witnesses per the custody rules.
