Enforce uniform MFA for access to company-owned resources

Business problem

Compromised passwords are a major source of data breaches. Once a password is compromised, the hacker has the same permissions to access corporate data as the employee whose password was broken.

Multi-factor authentication (MFA) is an important tool in protecting corporate resources. MFA is also called 2-Step Verification (2SV). 2SV requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).

To protect user accounts and data, your company has decided that all users must authenticate themselves using 2SV to access corporate resources.

Solutions

If Cloud Identity is your Identity provider (IdP), there are several ways you can implement 2SV. If you use a third-party IdP, check with them about their 2SV offering.

There are several 2SV methods, and you can also select different levels of 2SV enforcement:

  • Optional—employee decides if they will use 2SV.
  • Mandatory—employee chooses the 2SV method.
  • Mandatory security keys—employee must use a security key.

Security keys

Security keys offer the strongest 2SV method.

Using security keys offers the strongest security among 2SV methods. A security key is a physical device that users usually insert into a USB port on a computer. When prompted, the user touches the key, and it generates a cryptographic signature.

Some scammers set up phishing sites that pretend to be Google and ask for 2SV codes. Because security keys use public-key cryptography and bind each signature to the site the browser is actually connected to, a signature produced on an impostor site is not valid for the legitimate one, so security keys are less prone to phishing attacks.

For Android mobile devices, a user taps a security key on their device to use the key. Near Field Communication (NFC) has to be enabled on the mobile device. USB and Bluetooth Low Energy (BLE) options are also available for Android devices. Apple mobile devices need Bluetooth-enabled security keys.
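To make the phishing-resistance point concrete, here is an added example (not from this page or from Google) that models, in simplified form, how a FIDO security key's signature is bound to the origin the browser is on. The origin names, the challenge and the client-data layout are constructed stand-ins, not the real WebAuthn message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is a constructed, simplified stand-in for FIDO/WebAuthn client
// data: the browser, not the user, records the origin it is connected to.
type clientData struct {
	Origin    string `json:"origin"`
	Challenge string `json:"challenge"`
}

// securityKey models the hardware key: after the user touches it, it signs
// a hash of whatever client data the browser hands over.
type securityKey struct{ priv ed25519.PrivateKey }

func (k securityKey) sign(cd clientData) []byte {
	b, _ := json.Marshal(cd)
	h := sha256.Sum256(b)
	return ed25519.Sign(k.priv, h[:])
}

// verifyAssertion is the relying party's check: rebuild the client data with
// its OWN origin and challenge; a signature made on any other origin fails.
func verifyAssertion(pub ed25519.PublicKey, rpOrigin, challenge string, sig []byte) bool {
	b, _ := json.Marshal(clientData{Origin: rpOrigin, Challenge: challenge})
	h := sha256.Sum256(b)
	return ed25519.Verify(pub, h[:], sig)
}

// demo compares a sign-in from the real origin with one where the browser was
// on a look-alike origin (both names constructed). Returns (genuine, lookAlike).
func demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key := securityKey{priv}
	const rp, challenge = "https://accounts.example.com", "constructed-nonce"
	genuine := key.sign(clientData{Origin: rp, Challenge: challenge})
	fake := key.sign(clientData{Origin: "https://accounts.example.com.invalid", Challenge: challenge})
	return verifyAssertion(pub, rp, challenge, genuine), verifyAssertion(pub, rp, challenge, fake)
}

func main() {
	genuine, fake := demo()
	fmt.Println("real origin accepted:", genuine, "look-alike origin accepted:", fake)
}
```

The second result is false even though the user touched the key and the challenge was the real one: the key never learns a password or code that could be relayed, and the signed origin does not match.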

Google Prompt

Google Prompt is an alternative 2SV method.

Instead of generating and entering a 2SV code, users can set up their Android or Apple mobile devices to receive a sign-in prompt. When they sign in to their Google Account on their computer, they get a "Trying to sign in?" prompt on their mobile device. They simply confirm by tapping their mobile device.

Google Authenticator app

Google Authenticator is an alternative 2SV method.

Google Authenticator generates 2SV codes on Android or Apple mobile devices. A verification code can be used one time only. Users generate a verification code on their mobile device and enter it when prompted on their computer. This computer can be a desktop or laptop, or even the mobile device itself.
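An added example (not from this page or from Google Authenticator's own code) showing how a 30-second HMAC-SHA1 code is derived and how the verifying side enforces one-time use. The secret is the RFC 6238 test-vector key, not a real enrollment secret, and the verifier is a constructed illustration of the server side.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totpCode computes an RFC 6238 code with the HMAC-SHA1, 6-digit, 30-second
// profile, which is what Google Authenticator uses for standard accounts.
func totpCode(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	v := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

// verifier is the server side. It allows one 30-second step of clock skew and
// never accepts a time step at or below the last one it accepted, which is
// what makes each code usable one time only.
type verifier struct {
	secret       []byte
	lastAccepted int64 // time step of the last accepted code; -1 when none
}

func (v *verifier) check(code string, unixTime int64) bool {
	for _, skew := range []int64{0, -30, 30} {
		t := unixTime + skew
		if t/30 <= v.lastAccepted {
			continue // this step was already used (or is older than one used)
		}
		if hmac.Equal([]byte(totpCode(v.secret, t)), []byte(code)) {
			v.lastAccepted = t / 30
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key, not a real secret
	v := &verifier{secret: secret, lastAccepted: -1}
	code := totpCode(secret, 59)
	fmt.Println(code, v.check(code, 59), v.check(code, 59)) // second check is a replay
}
```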

Backup codes

Backup codes are an alternative 2SV method.

In the event a user is away from their mobile device or is working in a high-security area where they can't carry mobile devices, they can use a backup code for 2SV. Users can generate backup verification codes and print them ahead of time.

Text message or phone call

Text messages and phone calls are an alternative 2SV method.

Google sends a 2SV code to mobile devices in a text message or voice call.

Recommendations

You'll need to balance security, cost, and convenience in deciding which 2SV alternatives are best for your company. Regardless of which alternatives you select, we recommend enabling 2SV enforcement. This makes 2SV mandatory.

Use security keys

We recommend requiring security keys for those employees who create and access data that needs the highest level of security. You should require 2SV for all other employees and encourage the use of security keys.

Security keys are the best 2SV method because they are the most phishing-resistant form of 2SV. They are based on the open standard developed by Google as part of the Fast Identity Online (FIDO) Alliance. Security keys require a compatible browser on user devices.

Other options

If cost and distribution are factors in your decision, Google Prompt or the Google Authenticator app are good alternatives. Google Prompt provides a better user experience, because users simply tap their device when prompted instead of entering a verification code.

If your users can't carry mobile devices, they can generate printable backup codes to take into high-security areas.

We recommend against using text messages. The National Institute of Standards and Technology (NIST) no longer recommends SMS-based 2SV due to the hijacking risk from state-sponsored entities.

Example

Company A is a large and well-established enterprise company that uses on-premises applications and authentication. To implement increased security, lower support costs, and scalability, they want to move to Cloud Identity as their primary IdP.

The company has a mandate to roll out an IDaaS offering for managing its cloud presence, which requires rolling out 2SV and reaching complete compliance by a certain date. The Infosec team requires 2SV for all users.

Company A decides to use Cloud Identity to implement 2SV. They plan to make security keys mandatory for those users who work on the most sensitive and business-critical company initiatives, and also for those who access employee information. These employees include executives in all organizations and people in the engineering, finance, and human resources organizations. All other employees are required to use 2SV, and they can select the 2SV method that suits them best but are encouraged to use security keys.

Security key enforcement varies by organization.

To require security keys only for certain groups, IT creates subsets of users within larger organizations called exception groups. For example, the entire Marketing organization is required to use 2SV, but only the executives must use security keys. IT creates an executive group inside each organization, such as Marketing, Sales, and Support, and enforces security keys on those executive groups.