Enforce uniform MFA to company-owned resources

Business problem

Compromised passwords are a major source of data breaches. Once a password is compromised, the hacker has the same permissions to access corporate data as the employee.

Multifactor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-step verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).

To protect user accounts and data, your company has decided that all users must authenticate themselves using 2SV to access corporate resources.

Solutions

If Cloud Identity is your identity provider (IdP), you can implement 2SV in several ways. If you use a third-party IdP, check with them about their 2SV offering.

You can select different levels of 2SV enforcement:

  • Optional—employee decides if they will use 2SV.
  • Mandatory—employee chooses the 2SV method.
  • Mandatory security keys—employee must use a security key.

Security keys

Security keys offer the strongest 2SV method.

A security key is a physical device that users typically insert into a USB port on their computer. When prompted, the user touches the key, and it generates a cryptographic signature for that sign-in.

Some scammers set up phishing sites that pose as Google and ask users for 2SV codes. Because security keys use public-key cryptography and check that the site requesting the sign-in is the one the key was registered with, they are less prone to phishing than codes that a user can be tricked into typing.

To use a security key with an Android mobile device, the user taps an NFC-capable security key against the device's Near Field Communication (NFC) reader. USB and Bluetooth Low Energy (BLE) security keys are also available for Android devices. Apple mobile devices need Bluetooth-enabled security keys.
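The phishing resistance described above comes from the way a FIDO security key signs: the browser, not the web page, records the origin of the sign-in, and the key's signature covers both that origin and a hash of the domain the key was registered for, so a look-alike site cannot obtain a signature the real site will accept. The following Go code is an added example, not Google's code or part of the original page; it models the assertion format and the relying-party checks in simplified form (the names clientData, digest, sign, verify and demoKey and the example.com domains are constructed).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn clientDataJSON; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the key pair created at registration

// digest is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func digest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign models the key: authenticatorData opens with SHA-256(rpID), the domain the key was registered for.
func sign(priv *ecdsa.PrivateKey, rpID string, cd clientData) (authData, cdJSON, sig []byte) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = append(rpIDHash[:], 0x01) // flags byte: user present
	cdJSON, _ = json.Marshal(cd)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest(authData, cdJSON))
	return
}

// verify is the relying-party check: the origin and rpIdHash must be the real site's before the signature counts.
func verify(pub *ecdsa.PublicKey, origin, rpID, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	switch rp := sha256.Sum256([]byte(rpID)); {
	case json.Unmarshal(cdJSON, &cd) != nil || cd.Challenge != challenge:
		return fmt.Errorf("unparsable clientData or replayed challenge")
	case cd.Origin != origin:
		return fmt.Errorf("origin %q is not %q: the assertion came from another site", cd.Origin, origin)
	case len(authData) < 33 || string(authData[:32]) != string(rp[:]):
		return fmt.Errorf("rpIdHash is not SHA-256(%q)", rpID)
	case !ecdsa.VerifyASN1(pub, digest(authData, cdJSON), sig):
		return fmt.Errorf("signature invalid: clientData or authenticatorData was altered")
	}
	return nil
}
```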

Google prompt

Google Prompt is an alternative 2SV method.

Instead of generating and entering a 2SV code, users can set up their Android or Apple mobile device to receive a sign-in prompt. When they sign in to their Google Account on a computer, a "Trying to sign in?" prompt appears on the mobile device, and they confirm the sign-in by tapping it.

Google Authenticator app

Google Authenticator is an alternative 2SV method.

Google Authenticator generates single-use 2SV codes on Android or Apple mobile devices. Users generate a verification code on their mobile device and enter it when prompted on their computer. They can enter it to sign in to a desktop, laptop, or even the mobile device itself.

Backup codes

Backup codes are an alternative 2SV method.

If a user is away from their mobile device, or works in a high-security area where mobile devices aren't allowed, they can use a backup code for 2SV. Users generate backup verification codes ahead of time and can print them.

Text message or phone call

Text messages or phone calls are alternative 2SV methods.

Google sends a 2SV code to mobile devices in a text message or voice call.

Recommendations

You'll need to balance security, cost, and convenience in deciding which 2SV alternatives are best for your company. Regardless of which alternatives you select, we recommend enabling 2SV enforcement. This makes 2SV mandatory.

Use security keys

We recommend requiring security keys for those employees who create and access data that needs the highest level of security. You should require 2SV for all other employees and encourage them to use security keys.

Security keys offer the most secure form of 2SV. They are based on the open standard developed by Google as part of the Fast Identity Online (FIDO) Alliance. Security keys require a compatible browser on user devices.

Other options

If cost and distribution are factors in your decision, a Google prompt or the Google Authenticator app are good alternatives. A Google prompt provides a better user experience, because users simply tap their device when prompted instead of entering a verification code.

If your users can't carry mobile devices, they can generate printable backup codes to take into high-security areas.

We recommend against using text messages. The National Institute of Standards and Technology (NIST) no longer recommends SMS-based 2SV due to the hijacking risk from state-sponsored entities.

Example

Company A is a large and well-established enterprise company that uses on-premises apps and authentication. To implement increased security, lower support costs, and boost scalability, they want to move to Cloud Identity as their primary IdP.

The company adopted a mandate to roll out an IDaaS offering for managing its cloud presence, which requires rolling out 2SV and completing compliance by a certain date. The Infosec team is requiring 2SV for all users.

Company A decides to use Cloud Identity to implement 2SV. They plan to make security keys mandatory for those users who work on the most sensitive and business-critical company initiatives—and also for those who access employee information. This includes executives in all organizations and people in the engineering, finance, and human resources organizations. All other employees are required to use 2SV. They can select the 2SV method that suits them best and are encouraged to use security keys.

Security key enforcement varies by organization.

To require security keys only for certain groups, IT creates subsets of users within larger organizations, called exception groups. For example, the entire Marketing organization is required to use 2SV, but only its executives must use security keys. IT creates an executive group inside each organization (marketing, sales, support, and so on) and enforces security keys on those executive groups.
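Before the compliance date, an admin will want to check which users still fall short of the level that applies to them. The following Go code is an added example, not Google's code or part of the original page: it resolves each user's required level from org-unit inheritance plus exception-group membership, then flags users whose enrollment or enforcement state lags it. The Level, User, Required and Audit names are constructed; the user fields mirror the Directory API user resource (orgUnitPath, isEnrolledIn2Sv, isEnforcedIn2Sv), which the snippet assumes the caller has already fetched along with group memberships.

```go
package main

import "strings"

// Level is one of the 2SV enforcement levels an admin can select for an org unit or group.
type Level int

const (
	Optional     Level = iota // employee decides whether to use 2SV
	Mandatory                 // 2SV required, employee chooses the method
	SecurityKeys              // 2SV required, security keys only
)

// User carries the Directory API fields the audit reads plus the user's group memberships.
type User struct {
	Email, OrgUnitPath               string
	Groups                           []string
	IsEnrolledIn2Sv, IsEnforcedIn2Sv bool
}

// Required resolves the effective level: nearest org-unit policy (children inherit), raised to SecurityKeys by any exception group.
func Required(ouLevels map[string]Level, exceptionGroups map[string]bool, u User) Level {
	for _, g := range u.Groups {
		if exceptionGroups[g] {
			return SecurityKeys
		}
	}
	lvl, depth := Optional, -1
	for ou, l := range ouLevels {
		if (ou == "/" || u.OrgUnitPath == ou || strings.HasPrefix(u.OrgUnitPath, ou+"/")) && len(ou) > depth {
			lvl, depth = l, len(ou)
		}
	}
	return lvl
}

// Audit maps each non-compliant user to the gap between their 2SV state and the level they need.
func Audit(ouLevels map[string]Level, exceptionGroups map[string]bool, users []User) map[string]string {
	findings := map[string]string{}
	for _, u := range users {
		switch req := Required(ouLevels, exceptionGroups, u); {
		case req == Optional: // nothing to enforce
		case !u.IsEnrolledIn2Sv:
			findings[u.Email] = "2SV required but user is not enrolled"
		case !u.IsEnforcedIn2Sv:
			findings[u.Email] = "enrolled, but 2SV enforcement is not applied to this user"
		}
	}
	return findings
}
```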