In part one of this blog series, we looked at reasons to use Google's 2-Step Verification (2SV) system. In part two, we walked through the steps to enable 2SV in your own Google Account. Now, in this third and final post, we'll walk Google Apps administrators through enforcing 2SV in your Google Apps domain. If you haven't already done so, be sure to enable 2SV in your own account so that you have a good understanding of the process users will follow. You might also ask some of your more technically-inclined users to turn 2SV on in their accounts so that you have multiple people in your organization familiar with the process. Google allows administrators to enforce 2SV at the organization level. This allows you to require 2SV for all your users, or only certain sub-organizations of users. Additionally, you can create Google Groups of users and set them as exceptions to the default 2SV Setting for an organization, members of the defined group can be excluded from the 2SV policy of their organization. This provides you with maximum flexibility as you begin to enforce 2SV with your users. I recommend taking at least 2 weeks to implement 2SV enforcement for your users. Here's the plan: Prerequisites
Google's 2SV does not work when SAML SSO is enabled. If you're using SSO, either turn it off or investigate 3rd-party 2SV solutions that integrate with your SSO solution.
All of your Google Apps Administrators should have 2SV enabled and be comfortable with the process BEFORE you begin enforcing 2SV. This keeps you from getting locked out of your Google Apps domain.
A non-email method of contacting administrators or helpdesk should be clearly communicated ahead of time so that users are able to get assistance if they are locked out of their email account.
Step 1: Find Out Who's Already Using 2SV
The 2-Step Verification Enrollment Report
If you've had 2SV enabled in your domain for some time, you may already have users enrolled. Google provides you with a report listing all the users in your domain, whether they have 2SV enabled and whether 2SV is enforced for their account. To see the report, just login to your Google Apps Control Panel and Navigate to Reports -> Additional Reports. The "2-Step Verification Enrollment Report" is the last one on the page. I recommend downloading it and then uploading the file to Google Drive as a Spreadsheet for easy analysis.
Real-Time View of a User's 2SV Status
The report is generated every 24 hours so it doesn't quite give you a real-time view of who has 2SV enabled, but it is good for checking the progress of your users regularly while working to get everyone onboard. If you need to see the real-time 2SV status of a user, go to that user's account in the Control Panel and click on the security tab. It will show if they have 2SV enabled or disabled currently. Step 2: Create a Group of Users Who Don't Have 2SV Enabled We'll create a Google Group and add all our users that don't already have 2SV enabled (and who we want to enforce 2SV upon eventually) to the group. We'll use this group for two purposes:
To contact and remind users who have yet to turn 2SV on.
To exclude these users from the enforcement during the implementation period.
You might be beginning to understand our strategy now. We'll use the group to notify our users of the new 2SV requirement. As users enable 2SV in their account, they'll show in the 2SV enrollment report and we'll remove them from the group so that they don't get any more reminders and 2SV is enforced for their account.
Step 3: Turn on 2SV Enforcement
2SV Enforcement in the Google Apps Control Panel
With our group of excluded users ready, we can now safely turn on 2SV enforcement and exclude the group from enforcement to prevent lockout. In the Control Panel, navigate to Settings -> Security. You have the option of enforcing 2SV only on certain sub-organizations of users but in this example, we'll be enforcing 2SV for all users.
Excluding 2SV Enforcement for Our Group
Click on the top level organization to the left and click the Select button next to Group Filters on the right. Browse and find the 2SV exclusion group you created in the previous step. Now with that group selected (highlighted in blue), click the radio button to select "Turn off enforcement" (click the radio button even though it's already selected). What you are doing here is explicitly turning off 2SV enforcement for members of the group. Click "Save Changes" and you should notice that the "Inherited" text under Authentication changes to say "Locally applied" meaning that you've explicitly disabled 2SV enforcement for members of the group.
Enforcing 2SV By Default
Now with 2SV off for the group, we can safely turn it on for anyone else in the domain (which should be only users who have 2SV enabled and won't be locked out). Under "Group Filters", click "No admin groups selected." and then click "Turn on enforcement". Hit "Save changes" and 2SV will be enforced for all users in the domain who aren't a member of our exclusion group.
To confirm your settings are correct, toggle back over to your exclusion group and making sure "Turn off enforcement" is still set. Also, have a user who does not have 2SV enabled for their account yet log out and log back in to make sure they're not locked out.
Step 4: Communicate!
The importance of clearly communicating the new 2SV requirement to your users can't be over-emphasized. Be sure to talk about the positive sides (better security, simple process, help is available). Communications should be sent out to your 2SV group every 2-3 days as a reminder during the enforcement process. You may wish to have the communication sent out by a higher authority in the company than yourself so that users pay closer attention to the message. Since you're communicating via a Google Group, you can take advantage of the many features of the New Google Groups for Business. As an example, here's the communication we sent to users at Dito to notify them of the 2SV requirement, feel free to use it as a template for your own emails:
Subject: Important Notification: Mandatory 2-Step Verification for [COMPANY] Accounts
Our accounts at [COMPANY] often contain confidential and proprietary information. In order to enhance our current security, and safeguard our customers, all employees will be required to enable 2-step verification.
What is 2-step verification? In a nutshell, 2-step verification requires you to enter a code, in addition to your existing username and password, in order to access your account. Please take a few minutes to watch this brief overview of 2-step verification: Using 2-step Verification
How long do I have to enable this feature? Please enable 2-step verification for your account no later than [DUE DATE].
How do I set up 2-step verification? Setting up 2-step verification should take only 5-10 minutes.
Create application specific passwords to get your mobile devices and applications (i.e. Google Talk, Chrome sync) up and running.
What happens after [DUE DATE] if I don’t have 2-step enabled? You will be unable to access your [COMPANY] account. In order to regain access, you'll need to email [HELPDESK EMAIL] from a personal email account for a temporary code to regain access and enable 2SV.
Get Help If you have additional questions or need help, please send an email to [HELPDESK EMAIL].
Step 5: Monitor Progress
Now that users are aware of the requirement and have instructions, you should begin to see more users with 2SV enabled. You can check the 2SV Enrollment Report on a daily basis or only before sending another reminder to the 2SV exclusion group. After the report shows that a user has enabled 2SV for their account, you can safely remove them from the exclusion group.
As your deadline approaches, you may find some stragglers need additional reminders. Hopefully by now, the size of your group is small enough that more direct, personal communications with these users is possible. A phone call conversation can often be much more effective than an email. You may also want to increase the sense of urgency by reminding the user that they will be locked out of email if they don't act.
Step 6: Final Enforcement
The deadline has come and we're ready to enforce 2SV for all our users. If our communications have been effective and users have been responsive, this will be a non-event. However, you should prep your help desk for support calls about lockout if you find you still have users who haven't enrolled in 2SV. Google makes it fairly simple for help desk and administrators to handle locked out users. You should have some method in place to verify the person is who they say they are. Then the admin simply needs to open the Control Panel, search for the user and open the user's Security tab. Click the "Show backup verification codes" button and communicate one of the codes to the user. Using the code, the user should be able to login temporarily to their account and they should immediately walk through the 2SV enrollment process.
You might have some users who ultimately don't need 2SV enabled. This might include part-time volunteer workers or service accounts. If so, you can simply keep these users as members of the group long-term. If no users need to be excluded long-term, remove everyone from the exclusion group. Even though the group has no members, I recommend keeping it in place and available should you need to temporarily exclude a user from 2SV enforcement.
Best Practices
Have administrators using and familiar with 2SV before beginning enforcement. If you have a help desk, also consider having them enable it before organization-wide enforcement.
Communicate the plan clearly to your users. Provide clear channels for the users who need help or are locked out.
When making changes to the 2SV enforcement settings in the Control Panel, be sure to confirm the settings are functioning as you expect by logging into a user account separately.
Make sure administrators and helpdesk personnel are able to perform backup code lookup for users who are locked out. Have a policy in place for verifying the user is who they say they are before communicating the backup code.
Please enjoy this video on the overview of enabling, setting up, and enforcing two-step verification in Google Apps.
So are you planning to turn on 2SV enforcement for some or all of your users? Let us know your plans and how the process goes for your organization in the comments!
