Feature Request: Command to disable 2 Step Verification

1,430 views
Skip to first unread message

Ronald Nissley

unread,
Jun 20, 2016, 12:24:18 PM6/20/16
to Google Apps Manager
For account deprovisioning / migration purposes, a command to disable 2 Step Verification would be handy. It's easy to do from the Admin console, but it would be nice to include this in our GAM workflow.

Thank you!

Jay Lee

unread,
Jun 20, 2016, 12:27:43 PM6/20/16
to Google Apps Manager
There's no API to disable 2SV. However, you can show / regenerate backup codes for an account with:

gam user <email> show backupcodes

gam user <email> update backupcodes


Getting the codes and then sending them on to whoever needs to login to the account allows programmatic access to a 2SV account.

Jay

On Mon, Jun 20, 2016 at 12:24 PM Ronald Nissley <rnis...@gmail.com> wrote:
For account deprovisioning / migration purposes, a command to disable 2 Step Verification would be handy. It's easy to do from the Admin console, but it would be nice to include this in our GAM workflow.

Thank you!

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0fab0c0d-48a4-48d2-9908-e33d050680bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--

Jay

Kyle Varga

unread,
Jun 20, 2016, 2:53:52 PM6/20/16
to Google Apps Manager
Problem with this is that user's normally have phone as their 2-factor, so if needing to do this, user's still get codes text messaged to them. This is obviously normally post-employment and something that would be nice to avoid.

I know its not a GAM issue per say, just want people to be aware of that issue before just using the backupcodes. 


On Monday, June 20, 2016 at 11:27:43 AM UTC-5, Jay Lee wrote:
There's no API to disable 2SV. However, you can show / regenerate backup codes for an account with:

gam user <email> show backupcodes

gam user <email> update backupcodes


Getting the codes and then sending them on to whoever needs to login to the account allows programmatic access to a 2SV account.

Jay

On Mon, Jun 20, 2016 at 12:24 PM Ronald Nissley <rnis...@gmail.com> wrote:
For account deprovisioning / migration purposes, a command to disable 2 Step Verification would be handy. It's easy to do from the Admin console, but it would be nice to include this in our GAM workflow.

Thank you!

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
--

Jay

Graham Ingleby

unread,
Jun 27, 2016, 4:42:43 AM6/27/16
to GAM group
If you have changed the password, then even with the codes they still cannot sign in


 

 Graham Ingleby | Cloud Computing Consultant | +44 1344 203395 | ging...@ancoris.com

Google+      

Powered by Ancoris Signatures


On 20 June 2016 at 19:53, Kyle Varga <ky...@kylevarga.com> wrote:
Problem with this is that user's normally have phone as their 2-factor, so if needing to do this, user's still get codes text messaged to them. This is obviously normally post-employment and something that would be nice to avoid.

I know its not a GAM issue per say, just want people to be aware of that issue before just using the backupcodes. 

On Monday, June 20, 2016 at 11:27:43 AM UTC-5, Jay Lee wrote:
There's no API to disable 2SV. However, you can show / regenerate backup codes for an account with:

gam user <email> show backupcodes

gam user <email> update backupcodes


Getting the codes and then sending them on to whoever needs to login to the account allows programmatic access to a 2SV account.

Jay

On Mon, Jun 20, 2016 at 12:24 PM Ronald Nissley <rnis...@gmail.com> wrote:
For account deprovisioning / migration purposes, a command to disable 2 Step Verification would be handy. It's easy to do from the Admin console, but it would be nice to include this in our GAM workflow.

Thank you!

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
--

Jay

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/3e5913f2-b39a-4937-aea6-89fadfc2300f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


This message is for the named person's use only.  If you receive this message in error, please delete it and notify the sender.  Ancoris reserves the right to monitor all e-mail communications through its networks. Ancoris Limited, Registered in England Number: 04830784, Registered address: 5a Frascati Way, Maidenhead, Berkshire SL6 4UY. Trading Address: Lily Hill House, Lily Hill Road, Bracknell, Berkshire RG12 2SJ


EL

unread,
Jun 27, 2016, 3:27:28 PM6/27/16
to Google Apps Manager

Edward Warren

unread,
Aug 15, 2016, 2:41:26 PM8/15/16
to Google Apps Manager
I have confirmed that running deprovision and changing the password does not invalidate a users 2fa security tokens. 
I ran deprovision and changed password on a user. When I then try to login to google as that user with the new password I am presented with the user's original 2fa options, including option to get a text to their number or use google authenticator app. I confirmed that these security devices are in fact still valid and can be used to log in with the new password. Deprovision did run successfully as their backup codes and Oauth authorized apps were wiped. 

I think what the OP wants is to completely disable 2fa, while my goal is just to disable their 2fa devices thus allowing only super admins to get in using new backup codes and the new password. However, I think if I could turn off 2fa on a user but leave in an Org Unit that has the security policy of require 2fa for all users that I would then be achieving what I am looking for bc backup code would be required in order to log in. 
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
--

Jay

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
Reply all
Reply to author
Forward
0 new messages