Is there a way to reset the 2SV grace period for a user?

[Ron]

I would like to be able to reset the 2SV enforcement/enrollment grace period for a user, if/when they forget/neglect to enroll before the grace period expires. GAM doesn't appear to offer an option for this...probably because there is no Workspace API provision for it. I thought I would still put this out here in case some enterprising Workspace admin has found a clever (not officially supported) way to do this in GAM and/or Workspace Admin.

I would find resetting the grace period preferable to generating backup codes and providing one or more backup codes to the user, or some other comparable workaround.

[Jay Lee]

You would need to do the testing to confirm but I suspect moving the user to an OrgUnit where 2SV is not enforced and then back in to the enforced OU would reset the grace period.

Jay Lee

On Wed, Sep 28, 2022 at 3:27 PM Ron <ronald....@emm.org> wrote:

I would like to be able to reset the 2SV enforcement/enrollment grace period for a user, if/when they forget/neglect to enroll before the grace period expires. GAM doesn't appear to offer an option for this...probably because there is no Workspace API provision for it. I thought I would still put this out here in case some enterprising Workspace admin has found a clever (not officially supported) way to do this in GAM and/or Workspace Admin.

I would find resetting the grace period preferable to generating backup codes and providing one or more backup codes to the user, or some other comparable workaround.

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/1e3fb921-d392-45c3-92e8-09bcf0e2d8b6n%40googlegroups.com.

[Ronald Nissley]

Thank you, Jay! That sounded promising, but doesn't seem to work.

• Created an OU, overriding 2SV policy, leaving the option enabled to Allow users to turn on 2-Step Verification, but setting Enforcement to Off.
• Moved a test user (not 2SV enrolled) to the new OU, waited until gam info showed 2-Step is not enforced, then moved the user back to the original OU. Sign on attempt failed with a "settings don't meet 2SV policy" message.
• Updated the new OU 2SV policy to disable 2SV altogether...disabled Allow users to turn on 2-Step Verification...then moved the test user to/from the OU and tried signing on again. Sign on failed with the same message.

[Jay Lee]

What I usually recommend is just generating some backup codes for the user that they can use to get in and then they should immediately setup 2sv:

https://github.com/GAM-team/GAM/wiki/SecurityExamples#generate-new-backup-codes-for-users

Jay Lee

--

You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAL8hzoQ63J9O9qMBXuR0f8kUEi6xjqcENStHvOpgjCO6_e3uBw%40mail.gmail.com.