All:
Our insurance provider is requiring all accounts with email addresses to be protected with either 2-factor auth or a walled-garden (in the case of students).
We’ve been advising that students be behind a walled-garden, and staff get 2-factor set to be required.
Some questions have come up regarding trusted devices. Google support tells me that a trusted device doesn’t ask for the second factor for as long as it is trusted, and that may not be allowed by insurance.
How feasible would it be to find all trusted devices in a domain and remove their trust on a bi-weekly or monthly basis?
--
Rance Hall
Application Specialist
ESU 10
Some days are better, some days are worse.
Look for the blessing instead of the curse.
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/DM8PR06MB7717FA9A726C7ADB2153414B90259%40DM8PR06MB7717.namprd06.prod.outlook.com.
Jay, et al.
Ideally, we would be allowed to trust a device with an expiration (30 days?) requiring the 2nd factor to be re-used to gain entry, then retrusted for an additional time sequence (30 days?). All of this of course being automatic. Google’s permanency of trusted status is the issue, and there is no way to dynamically schedule re-trusting the device.
This is the model used by many of the web services we interact with, and we find that this is easily justifiable.
Your point toward usability is well taken, and I’m aware that we can turn it off, but we would rather allow it with a time sensitivity. Since Google doesn’t give us that, it seems like a reasonable approach to at least consider systematically removing trust and allowing the user to re-establish it.
Thus retired devices eventually get un-trusted.
R
--
Rance Hall
Application Specialist
ESU 10
Some days are better, some days are worse.
Look for the blessing instead of the curse.
From: google-ap...@googlegroups.com <google-ap...@googlegroups.com> on behalf of Jay Lee <jay...@gmail.com>
Date: Monday, January 31, 2022 at 11:29 AM
To: google-ap...@googlegroups.com <google-ap...@googlegroups.com>
Subject: Re: [GAM] Trusted devices under Muti-factor authentication
First off, I would clarify this point with your insurer's requirements. Not allowing trusted devices is a major knock against usability for end users. Trusted device can still be considered a 2nd factor (something you know == password and something you have == the trusted device).
Having said that, rather than trying to remove trusted devices, you can just turn the ability to trust off completely in admin console (again, at a cost of usability for your users):
Jay Lee
On Mon, Jan 31, 2022 at 11:25 AM 'Rance Hall' via GAM for Google Workspace <google-ap...@googlegroups.com> wrote:
All:
Our insurance provider is requiring all accounts with email addresses to be protected with either 2-factor auth or a walled-garden (in the case of students).
We’ve been advising that students be behind a walled-garden, and staff get 2-factor set to be required.
Some questions have come up regarding trusted devices. Google support tells me that a trusted device doesn’t ask for the second factor for as long as it is trusted, and that may not be allowed by insurance.
How feasible would it be to find all trusted devices in a domain and remove their trust on a bi-weekly or monthly basis?
--
Rance Hall
Application Specialist
ESU 10
Some days are better, some days are worse.
Look for the blessing instead of the curse.