Today our focus is on authentication settings. If you are using Google Workspace as your IDP, reviewing your authentication settings to ensure they align with internal policies and are appropriate for any use of Google Cloud Platform is paramount.
We recommend two important settings:
- Turn on two-factor authentication.Why? Two-factor authentication (2FA) adds an extra layer of security to your online accounts by requiring a second form of verification in addition to your password. This can be in the form of a code sent to your phone, a biometric scan, or a physical token. By using 2FA, you make it much harder for someone to gain unauthorized access to your accounts, even if they have your password. This is because a hacker would also need to have access to your second form of authentication in order to log in. Additionally, 2FA helps in cases where the password is compromised, and it’s a best practice for organizations to secure their online access.
- Enforce strong passwordsWhy? Weak passwords can be easily guessed or cracked by hackers using automated tools, making it easy for them to gain access to your accounts. A strong password typically contains a combination of uppercase and lowercase letters, numbers, and special characters, and is at least 12 characters long. The longer and more complex the password, the harder it is to crack. Using a unique password for each account is also important because if a hacker gains access to one password, they will not be able to use it to access your other accounts.
If your org is behind a third-party IDP, super admins will still use username/password and Google’s 2FA, so you will still want to ensure that settings are set properly.
To review these key settings, follow these steps:
- Sign in to the Google Admin Console
- Go to Security > Authentication
- Review Password Management to ensure that password policies are properly set. Consider requiring strong passwords to automatically set a secure default.
- Go to 2-Step Verification and check enforcement settings. If 2FA is not enforced, kick off a project to require it.
- If it’s on and all methods are allowed, look into whether it is feasible to disable verification codes over text and phone calls as those are more susceptible to attack.
- If your org uses GCP, check Google Cloud session controls to ensure that reauthentication is required. This way users cannot maintain a persistent connection to GCP resources without reauthentication.