This article will attempt to answer the various queries from G Suite customers regarding the 2-step authentication using U2F following Google’s self-developed security key announcement.
2-step Authentication in G Suite
G Suite allows users to set up 2-step authentication to increase security when logging in; after entering the ID/password, they can set up 2-step authentication via SMS, Google Authenticator, push notification to Android, etc.
U2F keys, i.e., YubiKey, etc., have been available for a while. However, the option to make YubiKey mandatory was a paid G Suite Enterprise-only feature (despite various requests).
However, in March of this year, the option to make a U2F key for 2-step verification mandatory was finally extended to all G Suite plans※ .
Thus, G Suite Basic and Business users can enforce 2-step authentication using YubiKey in environments requiring advanced access control for corporate use.
※ G Suite Japanese Blog: https://gsuiteupdates-ja.googleblog.com/2018/04/3-g-suite-2.html
In line with this, the remainder of this article will guide how to set up 2-step authentication for G Suite using YubiKey.
Settings on the administrator's side
Permission for G Suite Admin will be needed to enforce the U2F device for 2-step authentication.
First, access the G Suite administration console and select Security.
Open Basic Settings.
One must turn it on if the 2-step verification process is not enabled. Check the box and click Save.
After enabling 2-step verification, click "To apply the 2-step verification process, please go to Advanced Settings" and the 2-step verification details.
If users apply these changes to an organization that includes the administrator themself, the administrator must have a security key registered. If so, please register a new key from the Google Account Management page (see below for instructions).
The security key is applied to the entire organization, including the administrator, by default.
To apply it to only a part of the organization, create a group in advance, and then select the group to use from the group filter on the left side of the screen.
Once one has decided what to apply, setting up the 2-step authentication can begin.
First, use the "Implementation" option to determine the application date.
This is an option for each user themselves to set the transition period during which they will register their 2-step verification factor.
In this case, select "Enable the application from the specified date.”
Also, set the registration period for new users to one month.
Next, limit the available 2-step verification process to security keys only to force them to log in with a device such as a YubiKey that uses U2F authentication, which has a higher security strength.
Finally, set the option for how often the 2-step verification process should be performed as it is an option to record the PC/browser where one logged in and not to complete the 2-step verification process next time.
In this case, select the option to ask for a security key each time one log in.
When all settings are done, click Save to reflect the settings.
User Settings
The next step is for each user to enable 2-step verification on their own.
After logging in with the user account, go to the Google Account Management page.
Login and Security
Click on the 2-step verification process.
This will start the 2-step verification process.
Click Next as the security key registration process begins.
The phone number verification screen will appear if non-administrator security keys are allowed in the 2-step verification process settings. In this case, one can register the security key by selecting the security key from the options listed.
Next, one will be prompted to insert a key. Once the YubiKey is plugged into the PC, the touch part of the YubiKey will blink.
Touch the YubiKey to complete registration. If necessary, set the name of the security key. Then, click "Allow" when the following confirmation appears.
When registration is complete, one will be asked to enter a name for the key. When registering multiple keys, it is best to use a different name.
Operation at login
This completes the setup. Log out of G Suite and log in again.
The 2-step authentication process, as shown below, can be seen.
Insert the YubiKey into the PC, and the touch part will blink. Touch it to complete the login.
Managing Security Keys
Users can manage their security key from the Google Account Management page > Login & Security > 2-step verification.
To add or remove a lost key, click here.
Of course, if a user has only one security key and loses it, the administrator will need to recover it.
In such cases, the G Suite administrator can add or remove the security key from the user details page.
Retrieving a backup code in case one needs to log in urgently is possible as well.※
※To use a backup key, the 2-step verification method needs to be set to "Unlimited."
This code can enable a single user to log in only once.
Conclusion
Using YubiKey to log in to G Suite allows users to enforce a robust 2-step authentication for others. Through 2-step authentication with YubiKey, there have been zero phishing attacks since the security key was introduced, and the Yubico Blog also talks of the improvements in terms of cost management and convenience.
For queries regarding the 2-step authentication, please contact us through the Contact page.