Control: 4.1.1.3 (L1) Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users
Description
Enforce 2-Step Verification (Multi-Factor Authentication) for all users.
Add an extra layer of security to users' accounts by requiring users to verify their identity after they enter a username and password. 2-Step Verification (multi-factor authentication) requires an individual to present at least two separate forms of authentication before access is granted, which gives additional assurance that the individual attempting to gain access is who they claim to be. With 2-Step Verification enforced, an attacker who has obtained a password must also compromise a second, independent authentication factor, which increases the difficulty of an account takeover and thus reduces the risk.
Remediation
To configure this setting via the Google Workspace Admin Console:
- Log in to https://admin.google.com as an administrator.
- Select Security.
- Select 2-Step Verification.
- Under Authentication, check Allow users to turn on 2-Step Verification.
- Set Enforcement to On.
- Set New user enrollment period to 2 weeks.
- Under Frequency, uncheck Allow user to trust device.
- Under Methods, select Any except verification codes via text, phone call.
- Select Save.
Default Value
- Allow users to turn on 2-Step Verification is checked
- Enforcement is Off
- New user enrollment period is None
- Frequency: Allow user to trust device is checked
- Methods is Any
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_3 --share
SQL
This control uses a named query. A user who is not enrolled in 2-Step Verification is reported as alarm; a user who is enrolled but not covered by enforcement is reported as info, so a fully clean run requires both user enrollment and the Enforcement setting from the remediation steps. Admin accounts are flagged in the reason text and sorted first.
select
  primary_email as resource,
  case
    when is_enrolled_in_2sv = false then 'alarm'
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then 'info'
    else 'ok'
  end as status,
  case
    when is_enrolled_in_2sv = false then format('User %s is not enrolled in 2-Step Verification%s.', primary_email, case when is_admin then ' (ADMIN)' else '' end)
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then format('User %s has 2FA enrolled but not enforced%s.', primary_email, case when is_admin then ' (ADMIN)' else '' end)
    else format('User %s has 2-Step Verification properly configured%s.', primary_email, case when is_admin then ' (ADMIN)' else '' end)
  end as reason
from
  googledirectory_user
order by
  is_admin desc, is_enrolled_in_2sv asc, primary_email;
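The named query above reports one row per user. When a tenant has hundreds of accounts, what a practitioner usually wants next is a rollup that shows where enforcement is missing, because in the Admin Console the Enforcement setting can be scoped to organizational units and a gap normally traces back to one OU. The following query is an added example, not part of the googleworkspace_compliance mod; it assumes the googledirectory_user table also exposes org_unit_path, suspended and is_delegated_admin columns (named after the corresponding Directory API User fields), which should be confirmed with the .inspect googledirectory_user meta-command before relying on it.

```sql
-- Added example (not the mod's own query): per-organizational-unit rollup of
-- 2-Step Verification status, so that enforcement gaps can be traced to the OU
-- whose policy is missing. Assumes org_unit_path, suspended and
-- is_delegated_admin exist on googledirectory_user (Directory API User fields);
-- verify with `.inspect googledirectory_user` in `steampipe query`.
select
  org_unit_path,
  count(*) as users,
  -- same condition the control reports as 'alarm'
  count(*) filter (where not is_enrolled_in_2sv) as not_enrolled,
  -- same condition the control reports as 'info'
  count(*) filter (where is_enrolled_in_2sv and not is_enforced_in_2sv) as enrolled_not_enforced,
  -- super admins and delegated admins without 2SV are the highest-value targets
  count(*) filter (where (is_admin or is_delegated_admin) and not is_enrolled_in_2sv) as privileged_not_enrolled
from
  googledirectory_user
where
  -- suspended accounts cannot sign in; excluding them keeps the report actionable
  not suspended
group by
  org_unit_path
having
  -- only list OUs that still have at least one user outside the 'ok' state
  count(*) filter (where not is_enrolled_in_2sv or not is_enforced_in_2sv) > 0
order by
  privileged_not_enrolled desc, not_enrolled desc, org_unit_path;
```

Run it in steampipe query or as an ad hoc powerpipe query; an OU that appears here with enrolled_not_enforced greater than zero is one where the Enforcement setting has not been applied, and any non-zero privileged_not_enrolled value should be treated as the first thing to fix.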