Tag Archives: identity

Disable SMS or voice codes for 2-Step Verification for more secure accounts

What’s changing 

We’re adding an option for admins to disable telephony options as 2-Step Verification methods for G Suite accounts in their domain. This option will prevent their users from using SMS and voice codes for 2-factor authentication.

Who’s impacted 

Admins only

Why you’d use it 

There are many forms of 2-Step Verification—from text (SMS) message codes, to the Google Authenticator app, to hardware second factors like security keys. And while any second factor will greatly improve the security of your account, we’ve long advocated the use of security keys for those who want the strongest account protection.

As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations. The present release does just that - admins get a policy that can enforce the use of multi-factor authentication without permitting SMS and voice verification codes. 

This new policy gives admins more control over the security methods used in their domain, and increases the security of user accounts and associated data.

How to get started 


  • Admins: Apply the new policy by changing the setting at Admin console > Security > Advanced security settings > Allowed two step verification methods
  • End users: No action needed unless admin changes configuration. 

2-factor authentication options in the G Suite Admin console 


Additional details


How users can configure 2-Step Verification once the policy is enforced 
Users with the new policy applied will not be able to add SMS or voice based codes as an option - either when enrolling in 2-Step Verification for the first time or later at myaccount.google.com. A user enrolling in 2-Step Verification for the first time will see the screen below. This first provides an option to set up Google Prompt, as well as ‘Choose another option’ which will let them add a Security Key instead.


Avoid user sign-in issues 
Users affected by the new policy who have SMS/Voice as the only 2SV method on their account will not be able to sign in. To avoid this lock-out situation, see our Help Center to get tips for how to ensure a smooth transition to an enforcement policy.
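The pre-enforcement check implied above, as an added example that is not from the original post or from Google: it flags users whose only enrolled 2SV methods are SMS or voice before the policy is applied to an OU. The CSV columns, the method labels, and the inclusion of child OUs in scope are assumptions made for illustration; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Methods the new policy disallows (per the announcement: SMS and voice codes).
TELEPHONY = {"sms", "voice"}

# Constructed sample export. Column names and method labels are assumptions,
# not a real Admin console or API format.
SAMPLE_EXPORT = """email,org_unit,enrolled_methods
ana@example.com,/Sales,sms
bo@example.com,/Sales,sms;voice
cy@example.com,/Sales,sms;security_key
di@example.com,/Sales/EMEA,google_prompt
ed@example.com,/Engineering,voice
fay@example.com,/Sales,
"""


def in_scope(org_unit, target_ou):
    """True if org_unit is target_ou or one of its children (assumed inheritance)."""
    ou = org_unit.rstrip("/") or "/"
    target = target_ou.rstrip("/") or "/"
    return target == "/" or ou == target or ou.startswith(target + "/")


def classify(methods):
    """Map a set of enrolled 2SV methods to a status under the new policy."""
    if not methods:
        return "not_enrolled"   # must enroll with an allowed method
    if methods <= TELEPHONY:
        return "lockout_risk"   # SMS/voice is the only 2SV method
    if methods & TELEPHONY:
        return "loses_method"   # keeps at least one non-telephony method
    return "ok"


def audit(export_text, target_ou):
    """Group in-scope users by status; returns {status: [email, ...]}."""
    report = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if not in_scope(row["org_unit"], target_ou):
            continue
        raw = (row["enrolled_methods"] or "").split(";")
        methods = {m.strip().lower() for m in raw if m.strip()}
        report[classify(methods)].append(row["email"])
    return dict(report)


if __name__ == "__main__":
    for status, users in sorted(audit(SAMPLE_EXPORT, "/Sales").items()):
        print(f"{status}: {', '.join(users)}")
```

Users reported as lockout_risk need another method added before the policy is enforced on their OU or group.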

Availability 

Rollout details 
G Suite editions 
Available to all G Suite editions

On/off by default? 
The new policy is not enabled by default. Admins need to explicitly choose to apply this policy on an OU/Group basis, like the other existing 2SV enforcement policies.

Secure LDAP now generally available to simplify the management of traditional applications

We’re making secure LDAP generally available. See our post on the Google Cloud Blog for the full announcement, or read a summary of what this means for G Suite organizations below.

Secure LDAP lets you manage access to traditional LDAP-based apps and IT infrastructure using the G Suite identity and access management (IAM) platform. This means organizations can use a single user directory to manage access to both SaaS apps and traditional LDAP-based apps and IT infrastructure, and users can use the same login credentials for more apps and services. The benefits to your organization can include:


  • Simpler administration: Manage applications and users in one place, decreasing complexity and cost for IT teams. 
  • Improved security: A single place to set up identity and access policies. 
  • Minimized legacy infrastructure: Reduce your dependency on legacy identity infrastructure such as Microsoft Active Directory. 


Using secure LDAP doesn’t change end user workflows—applications and IT infrastructure that use LDAP can be simply reconfigured to use the secure LDAP service.

Works with a wide range of apps and IT infrastructure 

Virtually any app that supports LDAP over SSL can work with secure LDAP, whether it’s hosted on-premises or in the cloud. We’re actively working with many companies to validate their apps for this use case, including Aruba Networks (HPE), Atlassian, itopia, JAMF, Jenkins (Cloudbees), OpenVPN, Papercut, pfSense (Netgate), Puppet, Softerra, Sophos, Splunk, and Synology.

For more information, see our Cloud Blog post on the announcement. You can also check out our Help Center for more details on how to get started with the secure LDAP service.

Launch Details 
Release track:
Launching to both Rapid Release and Scheduled Release

Editions: 
Available to G Suite Enterprise, G Suite Enterprise for Education, G Suite for Education, and Cloud Identity Premium editions only

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
Admins only

Action: 
Admin action suggested/FYI

More Information
Help Center: About the Secure LDAP service
Google Cloud Blog: Cloud Identity now provides access to traditional apps with secure LDAP


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Changes to the Google sign-in interface coming soon

Starting November 27th, 2018, we’ll make some small changes to the appearance of the Google sign-in page. These follow changes made earlier this year, which updated the sign-in page to match the Material Design principles used in other Google products.

Specifically, you might notice outlines around some entry fields, and changes to the spacing and styling of other text on both the web and mobile screens. The changes will start to take effect on November 27th and may take up to two weeks to reach all users.

See the new sign-in UI 

Sign-in page that will start rolling out on November 27, 2018

Sign-in page prior to November 27, 2018


Launch Details 
Release track:
Launching to both Rapid Release and Scheduled Release 

Editions: 
Available to all G Suite editions

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
All end users

Action: 
Change management suggested/FYI

Update: new Google sign-in screen launching this week

Last month, we announced a new look for the Google sign-in screen. Unfortunately, due to unforeseen delays, we’re now rolling out the new design this week, with some minor changes.

Going forward, you may notice that when you sign in to your G Suite account, the screen looks slightly different. Some of the changes include tweaks to the Google logo and center alignment of all items on the screen. See below for before and after images.

Previous Google sign-in screen

New Google sign-in screen


Please note that the outline around the text field (mentioned in our previous announcement) will appear in the coming months.

We apologize for any inconvenience this delay and change may have caused.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI


A new look for Google sign-in screens on June 14th

In 2014, we introduced Material Design, a visual language that helps developers create intuitive and beautiful products. Since then, we’ve steadily updated our G Suite apps to adhere to Material principles. Next week, we’ll bring this same design to Google sign-in screens.

Starting on June 14th, 2018, you may notice that when you sign in to your G Suite account, the screen looks slightly different. Some of the changes will include tweaks to the Google logo, an outline around the text field, and center alignment of all items on the screen. See below for before and after images.

Current Google sign-in screen with left-aligned text

New Google sign-in screen with center-aligned text

If necessary, please provide your users advance notice of these changes.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release on June 14th, 2018

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI


Coming May 7th, 2018: A more secure sign-in flow on Chrome

If your organization uses SAML to sign users in to G Suite services*, those users will soon see an additional step in the process when using Chrome as their web browser. Starting on May 7th, 2018, after signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen will provide an additional layer of security and help prevent users from unknowingly signing in to an account created and controlled by an attacker.


To minimize disruption for the user, this feature will only be shown once per account per device. We’re working on ways to make the feature even more context-aware in the future, meaning your users should see the screen less and less over time.

Protecting against phishing attacks
This new screen is intended to prevent would-be attackers from tricking a user (e.g. via a phishing campaign) into clicking a link that would instantly and silently sign them in to a Google Account the attacker controls. Today, this can be done via SAML single sign-on (SSO), because it doesn’t require a user interaction to complete a sign-in. To protect Chrome users, we’ve added this extra protection.

Creating a consistent identity
This new security feature is part of a larger project to create a consistent identity across Google web services (like Gmail) and native Chrome browser services (like Chrome Sync). This consistency will make it easier for signed-in G Suite users to take advantage of native Chrome browser features, but it requires additional protection during authentication. This new screen adds that protection and reduces the probability that attackers successfully abuse SAML SSO to sign users in to malicious accounts.

Disabling the new screen
If you wish to disable the new screen for your organization, you can use the X-GoogApps-AllowedDomains HTTP header to identify specific domains whose users can access Google services. Users in those domains won’t see this additional screen, as we assume those accounts are trusted by your users. This header can be set in Chrome via the AllowedDomainsForApps group policy.


*This won't impact individuals who sign in to G Suite services directly and those who use G Suite or Cloud Identity as their identity provider. The screen is also not shown on devices running Chrome OS.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release on May 7th, 2018

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI


Receive Google prompts on iOS devices via the Gmail app

In 2017, we made Google prompt the primary choice for G Suite users turning on two-step verification for the first time. Back then, we noted that users with iOS devices would need to install the Google app in order to use the feature. Today, we’re making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account.


Note that if users have both the Google and Gmail app installed on their iOS device, they’ll see prompts from Gmail.

For more information, visit the Help Center.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: Sign in faster with 2-Step Verification phone prompts

Making Google prompt the primary choice for 2-Step Verification

In July, we began inviting users to try Google prompt as their 2-Step Verification (2SV) method, instead of SMS text messages. Google prompt is an easier and more secure method of authenticating an account, and it respects mobile policies enforced on employee devices.


With that in mind, we’re now making Google prompt the first choice when users turn on 2SV (previously, SMS was the primary choice). Once 2SV is enabled, users will still have the option to set up SMS, the Google Authenticator app, backup codes, or Security Keys as their alternative second step.


This will only impact users who have not yet set up 2SV. Current 2SV users' settings will be unaffected. In addition, if a user attempts to set up 2SV but doesn’t have a compatible mobile device, they will be prompted to use SMS as their authentication method instead.

Users can set up 2SV from their My Account page.

A few things to note:
  • A data connection is required to use Google prompt.
  • Users with iOS devices will need to install the Google app in order to use Google prompt.
  • G Suite Enterprise domains can choose to enforce Security Keys to meet more advanced security requirements.


Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: Sign in faster with 2-Step Verification phone prompts


Increasing user undeletion window to 20 days

In response to a top ask from G Suite admins, we’re now increasing the window of time to restore a deleted user from five to 20 days. This extended window can be especially helpful for customers who manage user accounts through an API or other automated sync tools.

Please note, only those with super admin permissions can restore a deleted user’s account. For the steps on how to restore a user in the Admin console, check out this Help Center article.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Full rollout (1–3 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Restore a recently deleted user

8 swift steps G Suite admins can take to secure business data

(Cross-posted from The Keyword)

Security doesn’t have to be complicated. With G Suite, admins can manage and help protect their users with minimal effort because we've designed our tools to be intuitive—like Vault, which helps with eDiscovery and audit needs, and data loss prevention, which helps ensure that your “aha” moments stay yours. Here are some key security controls that you can deploy with just a few clicks to get more fine-grained control of your organization's security.

1. Enable Hangouts out-of-domain warnings
If your business allows employees to chat with external users on Hangouts, turn on a setting that will show warnings to your users if anyone outside of your domain tries to join a Hangout, and split existing group chats so external users can’t see previous internal conversations. This substantially reduces the risk of data leaks or falling prey to social engineering attacks. (Admin console > Apps > G Suite > Google Hangouts > Chat settings > Sharing options)


2. Disable email forwarding
Exercising this option will disable the automatic email forwarding feature for users, which in turn helps reduce the risk of data exfiltration in the event a user’s credentials are compromised. (Admin console > Apps > G Suite > Gmail > Advanced settings)



3. Enable early phishing detection
Enabling this option adds further checks on potentially suspicious emails prior to delivery. Early phishing detection utilizes a dedicated machine learning model that selectively delays messages to perform rigorous phishing analysis. Less than 0.05 percent of messages on average get delayed by a few minutes, so your users will still get their information fast. (Admin console > Apps > G Suite > Gmail > Advanced settings)


4. Examine OAuth-based access to third-party apps
OAuth apps whitelisting helps keep company data safe by letting you specifically select which third-party apps are allowed to access users’ G Suite data. Once an app is part of a whitelist, users can choose to grant authorized access to their G Suite apps data. This helps to prevent malicious apps from tricking people into accidentally granting access to corporate data. (Admin console > Security > G Suite API Permissions)


5. Check that unintended external reply warning for Gmail is turned on
Gmail can display unintended external reply warnings to users to help prevent data loss. You can enable this option to ensure that if your users try to respond to someone outside of your company domain, they’ll receive a quick warning to make sure they intended to send that email. Because Gmail has contextual intelligence, it knows if the recipient is an existing contact or someone your users interact with regularly, so it only displays relevant warnings. This option is on by default. (Admin console > Apps > G Suite > Gmail > Advanced settings)


6. Restrict external calendar
To reduce the incidence of data leaks, make sure that Google Calendar details aren’t shared outside your domain. Limiting sharing to “free” or “busy” information protects you from social engineering attacks that depend on gleaning information from meeting titles and attendees. (Admin console > Apps > G Suite > Calendar > Sharing settings)


7. Limit access to Google Groups
By setting default Google group access to private, you can limit external access to information channels that may contain confidential business information, like upcoming projects. (Admin console > Apps > G Suite > Groups for Business > Sharing settings)


8. Set Google+ access restrictions
Make the default sharing setting for Google+ restricted and disable discoverability of Google+ profiles outside your domain. Both of these actions can help you control access to critical business information. (Admin console > Apps > G Suite > Google+ > Advanced settings)





Every company has its own unique set of business requirements that need to work in rhythm with its security requirements. By evaluating and implementing some of these suggested security controls, you can make a marked difference in your company’s security posture—with just a few clicks. See this post for other security tips.

