Stronger Admin console protection with risk-based re-authentication challenges

What’s changing 

In August 2022, we announced strengthened safeguards for sensitive actions taken in your Google Workspace end users accounts. Specifically, this update protected users from bad actors taking over accounts via cookie theft. Beginning today, we’re extending this protection to the Admin console. 


Currently, the Admin console prompts users to re-authenticate every hour. We are extending our current protections with additional signals to detect potential cookie theft. If a risky session is detected, we will issue extra challenges such as mobile notifications or the use of a security key. Once the user has successfully verified, they’ll be directed back to the admin page they came from. 



Who’s impacted 

Admins 


Why it’s important 

This added layer of security helps to intercept bad actors who have gained access to the Admin console using a stolen cookie. Cookie theft is a session hijacking technique whereby accounts can be accessed by exploiting cookies stored in the browser. 


The additional “Verify it’s you” challenges help ensure only authorized users are accessing your organization’s sensitive information and data, preventing bad actors from taking damaging actors. Further, these challenge attempts will be logged as Admin log events allowing for further admin investigation. 



Additional details 

To avoid situations where a bad actor has a cookie that marks a device as trusted, admins can configure a device to be trusted based upon login. 




If an admin gets legitimately stuck trying to access the Admin console, other admins can temporarily turn off login challenges, including additional log-in challenges. We strongly recommend only using this option if contact with the user is credibly established, such as via a video call. 



Getting started 


Rollout pace 


Availability 

  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers 

Resources