Tag Archives: Accounts

Coming May 7th, 2018: A more secure sign-in flow on Chrome

If your organization uses SAML to sign users in to G Suite services*, those users will soon see an additional step in the process when using Chrome as their web browser. Starting on May 7th, 2018, after signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen will provide an additional layer of security and help prevent users from unknowingly signing in to an account created and controlled by an attacker.


To minimize disruption for the user, this feature will only be shown once per account per device. We’re working on ways to make the feature even more context-aware in the future, meaning your users should see the screen less and less over time.

Protecting against phishing attacks
This new screen is intended to prevent would-be attackers from tricking a user (e.g. via a phishing campaign) into clicking a link that would instantly and silently sign them in to a Google Account the attacker controls. Today, this can be done via SAML single sign-on (SSO), because it doesn’t require a user interaction to complete a sign-in. To protect Chrome users, we’ve added this extra protection.

Creating a consistent identity
This new security feature is part of a larger project to create a consistent identity across Google web services (like Gmail) and native Chrome browser services (like Chrome Sync). This consistency will make it easier for signed-in G Suite users to take advantage of native Chrome browser features, but it requires additional protection during authentication. This new screen adds that protection and reduces the probability that attackers successfully abuse SAML SSO to sign users in to malicious accounts.

Disabling the new screen
If you wish to disable the new screen for your organization, you can use the X-GoogApps-AllowedDomains HTTP header to identify specific domains whose users can access Google services. Users in those domains won’t see this additional screen, as we assume those accounts are trusted by your users. This header can be set in Chrome via the AllowedDomainsForApps group policy.


*This won't impact individuals who sign in to G Suite services directly and those who use G Suite or Cloud Identity as their identity provider. The screen is also not shown on devices running Chrome OS.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release on May 7th, 2018

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Receive Google prompts on iOS devices via the Gmail app

In 2017, we made Google prompt the primary choice for G Suite users turning on two-step verification for the first time. Back then, we noted that users with iOS devices would need to install the Google app in order to use the feature. Today, we’re making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account.


Note that if users have both the Google and Gmail app installed on their iOS device, they’ll see prompts from Gmail.

For more information, visit the Help Center.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: Sign in faster with 2-Step Verification phone prompts


Increasing user undeletion window to 20 days

In response to a top ask from G Suite admins, we’re increasing the window of time to restore a deleted user from five to 20 days. This extended window can be especially helpful for customers who manage user accounts through an API or other automated sync tools.

Please note, only those with super admin permissions can restore a deleted user’s account. For the steps on how to restore a user in the Admin console, check out this Help Center article.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Full rollout (1–3 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Restore a recently deleted user


Better experience for SMS 2-Step Verification users with Google prompt

In February 2017, we revamped Google prompt for 2-Step Verification (2-SV), giving users a better option to keep their accounts safe. In addition to offering 2-SV over an encrypted connection, Google prompt also allows users to block unauthorized access to their account with real-time security information about the login attempt.

Starting next week, 2-SV SMS users will see an invitation to try Google prompts when they sign in. The invitation will give users a way to preview the new Google prompts sign-in flow instead of SMS and, afterward, choose whether to keep it enabled or opt out.

Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection.

Notes:
  • The notifications to test Google prompts will be shown only to 2-SV SMS users. Security key users are unaffected by this change.
  • A data connection is required to use Google prompt.
  • iOS users will need the Google Search app installed on their phone to use Google prompt.
  • Enterprise edition domains also have the ability to enforce security keys for more advanced security requirements.
  • While users may opt out of using phone prompts when shown the promotion, users will receive follow-up notifications to switch after 6 months.

Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: Sign in faster with 2-Step Verification phone prompts

Enterprise Identity made easy in G Suite with Cloud Identity

Posted by Zack Ontiveros, Product Manager, Google Cloud Identity

As an IT administrator, you want to be confident that your users are secure when accessing online services. Millions of G Suite customers already rely on Google Cloud's identity services to secure their online identities with tools like single sign-on, multi-factor authentication, and mobile device management. However, many G Suite organizations have users who do not require G Suite but still need a secure, online identity.

Introducing Cloud Identity support in G Suite
Today we are happy to announce the availability of a new free Cloud Identity license for G Suite customers, which enables your non-G Suite users to get access to Google Cloud's identity services. Using Cloud Identity, you can easily create a unified sign-on for all your users across all enterprise cloud apps, set basic mobile device policies, and enforce multi-factor authentication with security keys.

Once you enable Cloud Identity in your Google Admin console, you will be able to create Cloud Identity users in all the ways you create G Suite users; the only difference is that you will not assign these users a G Suite license.



Try it today
To start using Cloud Identity, head to the Billing page in the Google Admin console. Here you will see a new Cloud Identity card under the "Enable Products" section. Once you enable the Cloud Identity subscription, you will be able to start creating free users without G Suite. For more information, check out our Getting Started Guide for G Suite admins.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release
Note: If your domain has been provisioned or you have a billing relationship with a G Suite reseller, an onboarding flow is planned so that your reseller can add Cloud Identity subscriptions to your G Suite domain. This feature will launch in the coming weeks.

Editions:
Available to G Suite Basic, Business, and Enterprise edition domains

Rollout pace:
Gradual rollout (up to 7 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center

In addition to other apps, G Suite administrators can now automatically provision users to Asana, Dialpad, Freshdesk, Lucidchart, RingCentral, and Smartsheet

When auto-provisioning is enabled for a supported third-party application, any users created, modified, or deleted in G Suite are automatically added, edited, or deleted in the third-party application as well. This feature is highly popular with admins, as it removes the overhead of managing users across multiple third-party SaaS applications.

Today we’re adding auto-provisioning support for six new applications: Asana, Dialpad, Freshdesk, Lucidchart, RingCentral, and Smartsheet. We previously launched auto-provisioning support for Box Enterprise, Salesforce Sandbox, Salesforce, Slack, and Workplace by Facebook, bringing the total number of supported applications to 11.

G Suite Business, Education, and Enterprise customers can enable auto-provisioning for all eight supported applications. G Suite Basic, Government, and Nonprofit customers can configure auto-provisioning for up to three applications from the supported list. For specific details on how to set up auto-provisioning, check out the Help Center.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:

  • G Suite Basic, Government, and Nonprofit customers can enable auto-provisioning for up to three applications
  • G Suite Education, Business, and Enterprise customers can enable auto-provisioning for all supported applications


Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Automated user provisioning (instructions for Smartsheet, Dialpad, and RingCentral to be added soon)
Help Center: Using SAML to set up federated SSO



Upcoming changes to Brazilian account recovery and 2SV phone numbers for G Suite users

As the number of global mobile phone users continues to grow, countries have begun modifying their existing telephone numbering plans in order to expand the set of available phone numbers. When this happens, all impacted phone users gain a modified or appended digit on their mobile or landline phone numbers. After a period of time, their old numbers are no longer able to receive messages or calls.

As announced by ANATEL, Brazil recently completed a modification to its telephone numbering plan and affected numbers now contain an extra digit.

To prevent G Suite users with affected Brazilian phone numbers from being locked out of their accounts, Google will be updating their account recovery and two-step verification (2SV) phone numbers to include the extra digit in the coming weeks. These numbers will be updated based on the scheme published by the International Telecommunications Union (ITU). No action is required on the part of the user, and they will receive email and phone notifications describing the changes, including their updated numbers. Note that users can update their phone numbers anytime in their phone number or two-step verification settings.

Moving forward, to ensure continued access to accounts, Google plans to continue to make these modifications on behalf of G Suite users when they are impacted by changes to telephone numbering plans in their countries.

Launch Details
Release track:
Launching to both Rapid release and Scheduled release in the coming weeks. Please monitor the G Suite release calendar for specific timing.

Editions:
Applicable to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
All end users with impacted Brazilian phone numbers

Action:
Change management suggested/FYI



Update: Refreshing the Google Accounts login page

We previously announced that a new Google Accounts login page, aimed at giving users an improved experience to sign in to their accounts across devices, would start slowly rolling out on April 5, 2017.

Based on customer feedback, we’ve decided to push the start of that rollout back to April 10, 2017, so we can further clarify how this change will impact G Suite customers.

What’s changing for all G Suite customers
The Google Accounts login page will have a new look and feel, consistent across computers, phones, and tablets. The rollout will start with a small set of users on April 10 and ramp up slowly over the course of several weeks.


Additional changes for customers not using a third-party SSO provider
In addition to the design changes described above, the new Google Accounts login page will also remove the “Stay signed in” checkbox that at certain times appeared for G Suite customers who did not use a third-party SSO provider.


We learned that users didn’t fully understand the implications of interacting with the "Stay signed in" checkbox across all browsers. To mitigate confusion, we're removing the checkbox and users will remain signed in unless they specifically sign out. When using shared or public devices, we recommend using private browsing windows.

Additional changes for customers using a third-party SSO provider when accessing third-party applications

If you’re using a third-party SSO provider to access Google applications, such as Gmail, Calendar, Drive, etc., your G Suite users will not see any differences apart from the newly designed Google Accounts login page described above.

If you’re using a third-party SSO provider to access third-party applications, your G Suite users will see an additional account selection page when they log in. This page will make it clear to them which account they’re authenticating, as well as the permissions they’re granting to applications.


Your G Suite users will be shown the account selection page either before or after being redirected to the third-party application, depending on whether they’re signed in to their browser and the specific third-party application they’re accessing. Please refer to the FAQ below for more details on when the account selection page will be shown.

Additional questions are addressed in the FAQ below.

-- Frequently Asked Questions --

Does this impact G Suite customers who are using Google as their identity provider?
If you’re a G Suite customer whose identity provider is Google, the only change you’ll see is the redesigned Google Accounts login page.

Which third-party SSO providers are included in this launch?
All third-party SSO providers, including Active Directory Federation Services (ADFS) SSO, will use this new Google Accounts login flow.

When will G Suite users see the additional account selection page?
The account selection page will not be shown in either of these cases:
  • when G Suite users are accessing Google applications such as Gmail, Calendar, Drive, etc.
  • if you don’t use a third-party SSO provider.
For customers using third-party SSO providers and accessing third-party applications, the account selection page will be shown in the situations below.

If there are accounts already signed in to the browser:
  • G Suite users will simply be required to confirm the G Suite account that they would like to use before being redirected to the third-party SSO provider, as illustrated in the post above.

If there are no accounts already signed in to the browser:
  • If the third-party application has set the domain hint (“hd”) parameter, the user will be redirected to the third-party SSO provider and the account selection page will be shown with the G Suite account that is returned.
  • If the third-party application has not set the "hd" parameter, the user must enter the account they would like to use prior to being redirected to the third-party SSO provider.
For more details on the “hd” parameter, please refer to the Google Developers Blog post or reference the developer documentation directly.

Will I need to confirm my account and grant the requested permissions every time I log in to a third-party application with a third-party SSO provider?
After being prompted to confirm the correct Google account and granting the requested permissions upon initial login, only the account selection page will be shown again upon subsequent login attempts.

How can I remove my account from the account selection page?
G Suite accounts can be removed from the account selection page by clicking the “Remove an account” link.


Are all browsers impacted?
Yes, newer versions of all supported browsers will have this change applied, including Chrome, Firefox, IE, Edge, Safari, and Opera.

Users of older browsers or those browsers that do not have JavaScript enabled will temporarily continue to see the old Google Accounts login page.

When will my users see these changes?
The rollout will start on Monday, April 10, to a small set of users. It will ramp up slowly over the course of several weeks.




Refreshing the Google Accounts login page

Starting April 5, 2017, we’re rolling out an update to the Google Accounts sign-in page to give users an improved experience to securely sign in to their accounts. This new design will make browser sign-in flows consistent across computers, phones and tablets.

If you use third-party applications within your organization, or you use a third-party Single Sign-on (SSO) provider, we recommend contacting your developer(s) or SSO provider to see if any updates are necessary. To learn more, visit today’s G Suite Developer blog post.

Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Learn about the new Google sign-in page
G Suite Developers Blog



G Suite users can now rename their Security Keys

Security Keys are a two-step verification (2SV) method for signing into G Suite accounts that helps keep users secure from phishing attempts. Starting today, if your users have multiple Security Keys, they can rename those Security Keys to make them easier to manage. This was a common request from power users, and we’re happy to make it available. To take advantage of this feature, users who have already added Security Keys can visit their Two-Step Verification settings.


To learn more about all of G Suite’s security offerings, see our recently updated G Suite Security & Privacy page.


Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Editions:
Available to all G Suite editions

Rollout pace:
Full rollout (1-3 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI