Multi-factor authentication (MFA) is the process of adding additional security, often in the form of a physical device or unique key, when logging into your accounts. Google and G Suite accounts (now renamed "Google Workspace") make MFA available through their own application called Google Authenticator, but it can also be achieved through third-party apps like Authy or 1Password, among others.
MFA is important as it blocks access to a user account even when credentials have been stolen. It is also easy and free to implement on G Suite.
Users can control and enable MFA on their own accounts but a much better approach is for your G Suite administrator to enforce MFA centrally at the organization level through the G Suite admin panel.
To enforce MFA for all user accounts for which you are an administrator, follow these steps:
Authenticate into your admin panel at admin.google.com. Choose the Security Icon.
Google calls their MFA setting 2 Step Verification or 2SV, which you’ll see at the top of the basic admin list inside security settings.
Make sure the checkbox for “Allow users to turn on 2-step verification” is selected. Then click on “Go to advanced settings to enforce 2-step verification >>.”
To start, your settings will look like this:
You can choose to start enforcement on a specific date or turn it on now. Turning it on now will lock out any existing users who do not currently have 2SV turned on. That’s why Google makes the next setting available which gives your users a window of time to enable it.
In the next setting, you’ll be able to select the methods your users can employ for 2SV.
The final setting is the frequency with which your account will require authentication. The first setting is default and it allows users to tell Google to trust the device they use for 2-step verification for a period of time before they need to re-authenticate.
The default period of time is 30 days, after which the user will be forced to re-authenticate a single device when they log in. Currently, this time period cannot be edited – it is set by Google.
The second radio button “Do not allow…” will force your users to re-authenticate with 2SV every time they login.
When you’re done with the settings, click “SAVE” and you’ll be returned to your authentication settings screen.