Categories
Work Better with Google Workspace

Stop users from using phones as Multi-Factor Authentication

We want to require our employees to use more secure methods of Multi-Factor Authentication and disable the SMS/Phone Call 2-factor option. How can we remove our users phone number from their list of 2nd factors, or force them to enroll a new 2nd factor?

Getting Started 

Ok, so firstly I’m assuming that you’re not already enforcing multi-factor authentication (2-Step verification) and that no-one has voluntarily turned it on.

If you think that some people might have turned it on already then I’ll show you how to re-set that later in this post.

Also, you’ll want to do this outside of normal working hours as there may be some disruption to people’s accounts initially!

Step 1: Set yourself up first

First you’re going to set up Multi-Factor Authentication for yourself as the super administrator.

Go to your Google account / Security. Click on one of the options below the How you Sign into Google section. I’d recommend ‘Authenticator’. 

Choose authenticator app

Follow the steps to set up Authenticator as your Multi-Factor Authentication option.

Once you’ve added the authenticator app,  make sure you turn on 2-Step verification – there’s two buttons you need to click!

Step 2: Enforce 2-Step Verification (Multi-Factor Authentication)

Return to the Admin Console and go to Security / Authentication / 2 Step verification 

Click in the radio button next to Enforcement On from and enter a date – probably the next working day.

Enforce from a particular date

Then under Methods click next to Any except verification codes via text, phone call.

Set method of verification

Click on Save.

Step 3: Re-set logins for everyone

Now you’re going to force people to sign in and set up Multi-factor authentication the next time they log in.

Go to Admin Console / Directory and then Users.

Click on each user in turn, go to the Security tab, and reset the sign-in cookies to sign them out of their account.

Re set cookies

While you’re there, remove the recovery phone number if they have one, just to ensure stronger security and less likelihood of issues with text messages.

Step 4: Remove previous enrollments

Remember how I said earlier you could re-set their multi-factor authentication status? This is where you do it. If they’re already enrolled click on the pencil icon next to 2-step verification and change the status to Off.

Turn off previous enrollment

Now, when your users next log in, they’ll be prompted to Enroll in 2 Step verification and when they do, the only options they’ll be given will be Passkeys / Security Keys or the Authenticator app.

User must enrol

Want more personalised help?

I hope this article was of assistance to you, but if you want more personalised help with your Google Workspace issue then why not get in touch?

Leave a Reply

Your email address will not be published. Required fields are marked *