How to secure your Google Cloud login

Whether you’re an IT executive or an administrator in charge of operations, understanding Google’s security tools and built-in protections can go a long way in helping ensure your cloud journey is secure and effective.

To successfully protect your organisation’s data in the cloud, it’s important to first secure users’ identities. In this post, we look at two important account security features that can help you protect user accounts from bad actors:

1. Google’s automatic protections that work during login.
2. Two-step verification (2SV), also known as two-factor authentication (2FA) or multi-factor authentication (MFA).

Why do we need these protections? 

Passwords are often the first and last defence for users but they aren’t foolproof for a few reasons: 

1. People use common words that can be easily guessed such as abc123, Password, 123456, Iloveyou and more.
2. People reuse passwords across services or devices, which opens up disproportionate trouble if just one is compromised.
3. People can be easily tricked into sharing passwords with fraudulent sites.

In short, passwords have pitfalls. So IT leaders should make sure to educate users and use the right tools to mitigate issues if they happen.

Google’s automatic protections

Apart from basic defences like blocking brute force attacks, Google also employs sophisticated risk models built-in in our products to assess if a login event is legitimate or not. If the risk engine determines that an attempt is suspicious (for example, the login happens from a new location or device), it will ask for additional proof to ensure the right user is logging in. This in done by offering login challenges which ask the user to confirm their identity from a trusted phone or to answer a question. There are a variety of login challenges including device challenges, email challenges and employee ID challenges.

The best part of this approach is that Google only presents a login challenge to users if the login attempt is deemed risky. Google’s security tools are smart enough to know when to verify identity like if you’re logging in to a new device or from a new location. This feature is often referred to as “adaptive MFA” in the industry and it can help increase security without unnecessarily burdening users. 

Two-factor authentication (or 2FA/2SV)

While risk-based challenges are effective against many kinds of attacks, Google recommends the use of 2SV for greater assurance and protection against more sophisticated attacks. When 2SV is used, a user is required to authenticate in two steps: 

1. Using something they know, like a password and 
2. Using something they have, such as a code or a hardware device.

Google supports a number of convenient 2SV methods. There are three 2SV categories based on their security characteristics: 

1. Phishing-resistant security keys: Security keys, like Google’s Titan Security Keys or your Android phone, are a form of 2SV that is designed to be resistant to phishing. They are built to the industry standard FIDO protocols. They work with the browser and use cryptographic assertions to ensure that users are authenticating only on legitimate sites. Google recommends use of security keys for all users if feasible and at a minimum for your highest-risk users, like super admins, executives and employees working with sensitive information.
2. Other 2SV methods: Backup codes, TOTP compliant apps (e.g. Google Authenticator), and mobile push (e.g. Google Prompt), are options within this next security level. These methods provide good protection for most users but they are not as effective as security keys because they can be vulnerable to some sophisticated phishing attempts. For your users at the highest-risk or most privileged users, Google highly recommend to use security keys and ideally, enrol in the Advanced Protection Program for the enterprise.
3. SMS or voice codes: While SMS and voice codes have an advantage because most users are already familiar with how they work, these codes are the least secure of the available 2SV methods. Google recommends avoiding SMS or voice codes if any of the other 2SV methods are feasible. 

Keep these tips in mind as you’re setting up secure infrastructure for your users:

1. Passwords can be problematic; lean on Google tools to help enforce password hygiene. 
2. Ensure there’s metadata logged on your users’ accounts such as a recovery phone or employee ID so that they can be used if risky logins are detected.
3. For greater assurance, require 2SV usage for all users.
4. Any 2SV is better than no 2SV. However, remember that not all 2SV methods are the same. 
5. Google recommends the use of security keys for everyone, especially your highest-risk users such as administrators, privileged GCP users and executives.
6. Even if you use your own SAML IdP, you can now benefit from Google’s risk-based login challenges and modern 2SV stack.