Enable Multi-Factor Authentication for User Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CloudIAM-005

Ensure that Multi-Factor Authentication (also known as 2-Step Verification or 2SV) is enabled for all user accounts in order to help protect the access to your Google Cloud Platform (GCP) resources, applications and data. MFA/2SV provides an additional layer of security on top of existing user account credentials (i.e. email address and password). By requiring more than one mechanism to authenticate a user, MFA/2SV protects the user login from attackers exploiting stolen or weak credentials. Google provides several verification methods such as mobile device push notifications, hardware security keys, Google Authenticator codes, text messages or phone call verification.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

When Multi-Factor Authentication/2-Step Verification is enabled, the user has to present at least two separate forms of authentication before access is granted. An MFA/2SV-protected user account is an efficient way to safeguard your Google Cloud Platform (GCP) resources against malicious actors, because an attacker would have to compromise at least two different authentication factors to gain access, which significantly reduces the risk of a successful attack.


Audit

To determine if MFA/2SV is enabled for GCP user accounts, perform the following actions:

Note: Getting the 2-Step Verification feature status using GCP Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select to view by PRINCIPALS to list the user accounts created for the selected project.

06 Copy the email address of the user account that you want to examine.

07 Navigate to Google Account console at https://myaccount.google.com and sign in using the email address copied at the previous step to access the appropriate user account.

08 In the navigation bar, select Security.

09 On the Security page, in the Signing in to Google section, check the status of the 2-Step Verification setting. If the status is set to Off, Multi-Factor Authentication (also known as 2-Step Verification) is not enabled, therefore the authentication process for the selected GCP user account is not MFA-protected.

10 Repeat steps no. 6 – 9 for each user account that you want to examine, created for the selected GCP project.

11 Repeat steps no. 2 – 10 for each Google Cloud Platform (GCP) project available in your account.
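Because the 2SV status itself cannot be read through the CLI, the audit above is done per account in the console. The following Python helper is an added example, not part of this Conformity rule page or of the Conformity tool: it extracts the user principals from a project's IAM policy (as exported with `gcloud projects get-iam-policy PROJECT --format=json`, steps 4 and 5 above) and flags the accounts whose 2SV status is Off or unknown. The policy document, the account names and the 2SV status map are constructed for this example; the status map stands in for what you read per account in step 9.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# output; the project, principals and etag are made up for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:Bob@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com",
                     "group:devs@example.com",
                     "deleted:user:carol@example.com?uid=123"]},
    ],
    "etag": "BwXYZ",
    "version": 1,
})

# Constructed 2SV status per account, standing in for the Off/On value
# shown under Signing in to Google in audit step 9.
SAMPLE_2SV_STATUS = {
    "alice@example.com": True,
    "bob@example.com": False,
}


def user_principals(policy_json):
    """Return the distinct, active user accounts bound in an IAM policy.

    Service accounts, groups and domains are skipped: they are not user
    accounts that can enrol in 2SV. Deleted members (prefix
    'deleted:user:') no longer have access and are skipped as well.
    """
    policy = json.loads(policy_json)
    users = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("user:"):
                users.add(member[len("user:"):].lower())
    return sorted(users)


def accounts_without_2sv(policy_json, sv_status):
    """List bound users whose 2SV status is Off or not recorded at all,
    so an account you have not yet verified is never reported as compliant."""
    return [u for u in user_principals(policy_json)
            if not sv_status.get(u, False)]


if __name__ == "__main__":
    for user in accounts_without_2sv(SAMPLE_POLICY, SAMPLE_2SV_STATUS):
        print(f"NOT MFA-protected: {user}")
```

Run it against each project's exported policy and the status values collected in step 9; the list it prints is the set of accounts to remediate.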

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) for your Google Cloud Platform (GCP) user accounts, perform the following actions:

Note: Enabling the Multi-Factor Authentication feature for GCP user accounts using the Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Navigate to Google Account console at https://myaccount.google.com and sign in using the access credentials of the Google Cloud user account that you want to reconfigure (see Audit section to identify the right user account).

02 In the navigation bar, select Security.

03 On the Security page, in the Signing in to Google section, click on the 2-Step Verification tab to initiate the 2SV setup process.

04 On the 2-Step Verification page, click GET STARTED, and perform the following:

  1. For Step 1 of 3, provide the phone number that you want to use as your second verification step and choose one of the available verification methods: text message (SMS), phone call, a hardware security key or a Google prompt on your mobile phone. For example, this conformity rule uses Text message as the MFA/2SV verification method. Click NEXT to continue the setup process.
  2. For Step 2 of 3, enter the 6-digit code sent to the phone number selected at the previous step, to confirm the verification method used. Click NEXT to continue.
  3. For Step 3 of 3, click TURN ON to enable Multi-Factor Authentication/2-Step Verification for the selected GCP user account.

05 (Optional) Backups help you get back into your GCP account if you lose your phone, you forget your password, or you can't sign in for another reason. To avoid getting locked out of your GCP account, set up additional backup steps so you can sign in when other options aren't available anymore. On the 2-Step Verification configuration page, choose at least one additional second step from the Add more second steps to verify it's you list. For example, click ADD PHONE under Backup phone to add a backup phone so you can still sign in if you lose your primary phone.

06 (Optional) You can also set up a recovery email address. If you forget your password or someone else is using your GCP user account, having a recovery email address can help you get your account back. To add or update a recovery email address, perform the following:

  1. In the navigation bar, select Personal info.
  2. On the Personal info page, choose the Contact info tab, then click on Recovery email.
  3. On the Recovery email page, add or update your recovery email address, then click DONE to confirm your action.

07 Repeat steps no. 1 – 6 for each user account, created for the selected GCP project, for which you want to enable MFA/2SV.

08 Repeat steps no. 1 – 7 for each Google Cloud Platform (GCP) project available within your account.

Publication date Feb 4, 2021