Enable Multi-Factor Authentication for User Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Multi-Factor Authentication (also known as 2-Step Verification or 2SV) is enabled for all user accounts in order to help protect access to your Google Cloud Platform (GCP) resources, applications and data. MFA/2SV provides an additional layer of security on top of existing user account credentials (i.e. email address and password). By requiring more than one mechanism to authenticate a user, MFA/2SV protects the user login from attackers exploiting stolen or weak credentials. Google provides several verification methods such as mobile device push notifications, hardware security keys, Google Authenticator codes, text messages or phone call verification.

Security

When Multi-Factor Authentication/2-Step Verification is enabled, the user must present a minimum of two separate forms of authorization before access is granted. Having an MFA/2SV-protected user account is an efficient way to safeguard your Google Cloud Platform (GCP) resources against malicious actors, as attackers would have to compromise at least two different authentication methods in order to gain access, which significantly reduces the risk of attack.


Audit

To determine if MFA/2SV is enabled for GCP user accounts, perform the following operations:

Note: Getting the 2-Step Verification feature status using GCP Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select VIEW BY PRINCIPALS to list the user accounts created for the selected project.

06 Copy the email address of the user account that you want to examine, available in the Principal column.

07 Navigate to Google Account console at https://myaccount.google.com and sign in using the email address copied at the previous step to access the user account.

08 In the navigation bar, select Security.

09 On the Security page, in the How you sign in to Google section, check the 2-Step Verification setting status. If the status reads 2-Step Verification is off, Multi-Factor Authentication (MFA) is not enabled, and therefore the authentication process for the selected Google Cloud user account is not MFA-protected.

10 Repeat steps no. 6 – 9 for each user account that you want to examine, available for the selected GCP project.

11 Repeat steps no. 2 – 10 for each Google Cloud Platform (GCP) project available in your account.
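The audit above is a per-account check in the Google Account console, and the page notes that the 2-Step Verification status cannot be read through the gcloud CLI. The following is an added example (not code from the Conformity page) that goes one step further for organisations whose users are managed in Google Workspace or Cloud Identity: it takes a project IAM policy shaped like the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`, extracts the `user:` principals (the same list the VIEW BY PRINCIPALS tab shows in step 5), and joins them against Admin SDK Directory API user records, whose read-only `isEnrolledIn2Sv` and `isEnforcedIn2Sv` fields report 2SV status. Both inputs here are constructed samples; accounts with no directory record (for example a consumer Gmail address granted a project role) are reported as "unknown" and still have to be checked manually with steps 7 to 9. The severity ranking by role is this example's own choice, not something the page defines.

```python
"""Audit 2-Step Verification (2SV) status for the user principals of a GCP project.

Added example, not code from the Conformity page. Assumptions:
- PROJECT_IAM_POLICY is a constructed sample shaped like the JSON that
  `gcloud projects get-iam-policy PROJECT_ID --format=json` prints.
- DIRECTORY_USERS is a constructed sample shaped like `users` entries returned by
  the Admin SDK Directory API users.list call; the read-only fields
  isEnrolledIn2Sv / isEnforcedIn2Sv exist only for Workspace or Cloud Identity
  managed accounts.
"""
from __future__ import annotations

# Constructed sample: IAM policy for one project (the data behind the console's
# VIEW BY PRINCIPALS tab in the Audit steps).
PROJECT_IAM_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:carol@example.com",
                     "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com",
                     "group:developers@example.com"]},
    ],
    "etag": "BwXconstructedEtag",
    "version": 1,
}

# Constructed sample: Directory API records. carol@ has no record, which is what
# you get for an account not managed by your Workspace/Cloud Identity organisation.
DIRECTORY_USERS = [
    {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "isAdmin": True},
    {"primaryEmail": "bob@example.com", "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": False, "isAdmin": False},
]

# Roles for which a missing second factor is treated as high severity (example's choice).
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor"}


def user_roles(policy: dict) -> dict[str, set[str]]:
    """Map each `user:` principal (lower-cased email) to the roles bound to it.

    Groups and service accounts are skipped: they are not 2SV subjects, and group
    membership must be expanded separately before its members can be checked.
    """
    roles: dict[str, set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("user:"):
                email = member[len("user:"):].lower()
                roles.setdefault(email, set()).add(binding["role"])
    return roles


def audit_2sv(policy: dict, directory_users: list[dict]) -> dict[str, dict]:
    """Return {email: {"status", "enforced", "roles", "severity"}} per user principal.

    status is "enrolled", "not_enrolled", or "unknown" (no directory record).
    """
    by_email = {u["primaryEmail"].lower(): u for u in directory_users}
    report: dict[str, dict] = {}
    for email, roles in user_roles(policy).items():
        record = by_email.get(email)
        if record is None:
            status, enforced = "unknown", False
        elif record.get("isEnrolledIn2Sv"):
            status, enforced = "enrolled", bool(record.get("isEnforcedIn2Sv"))
        else:
            status, enforced = "not_enrolled", bool(record.get("isEnforcedIn2Sv"))
        # "unknown" is treated like a failure (fail closed) and ranked by privilege.
        if status == "enrolled":
            severity = "none"
        elif roles & HIGH_PRIVILEGE_ROLES:
            severity = "high"
        else:
            severity = "medium"
        report[email] = {"status": status, "enforced": enforced,
                         "roles": sorted(roles), "severity": severity}
    return report


def noncompliant(report: dict[str, dict]) -> list[str]:
    """Emails needing remediation: not enrolled, or status could not be verified."""
    return sorted(e for e, r in report.items() if r["status"] != "enrolled")


if __name__ == "__main__":
    result = audit_2sv(PROJECT_IAM_POLICY, DIRECTORY_USERS)
    for email in noncompliant(result):
        r = result[email]
        print(f"{r['severity'].upper():6} {email}: 2SV {r['status']} "
              f"(roles: {', '.join(r['roles'])})")
```

Run against real data by replacing the two constructed samples with the parsed gcloud output and the `users` list from the Directory API; the "unknown" bucket is the set of principals you still have to verify one by one in the Google Account console, exactly as the manual steps describe.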

Remediation / Resolution

To enable Multi-Factor Authentication (also known as 2-Step Verification or 2SV) for your Google Cloud Platform (GCP) user accounts, perform the following operations:

Note: Enabling Multi-Factor Authentication (MFA) for GCP user accounts using Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Navigate to Google Account console at https://myaccount.google.com and sign in using the access credentials of the Google Cloud user account that you want to configure.

02 In the navigation bar, select Security.

03 On the Security page, in the How you sign in to Google section, click on the 2-Step Verification tab to initiate the MFA setup process.

04 On the 2-Step Verification setup page, choose GET STARTED, and perform the following actions:

  1. Enter your account password for verification and choose Next.
  2. Provide the phone number that you want to use as your second verification step and choose one of the verification methods available: text message (SMS) or phone call. For other MFA/2SV options such as Google Prompt and Security Key, choose Show more options. As an example, this conformity rule utilizes text messages (SMS) for the MFA/2SV verification method. Choose NEXT to continue the setup process.
  3. Enter the 6-digit code sent to the phone number selected at the previous step, to confirm the verification method used. Choose NEXT to continue.
  4. Choose TURN ON to complete the setup process and enable Multi-Factor Authentication/2-Step Verification for the selected Google Cloud user account.

05 (Optional) Backups help you get back into your GCP account if you lose your phone, you forget your password, or you can't sign in for another reason. To avoid getting locked out of your GCP account, set up additional backup steps so you can sign in when other options aren't available anymore. For example, choose Recovery phone from the How you sign in to Google section to add a backup phone so you can still sign in if you lose your primary phone.

06 (Optional) You can also set up a recovery email address. If you forget your password or someone else is using your Google Cloud user account, having a recovery email address can help you get your account back. To add or update a recovery email address, perform the following actions:

  1. In the navigation bar, select Personal info.
  2. In the Contact info section choose Email.
  3. In the Recovery email section add or update your recovery email address.

07 Repeat steps no. 1 – 6 for each user account available for the selected GCP project for which you want to enable MFA/2SV.

08 Repeat steps no. 1 – 7 for each Google Cloud Platform (GCP) project available within your account.

Publication date May 3, 2024