Skip to main content

Enforce 2FA With GSuite

Enabling 2 factor authentication. Also known as 2 step verification (2SV) for GSuite users.

Dorin avatar
Written by Dorin
Updated this week

For more info on specific steps, see links throughout this article to Google's official help articles.

Why Enforce 2FA for Fullview via Google SSO

Using Google Workspace (G Suite) accounts to log in to Fullview means that Google is the identity provider handling authentication. Enabling two-factor authentication (2FA) – called 2-Step Verification (2SV) in Google’s terminology – is crucial to protect these logins. With 2FA enabled on Google accounts, even if a password is compromised, a second verification (such as a code or security key) is required, greatly enhancing security. In short, if you enforce 2FA at the Google Workspace level, any “Sign in with Google” to Fullview will also require that second factor, keeping unauthorized users out.

Enforcing 2FA in Google Workspace (G Suite)

Figure: Google Workspace Admin Console settings for enforcing 2-Step Verification (2SV). Admins can allow users to enroll in 2SV and then enforce it immediately or from a scheduled date. Options include a grace period for new users and the ability to choose allowed 2SV methods. The Frequency setting “Allow the user to trust the device” lets users skip repeated prompts on a trusted device (use with caution) support.google.com.

To ensure that all Google logins (including Fullview logins via Google) require 2FA, a Google Workspace administrator should enforce 2-Step Verification for the organization. Here are the steps to do this:

  1. Navigate to 2SV settings: Sign in to the Google Admin Console as an administrator. Go to Security > Authentication > 2-step verification support.google.com.

  2. Allow 2SV enrollment: Make sure the option “Allow users to turn on 2-Step Verification” is checked. This lets users enroll in 2FA if they haven’t already.

  3. Enforce 2FA for users: Under Enforcement, choose an option for requiring 2SV: select On to start enforcing immediately, or On from [Date] to pick a future date when 2FA becomes mandatorysupport.google.com. (If you schedule a date, Google will remind users to enroll before that deadline.)

  4. Set a new user grace period (optional): You can set a “New user enrollment period” (e.g. 1 week or 1 month) if desired support.google.com. This gives new employees a brief window to log in with just a password before they are forced to set up 2FA. Often organizations set this to None or a very short period to maximize security.

  5. Decide on device trust policy: Under Frequency, decide whether to allow users to “trust the device.” If this box is checked, a user can choose not to be prompted for 2FA again on a given device/browser after their first login support.google.com. Enabling this improves convenience (fewer prompts on frequent devices) but slightly reduces security. Google notes that skipping 2SV on trusted devices is not recommended unless users frequently switch devices support.google.com. To enforce 2FA on every login, you would leave this unchecked so that credentials are verified each time.

  6. Choose allowed 2FA methods: Under Methods, select which 2SV methods are permitted for your users support.google.com.

    • Any – allow all Google-supported 2FA methods (Google Prompt, authenticator app, SMS codes, security keys, etc.).

    • Any except verification codes via text, phone call – allow only stronger methods (like mobile app prompts, authenticator apps, or security keys) and disallow SMS or voice call codes support.google.com. This is often recommended, since text-message codes are less secure and can be intercepted.

    • Only security key – require a physical security key or passkey for 2FA (highest security, but ensure all users have keys before choosing this) support.google.com.

  7. Save the policy: Click Save to apply these settings for your selected organization unit or group. 2FA enforcement can be applied to all users or a specific subset (for example, you might enforce it for the whole company, or start with a particular department or group) support.google.com. Ensure that all affected users have completed 2SV setup before the enforcement is active to avoid lockouts. Google provides admin reports to track who has enrolled in 2SV and who hasn’t yet, so you can follow up with users who need to enroll.

Once this policy is in place, any login to Google accounts in that domain will require 2FA after the user enters their password. This includes logging into Fullview via Google SSO, as well as logging into Google Workspace services themselves. In practice, when a Fullview user clicks “Sign in with Google,” they will be prompted for their Google email and password (if not already signed in) and then for the second factor (e.g. an approval prompt on their phone or a verification code) before access is granted.

Limitations and Considerations for Google 2FA on Third-Party Apps

Enforcing 2FA in Google Workspace covers Fullview’s Google login without additional configuration in Fullview. There are a few considerations to keep in mind:

  • Active Google Sessions: If a user is already signed into their Google account and has recently completed 2FA, they might not be prompted for 2FA every single time they access Fullview. Google may treat the existing session as sufficient. This is normal SSO behavior – the user won’t be asked for a code if their session is still valid. However, if the user logs out or the session expires, the next login will require the password and 2FA again. Admins can balance security and convenience by adjusting session duration and whether “trust this device” is allowed. Disallowing trusted devices (as mentioned above) ensures more frequent 2FA checks, at the cost of convenience.

  • “Trust this device” option: If you allow trusted devices, users who check that box during login won’t have to perform 2FA on that device/browser for some time (by default, Google might remember the device for 30 days, for example) support.google.com. This means that for third-party apps like Fullview, a user who trusted their device would log in with Google without a new 2FA prompt on that device until the trust period or session ends. If your security policy requires a 2FA challenge every login, you should disable the trusted device feature.

  • No bypass for third-party logins: There is no special limitation or bypass that would let a user into Fullview without 2FA if it’s enforced on their Google account. The 2-Step Verification requirement applies universally – whether the user is signing into Gmail, a SAML SSO application, or clicking a “Sign in with Google” button for a third-party app, the Google identity platform will require the second factor as long as the user hasn’t already satisfied it for the current session. In short, Fullview trusts Google to authenticate the user, and Google won’t fully authenticate the user without 2SV if it’s enforced.

  • Enrollment and backup codes: One consideration when enforcing 2FA is to ensure all users are enrolled and have backup options. If a user has not yet set up 2SV and enforcement is turned on, that user will be unable to sign in (to Google or any app via Google) until they set up 2FA. Google Workspace admin console offers the ability to add users to an exception group temporarily (where 2SV isn’t enforced) if someone needs a bit more time, but this is not recommended as standard practice support.google.com. It’s better to communicate the policy in advance and use Google’s reminder emails to get everyone enrolled before the cut-off date. Additionally, encourage users to keep backup codes or an alternate 2FA method (like a backup phone or security key) in case they lose access to their primary 2FA device.


Did this answer your question?