• Setting up Google Workspace for a small business – part 3

    Now to set up and enforce 2FA (Two Factor Authentication) for all users in my new domain. First I want to make sure it is active and working for me!

    In Gmail, clicking the “S” at the top right, which comes from my name Steve, opens a box with an option to “Manage your Google Account”

    In the next page I select Security and then the right arrow along from “2 Step verification”

    The default is to get an SMS message or phone call but I don’t want that. I want to use “Google Prompt” which is an app built into my Android phone and I think it also works on iPhones too. SMS can be compromised so Security Keys or prompts are the way to go. I think my android phone can also act as a security key too, but the prompt has always worked well for me.

    I need to select “show more options”

    My device isn’t shown, so I click the link “Don’t see your device”.

    and this tells me I need to login to my new Workspace account from my phone for it to be seen, so I’ll go to my phone and do that.

    On Android I do this by going to Settings > Accounts > Add Account > Google

    (you can have more than one google account linked to your phone)

    My new email address and password are entered and it takes 30 seconds or so to login and set itself up. Once that’s done, I click the “Try Again” link and my phone appears. Yes it’s an old phone (2 and a half years!) and yes I’m looking to update it but only because the charging port is slightly loose. Can you imagine how long it takes me to pick a new phone? !!

    click Continue

    It wants a backup option, and is asking for a phone number again. I’m going with this though deep down I think the current security wisdom is not to allow SMS resets.

    Enter the confirmation code that came by text message

    and “Turn on”

    So that should be working and the confirmation screen gives me more options.

    First, I generate the backup codes. These can be printed and put somewhere safe for the event you lose your phone and can’t use the Prompt or SMS methods. Perhaps keep them in your wallet. If you’re worried about losing your wallet and someone logging into your account using these backup codes then you can encrypt them with your own secret algorithm. Add 1 to the first and last digit.

    Second, I set up an authenticator app. I used to use Google Authenticator but I had a problem once where a factory reset of my phone meant I lost access to the Generator. Now I use 1password which includes a generator. As long as I can get into 1password I can always get to the Authenticator codes.

    Finally, I tried the security key but that doesn’t work for me as I don’t have one 🙂 I thought my phone might act as one but I was prompted for Windows to look for one connected by USB. Maybe one day I’ll add that approach too. I think a hardware security key that can be on my keyring and work separate to my phone and wallet may be a useful backup method.

    Now to log out, log in and see if I’m prompted for a code:

    and yes I was. All is good and secure.

    Now to enforce 2FA as a requirement across all users.

    The 9 dots top right > Admin > Security > 2-Step Verification

    Maybe I’m a bit too worried about security, but these are the settings I’ve chosen for my users.

    • 2FA is turned on from now
    • There is no grace period for new users
    • They can trust the device once they’re logged in. I think google still prompts every 30 days.
    • They can’t get verification codes by SMS message or phone calls. SMS is not secure and we are all vulnerable to SIM Swapping (that’s a link to a youtube video that explains it well. She also covers a lot of security related topics with great advice for geeks and non geeks alike).

    So, that should be enforcing 2FA for all our users, which is so far just me and my brother. Except he probably didn’t set up 2FA when I told him he could log in earlier so he’s probably being locked out right now. To fix that, Admin > directory > Users and click on his name and I can see that he does not have 2FA enabled and also he has no recovery options.

    When I go to edit this (the down arrow on the top right opens the panel up) I see that only the user can enable 2FA.

    I suspect that the next time he logs in he will be forced to do that so I’ll leave this for now and see what happens. It might be I need to add a recovery email address and/or phone number as he hadn’t set those yet either.

    Once he is set up with 2FA I will also make him a super admin. This is important as if something happens to me I want him to have full access to everything in the business. Also if I lose my phone he can also reset my password. I’m always trying to avoid a single point of failure in our business.
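
    The checks described above (who is under enforcement but not yet enrolled, who has no recovery options, and whether an account is ready to be made super admin) can be run over a user export. This is an added example, not part of the original post: the field names follow the Admin SDK Directory API user resource, and the accounts, values and the `safe_to_promote` policy helper are constructed for illustration.

```python
import json

# Constructed sample in the shape of Admin SDK Directory API user records
# (field names are the API's; the accounts and values are made up).
SAMPLE_USERS = json.loads("""
[
  {"primaryEmail": "steve@example.com", "isAdmin": true,
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true,
   "recoveryEmail": "steve@example.net", "recoveryPhone": "+440000000000"},
  {"primaryEmail": "brother@example.com", "isAdmin": false,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true},
  {"primaryEmail": "old@example.com", "isAdmin": false, "suspended": true,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true}
]
""")


def audit_user(user):
    """Return the list of findings for one user record."""
    findings = []
    enrolled = user.get("isEnrolledIn2Sv", False)
    if user.get("isEnforcedIn2Sv", False) and not enrolled:
        # Enforcement is on but the user has not enrolled yet
        # (the brother's situation in the post).
        findings.append("enforced-but-not-enrolled")
    if not (user.get("recoveryEmail") or user.get("recoveryPhone")):
        findings.append("no-recovery-options")
    if user.get("isAdmin", False) and not enrolled:
        # isAdmin marks a super administrator in the Directory API.
        findings.append("admin-without-2sv")
    return findings


def audit(users):
    """Map each active user's email to its findings; skip suspended users."""
    return {u["primaryEmail"]: audit_user(u)
            for u in users if not u.get("suspended", False)}


def safe_to_promote(user):
    """Hypothetical policy from the post: super admin only once 2FA is set up."""
    return user.get("isEnrolledIn2Sv", False) and not user.get("suspended", False)


if __name__ == "__main__":
    for email, findings in audit(SAMPLE_USERS).items():
        print(email, ", ".join(findings) or "ok")
```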


  • Setting up Google Workspace for a small business – part 2

    In Part 1 I registered a new Google Workspace account and told it our domain name. Now we have to prove to google it’s actually our domain to use.

    There are a couple of ways to do this and all of them involve adding entries to the DNS records of your domain, which you do through the website of whoever you bought your domain from. For many years I’ve bought all my domains through Gandi and I highly recommend them (not a referral link and I’ve no promo codes to pass on). Google & Gandi work for the “Automatic Activation” method which makes things very easy from this point.

    Once signed in, the verification process begins!

    The automatic process is doing what you can do by hand. Firstly, it adds a DNS TXT record with a unique string that is publicly available. Because you can set this, google know this is really your domain.

    Here things get a little complicated, as I already had this domain set up with our old Google Workspace legacy account and I left the email settings in place. These are DNS MX records that tell the world where to deliver your email.

    If you’re using email on another provider I assume Google Workspace would give you the option as to whether to change these settings from your current provider to the google servers. As we weren’t using the domain for email (at least, not in a way I minded breaking for a few days) I can’t tell if that’s the case or if they’d be added automatically if there are no existing MX records. Seeing as this is step 3 in the setup and we haven’t yet done step 2, I’m assuming you get to choose when to switch over the email servers.

    It can take some time (several hours) for the DNS records to show publicly for google to check but you can carry on with other steps whilst you’re waiting.

    Step 2 is to create your users.

    Obviously my user is already there so I use the “Add another user” link to add more.

    After that, it’s time to accept the terms and log into our new accounts!

    Naturally the dashboard has a lot of options but in my excitement the first thing I want to do is send an email. In google workspace a grid of 9 dots at the top right opens the menu for all the workspace apps. Gmail is the one I want and…. it doesn’t work!

    I’m signed into the admin panel and every other app I click on redirects me back to the Admin panel. What’s going wrong? I think it’s due to the domain still being verified. Sure enough the next morning I could log in fine. I think there is the option of accessing Gmail by logging in using the test domain whilst verification is happening but it worked before I got to try that.

    Now my email is working, next on my list:

    2FA – two factor authentication or MFA – multi factor authentication, which is to say I want to enforce better security on our email accounts requiring anyone that logs in not only knows their password but gets an extra security code from a device they own.

    Set up a shared email address – which is all new to me as our legacy workspace account didn’t allow for this


  • Setting up Google Workspace for a small business – part 1

    Now I’ve selected Google workspace (see previous post for why) I need to begin the setup.

    I’ve also signed up for a google referral program where you get a discount and I get a commission. I’ve no idea if this will work but if you’d like a discount code, send me an email and ask and we’ll both find out.

    Here’s my rough and ready task list of what I need to do:

    • Get email working, with Multi Factor Authentication, for 2 users (others to follow once it’s working)
      • i. Create account
      • ii. Changing DNS
      • iii. Adding user
    • Get shared email account working
    • Import from old accounts and setup collection of email from those accounts
    • How to handle the server/infrastructure emails (noreply@ and server@)
    • User calendars and sharing access between us
    • Calendars for resources (Van allocation)
    • Get Google Drive Desktop/FileSyncBackup and sync working, or whatever it’s called, on our desktops and mobiles

    I’ve probably forgotten several things from that list so as I remember them I’ll come back and edit it

    Sign up

    My choice is Business Starter, so I click that link

    Select the number of accounts I’m going to use. I’m not sure what selecting the larger numbers does

    Enter my name and my existing email address.

    Say I already have a domain name

    and then enter the domain name

    Things get interesting from this point, so pay attention!

    At the same time as doing this, we’re transitioning onto a new domain name that we’ve had for a while. It had already been setup with google workspace as an alias to our old domain name but we’d deliberately not been using it for everyday tasks. As such, I’m treating this domain as if it’s brand new.

    However, if you are planning on using Google Workspace with your existing domain you have to be careful not to break your existing email! At this point, just like the message on screen says, your emails won’t be affected yet.

    I like to get the emails with updates and tips, so I said OK.

    and I like to automatically set that for my users knowing they can unsubscribe if they’re not interested.

    Now to set a password for my new account.

    In my business I’m using 1password password manager to create strong passwords (blue circle icon by the password field and it’s suggested a password). NB: I didn’t use this suggested password 🙂

    A confirmation screen where I get to enter a promotion code. As I’ve signed up for a google referral program I might be able to send you a voucher code too, email me to ask 🙂

    Now a longer review page confirming the price and letting you set your business name, address and enter payment details.

    Once all of that is done – we have a workspace account

    and are taken to the admin console to do some more setup and I’ll cover those steps in the next post.

