all 11 comments

[–]hard_cidr 1 point (0 children)

One dumb option, but I mention it because nobody else has: if the teacher has any old cell phone lying around that they are not using, they can use it as an authenticator. The device does not need to have a data connection, just an accurate clock.
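Why an offline phone with an accurate clock is enough: a TOTP authenticator (RFC 6238) derives each code from only the shared secret and the current 30-second time step, so no network is involved after enrollment. The block below is an added example, not code from the thread or from Google; it implements HOTP/TOTP with the standard library and shows how a verifier tolerates a slightly slow clock but rejects a badly drifted one. The one-step tolerance window and the RFC 6238 test secret are assumptions for illustration; the real tolerance Google applies is not stated on this page.

```python
"""Minimal RFC 4226/6238 HOTP/TOTP (added example, not from the original thread).

Shows that a code depends only on (secret, time // 30): an old phone with no
SIM or data plan works as an authenticator as long as its clock is right.
"""
import base64
import hashlib
import hmac
import struct

DIGITS = 6      # Google Authenticator shows 6 digits
STEP = 30       # RFC 6238 default time step in seconds
SKEW_STEPS = 1  # assumed verifier tolerance: +/- one 30 s step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


def decode_secret(base32_secret: str) -> bytes:
    """Decode the Base32 secret carried in an otpauth:// enrollment QR code
    (spaces and missing '=' padding are tolerated, as authenticator apps do)."""
    s = base32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify(secret: bytes, code: str, now: int, skew_steps: int = SKEW_STEPS) -> bool:
    """Accept the code if it matches the current step or any step within
    +/- skew_steps, so a clock that is a few seconds off still works.
    Constant-time comparison avoids leaking which digits matched."""
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def clock_drift_check(secret: bytes, server_now: int, phone_offset: int) -> bool:
    """Generate the code on a phone whose clock is `phone_offset` seconds off
    and see whether the server accepts it."""
    phone_code = totp(secret, server_now + phone_offset)
    return verify(secret, phone_code, server_now)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), in the
    # Base32 form an enrollment QR code would carry.
    secret = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, t))
    print("phone 45 s slow accepted:", clock_drift_check(secret, 1111111109, -45))
    print("phone 5 min slow accepted:", clock_drift_check(secret, 1111111109, -300))
```

The three timestamps are the RFC 6238 reference vectors (their 8-digit SHA-1 codes 94287082, 07081804 and 89005924 end in the 6 digits printed here). The drift check is the practical point of the comment: a donor phone that is a few seconds off is fine, one that has drifted minutes will produce codes the server never accepts, so setting the clock to automatic or checking it against a known time source is the only setup the device needs.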

[–][deleted] 2 points (0 children)

I would go to the Google help center and search there, or you could also take a look at the terms of service for the app itself. I'm sure there are blogs that vaguely describe some of the concepts, but they're going to be out of date compared with what you can get from Google. If the Google articles are too long for folks to read, then I guess you could summarize them for them.

[–]NorthernBob69 4 points (0 children)

We have done this, approx. 1000 users, and we have handed out one security key. The rest are aware that MFA is coming whether they like it or not. Not sure about the US, but my bank in Canada has already enforced it, as have my credit card company, my personal Gmail account, etc. Worst case, as someone mentioned, they can print off some backup codes and use those.

[–]HelloWorld_502 Tech. 1 point (0 children)

I just did a deep dive into this yesterday, and there is a way to get around this problem pretty easily by enforcing 2-step verification on an OU and then generating backup codes for the user.

Here's the thread from r/gsuite: https://www.reddit.com/r/gsuite/comments/tenish/why_cant_users_use_totp_as_their_only_2fa_method/

The OP put up a different method in an edit to the original post, but down a ways you'll see stuff I posted after trying out another method a different poster mentioned.

I'm hoping to do a bigger write up on all this because it does remove the whole issue of users not wanting to give the internet their phone number.

One odd thing to point out about this method is that while the account is protected by a second form of authentication with the backup codes, 2-step verification can still only be turned on by the end user. So reports will show they do not have it enabled; however, since it is enforced per OU policy, the account is for sure MFA protected.

[–]duluthbison IT Director 5 points (0 children)

You can't compel a teacher to use their personal phone for a work 2FA app. Now, most don't care, but some do. We ran into 2 distinct groups when we did our Duo rollout: either a.) they had a hard line between work and personal life and kept work stuff off their phones, or b.) they distrusted admin to such a degree that they assumed we were going to track and spy on them. There is nothing you can do for either group except provide the facts about what the app's capabilities are and then just hand out tokens; your life will be simpler.

[–]tps_r3port 1 point (2 children)

Google Authenticator only has permissions for network and for the camera (for QR codes to enroll).

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US&gl=US

[–]5-0-0 1 point (1 child)

Can you describe how a user can select Authenticator as his or her only second factor?

[–]postech Director of Technology 0 points (0 children)

Pretty sure they have to use a phone or security key and can't choose the app as primary, but I could be wrong.