What’s changing
In August 2022, we announced strengthened safeguards for sensitive actions taken in your Google Workspace end users’ accounts. Specifically, this update protected users from bad actors taking over accounts via cookie theft. Beginning today, we’re extending this protection to the Admin console.
Currently, the Admin console prompts users to re-authenticate every hour. We are extending our current protections with additional signals to detect potential cookie theft. If a risky session is detected, we will issue extra challenges such as mobile notifications or the use of a security key. Once the user has successfully verified, they’ll be directed back to the admin page they came from.
Who’s impacted
Admins
Why it’s important
This added layer of security helps to intercept bad actors who have gained access to the Admin console using a stolen cookie. Cookie theft is a session hijacking technique whereby accounts can be accessed by exploiting cookies stored in the browser.
The additional “Verify it’s you” challenges help ensure only authorized users are accessing your organization’s sensitive information and data, preventing bad actors from taking damaging actions. Further, these challenge attempts will be logged as Admin log events, allowing for further admin investigation.
Additional details
To avoid situations where a bad actor has a cookie that marks a device as trusted, admins can configure a device to be trusted based upon login.
If an admin gets legitimately stuck trying to access the Admin console, other admins can temporarily turn off login challenges, including additional log-in challenges. We strongly recommend only using this option if contact with the user is credibly established, such as via a video call.
Getting started
- Admins: These protections will be available by default. Visit the Help Center to learn more about Admin log events, verifying a user’s identity, and protecting your users with 2-step verification.
- End users: There is no action required.
Rollout pace
- Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on October 24, 2022. We anticipate rollout to be complete by November 14, 2022.
Availability
- Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers