tyomitch, 2017-09-28 18:29:03
Google

How to organize "shared for the office" two-factor authentication in Google Account?

I have an organization that uses Gmail for business for business communications. Each employee has a Google account [email protected], with which they can access common mailboxes such as [email protected], [email protected], etc.
To reduce the risk of leakage of confidential data, the owner of the organization wants his employees to not be able to access their work mail when they are physically out of the office. The ideal solution would be two-factor authentication using some device fixed in the office - for example, a one-time password generator in the form of a huge display on the wall.
Something similar could be built on the basis of Google Authenticator; but alas, one authenticator can only be tied to one Google account, and by displaying twenty codes on the display, one for each employee, we will only confuse them all.
For a similar reason, a FIDO U2F Security Key will not work: one token can only be tied to one account, employees sit at different computers on different days, and if they are allowed to move the token from one computer to another, they will take it home in the same way.
Maybe someone has already implemented something similar?

1 answer(s)
Vladimir Dubrovin, 2017-09-28
@tyomitch

Unfortunately, your task is not solved by authentication alone, because an employee can "leak" an already authorized session outside (for example, copy cookies, or simply log in on the phone, or create a collector in another mailbox, or connect in a mail program with OAuth authentication).
You need a system that will log the user into the account by itself, create a session for him in GMail and transfer it to the browser, for example, through a plugin in the browser that will receive ready-made session cookies and put them in the browser; maybe this can be arranged through profile synchronization in the browser. But besides this, it is necessary to terminate this session when the user goes home (for example, when he logs out or after some period of inactivity).
Within the framework of such a system, you can store a password + TOTP key for each GMail account, and to access it, you can do some additional unified authentication + authorization (which users are allowed access to which accounts).
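One way to build the credential store the answer sketches (a per-account password + TOTP secret, released only to users the authorization map allows), as an added example that is not part of the answer. Account names, the password and the TOTP secret are constructed placeholders; the TOTP routine is the RFC 6238 HMAC-SHA1 algorithm that Google Authenticator implements.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed placeholder vault: shared Gmail account -> password and base32 TOTP secret.
# The secret is the RFC 6238 reference secret "12345678901234567890", not a real key.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
VAULT = {
    "sales@example.com": {"password": "placeholder-password", "totp_secret": RFC6238_SECRET_B32},
    "support@example.com": {"password": "placeholder-password", "totp_secret": RFC6238_SECRET_B32},
}

# Authorization map: which office users may open which shared accounts (constructed).
ACL = {
    "alice": {"sales@example.com"},
    "bob": {"sales@example.com", "support@example.com"},
}


def totp(secret_b32: str, for_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the Google Authenticator default)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def release_credentials(user: str, account: str,
                        now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Return (password, current TOTP code) for `account` only if the ACL
    permits `user` to open it; otherwise None. The employee never sees the
    TOTP secret itself, only the short-lived code."""
    if account not in ACL.get(user, set()) or account not in VAULT:
        return None
    entry = VAULT[account]
    ts = int(time.time()) if now is None else now
    return entry["password"], totp(entry["totp_secret"], ts)
```

The vault process (not the employee) would then complete the Google sign-in with these values, which is what lets the office system own, and later terminate, the resulting session.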
