Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. You want to reduce the risk of Google Cloud user accounts being compromised. What should you do?
A. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.
B. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.
C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
D. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.
Answer C:
"We recommend against using text messages. The National Institute of Standards and Technology (NIST) no longer recommends SMS-based 2SV due to the hijacking risk from state-sponsored entities."
"C"
Because it's federated access, the password policy stays with the origin IdP (Active Directory in this case) while the post-SSO behavior/controls are in Google Cloud.
In terms of the actual second factor, security keys are far more secure than OTP via text, since those can be defeated through smishing or other types of attacks.
https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction#implementing_federation
https://cloud.google.com/identity/solutions/enforce-mfa#use_security_keys
C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
Answer is - C
https://cloud.google.com/identity/solutions/enforce-mfa#use_security_keys
Use security keys
We recommend requiring security keys for those employees who create and access data that needs the highest level of security. You should require 2SV for all other employees and encourage them to use security keys.
Security keys offer the most secure form of 2SV. They are based on the open standard developed by Google as part of the Fast Identity Online (FIDO) Alliance. Security keys require a compatible browser on user devices.
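As an added example (not part of the original question or any of the comments above), here is a small audit that follows the thread's point: after enforcing post-SSO 2SV, verify which users are actually enrolled, which are not yet enforced, and which are enrolled but have no security key registered (and so are still relying on a weaker factor such as codes). It parses the shape of a Google Workspace Reports API userUsageReport response with the `accounts:is_2sv_enrolled`, `accounts:is_2sv_enforced` and `accounts:num_security_keys` parameters. The sample response embedded below is constructed for this example so it runs offline; in practice the JSON would come from `reports().userUsageReport().get(userKey="all", date=...)`.

```python
import json
from typing import Dict, List

# Constructed sample shaped like a Reports API userUsageReport response.
# Names and values are invented for this example.
SAMPLE_REPORT = json.dumps({
    "usageReports": [
        {"entity": {"userEmail": "alice@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": True},
             {"name": "accounts:is_2sv_enforced", "boolValue": True},
             {"name": "accounts:num_security_keys", "intValue": "2"}]},
        {"entity": {"userEmail": "bob@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": True},
             {"name": "accounts:is_2sv_enforced", "boolValue": True},
             {"name": "accounts:num_security_keys", "intValue": "0"}]},
        {"entity": {"userEmail": "carol@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": False},
             {"name": "accounts:is_2sv_enforced", "boolValue": False},
             {"name": "accounts:num_security_keys", "intValue": "0"}]},
    ]
})


def _flatten_params(entry: dict) -> Dict[str, object]:
    """Turn the report's parameters array into a {name: value} dict.

    The API encodes int64 values as strings, so intValue is converted here.
    """
    out: Dict[str, object] = {}
    for p in entry.get("parameters", []):
        if "boolValue" in p:
            out[p["name"]] = bool(p["boolValue"])
        elif "intValue" in p:
            out[p["name"]] = int(p["intValue"])
    return out


def audit_2sv(report_json: str) -> Dict[str, List[str]]:
    """Group users by 2SV finding.

    not_enrolled    : user has no second factor at all
    not_enforced    : 2SV is not being enforced for the user
    no_security_key : user is enrolled but has registered no security key,
                      i.e. still depends on a phishable factor such as codes
    """
    findings: Dict[str, List[str]] = {
        "not_enrolled": [], "not_enforced": [], "no_security_key": []}
    for entry in json.loads(report_json).get("usageReports", []):
        email = entry["entity"]["userEmail"]
        p = _flatten_params(entry)
        enrolled = bool(p.get("accounts:is_2sv_enrolled", False))
        enforced = bool(p.get("accounts:is_2sv_enforced", False))
        keys = int(p.get("accounts:num_security_keys", 0))
        if not enrolled:
            findings["not_enrolled"].append(email)
        if not enforced:
            findings["not_enforced"].append(email)
        if enrolled and keys == 0:
            findings["no_security_key"].append(email)
    return findings


if __name__ == "__main__":
    for finding, users in audit_2sv(SAMPLE_REPORT).items():
        print(f"{finding}: {', '.join(users) if users else '-'}")
```

Users in `not_enrolled` or `not_enforced` are the ones the Admin console policy has not yet reached; users in `no_security_key` are the ones to move from text or phone codes to security keys, as the Google guidance quoted above recommends.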