Functional Accounts are used across campus for various purposes and services (email, calendar, drive storage, etc.).
MFA solutions available for Google Workspace include Campus SSO+Duo or Google Authentication+2SV.
Newly created Connect functional accounts have a 7-day grace period to set up 2SV. Anyone signing into the account within those first 7 days will be prompted to set up 2SV along with the link to enroll (as seen in the screenshot). If 2SV is not set up within those 7 days, the account will be automatically locked.
Connect functional accounts are not exempt from MFA requirements. This is general guidance for using or sharing Connect Functional Accounts with 2SV enabled.
- Using Delegation for Email and Calendar sharing, and setting up Drive sharing, can address the case of non-public workstations/accounts. You can delegate a functional account to one or more individuals or to a Google Group. When delegating access to a Google Group, members of that group have delegated access. See Delegating Access to your Account.
- Use an authenticator app such as Duo MFA or Google Authenticator. Refer to the links at the bottom of the Enabling Google's 2-Step Verification page.
- Use an Identity functional account - Identity functional accounts are created in the Identity and Access Management system so they have a UCSBnetID. Multiple user phone numbers/devices can be used with Duo access to the same account.
- Create unique student-worker (Connect) functional accounts - This is currently done by some departments to separate student work from user email. It is recommended that only one student has access to a student-worker functional account at a time (the functional account can be rotated to a new student-worker as positions change). This allows for the setup of Delegated Access to a shared functional account on a public workstation without exposing a personal user account.
- Example: email@example.com is allocated to Jane Gaucho and firstname.lastname@example.org is allocated to Joe Gaucho, and they are given access to the credentials for that account. Both email@example.com and firstname.lastname@example.org are given delegated access to the email@example.com Connect functional account.
- Use a Secret Management tool with the ability to store Time-Based One-Time Passwords (TOTP). This requires expanding user access to your Secret Management tool. There is not a UCSB-wide solution for Secret Management.
- Risk assessment/acceptance and bypass. A temporary bypass process for Duo and Google 2SV exists to track bypass requests; it provides a 3-day temporary bypass. A permanent bypass would require a Risk Assessment, which begins with a request to the CISO.