Note: had some trouble with this; Chris made the following suggestion. Try this with the next offboard and update these instructions accordingly.
I think you have to go through roughly the following settings, while we're in the "2FA Handoff" Org Unit:
• Google Account's profile icon
• Manage Your Google Account
• Security and Sign In
• Probably need to re-do several settings in here. Make sure ALL forms of phone are reset, "Authenticator" option will need to be removed, this is also where you'll add a new one for yourself / Bitwarden likely
• Once every trace of the former staff is removed, then you move back to pedsone.com org unit to enforce 2FA again.
I think just replacing the phone does not suffice, you have to carefully go through the 2FA settings themselves.
Update these instructions as needed
From the Google Admin Account:
Users
Manage
Find the user and hover over the status on the right side
A menu will pop up
Click the dropdown menu under More Options
Change organizational unit
Move to 2FA Handoff group
Click on the user's name hyperlink
Click 'security' from the top
Reset the password
Turn off 2FA
Save
Right click on any Google applet on your computer task bar
Choose: New Window
Click the 'Add' box
Sign in to the former staff email account using the password that you reset
Click the dice menu and click ‘account’ from that menu
On the left side menu click ‘security & sign-in’
Scroll down to the ‘How you sign in to Google’ card and click the ‘authenticator’ button (this may be below the ‘How you sign in to Google’ card; see screenshot below)

Click ‘get started’
Enter the credentials to log into that account
You will be asked to get a verification code. It should have your phone number listed. Click ‘send’
On the ‘Let’s set up your phone’ screen, your number should be listed. Click ‘text message’, then click ‘next’
You will be sent another code via text.
The next screen says ‘It worked! Turn on 2-Step Verification?’ Click ‘turn on’
Set up 2FA in Bitwarden.
Go back into the 2FA setup in Google and click the right arrow next to 2-Step Verification
Scroll down to the Authenticator App section and click on it.
Click on Set Up Authenticator
Open the app, click the plus sign, scan the code on your computer screen
Click next on the computer
Enter the code from your phone, click verify
Open the Google Authenticator App. Click the three bars on the top left and select Transfer accounts
Click on Export Accounts
Uncheck all the codes to export except the one you are looking to move into Bitwarden.
Click next
On your computer pull up a terminal and run extract_otp_secrets
The embedded camera will start. Scan the QR code, then press q to close that window
Copy the Secret value (you have to highlight and right click to copy, ctrl+C doesn’t work)
Fill in the section for Authenticator key (TOTP) in Bitwarden
Save
The 6-digit code that is being generated is the 2FA code. It may change at the exact same time as your phone, but it will match within a cycle.
Launch the shared email account again
Click on the icon at the top right of the screen (the second one down)
Click ‘add account’
Log into that account (get the password from Bitwarden)
When the account is set up, you will see the Authenticator key (TOTP) is filled in with a long code. Next to that code, you will see a six digit code. This is your OTP and it refreshes every 30 seconds.
You can click the copy icon to copy the code, then click the launch button to open Gmail and log in.
When you are asked for a code, you can copy it from the extension or from the vault, whichever you prefer.
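The six-digit code that Bitwarden and the phone show is computed from the Authenticator key (TOTP) and the current 30-second time step, which is why the two match within a cycle. The script below is an added example, not part of the original instructions: it computes that code from a Base32 secret and checks a code against the neighbouring cycles. The function names are illustrative, and the secret is the published RFC 6238 test key used as a constructed sample, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key ("12345678901234567890") in Base32,
# written the way a pasted secret often arrives (lowercase, grouped with spaces).
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def normalize_secret(secret):
    """Strip spaces and dashes, upper-case, and restore Base32 padding."""
    s = secret.replace(" ", "").replace("-", "").upper()
    return s + "=" * (-len(s) % 8)


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits."""
    key = base64.b32decode(normalize_secret(secret))  # raises on a bad paste
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matches_within_cycle(secret, code, now=None, step=30):
    """True if code equals the TOTP for the previous, current or next step."""
    t = time.time() if now is None else now
    return any(hmac.compare_digest(totp(secret, t + d * step, step), code)
               for d in (-1, 0, 1))


if __name__ == "__main__":
    remaining = 30 - int(time.time()) % 30
    print(totp(SAMPLE_SECRET), f"(changes in {remaining}s)")
```

A secret that fails to decode here was copied incompletely from the terminal. A real secret should be treated like a password and kept out of shell history and shared notes.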

