
MFA for Google Workspace: the Cyber Essentials v3.3 setup

Google Workspace 2-Step Verification (2SV) configuration that passes Cyber Essentials v3.3: user rollout, admin hardening, and closing the "less secure app access" loophole.

Author: Jay Hopkins

Edited by Jack Wickham


Google Workspace handles MFA via 2-Step Verification (2SV). For Cyber Essentials v3.3 compliance, every Workspace domain needs a specific 2SV configuration. This guide is the quick playbook.

For the scheme-level rules, read the MFA pillar.

2SV enforcement for all users

1. Google Admin → Security → Authentication → 2-Step Verification.

2. Allow users to turn on 2-Step Verification: ON.

3. Enforcement: ON.

4. New user enrolment period: 14 days (industry standard).

5. Methods allowed: Security Keys, Authenticator App, Prompt - but NOT SMS as the only option for admins.

6. Frequency: every sign-in on untrusted devices.

7. Save.

Admin hardening

Google offers Advanced Protection Program (APP) for admin accounts. Under v3.3, every Super Admin should be enrolled in APP:

1. Super Admin signs in at g.co/advancedprotection.

2. Register two FIDO2 security keys (primary + backup).

3. Enrol.

Once enrolled, Advanced Protection enforces FIDO2-only authentication and blocks dangerous file downloads. This exceeds the v3.3 minimum.

Closing the legacy-app loophole

Google Workspace includes "Less Secure App access" which bypasses MFA entirely. Turn it off:

1. Admin → Security → Less Secure Apps.

2. Disable access to less secure apps for all users.

Also turn off email IMAP/POP for users who do not need it:

1. Admin → Apps → Google Workspace → Gmail → End user access.

2. Disable POP / IMAP for organisational units whose users only need web access.

Organisational units for granular rollout

If you have many user groups with different MFA needs, create organisational units:

  • /Admins - APP enforced, FIDO2 only.
  • /Finance - 2SV enforced, Authenticator app or FIDO2.
  • /Staff - 2SV enforced, any method.
  • /Contractors - 2SV enforced, SSO-only access to Workspace.

What to show the assessor

Prepare screenshots of:

  • Admin → Security → 2-Step Verification → Enforcement status.
  • User list showing 100% 2SV enrolment (Admin → Directory → Users, column 2-Step Verification).
  • Less Secure Apps disabled.
  • APP-enrolled admins.
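The enrolment evidence above can also be produced from the Admin SDK Directory API rather than by screenshot, since each user record carries the read-only `isEnrolledIn2Sv` and `isEnforcedIn2Sv` fields. The script below is an added example, not Fig Group's or Google's code: it flags the "allowed but not enforced" and "admin not enrolled" cases from the Common failures section and reports enrolment per organisational unit. The `service` client passed to `fetch_users` and the sample records in `SAMPLE_USERS` are assumptions constructed for the example.

```python
# Added example, not Fig Group's or Google's code. SAMPLE_USERS is CONSTRUCTED
# data shaped like Admin SDK Directory API users.list entries; a live run would
# feed fetch_users() output to audit_2sv() instead.
from collections import defaultdict


def fetch_users(service):
    """Page through users.list. `service` is assumed to be a Directory API client
    (googleapiclient discovery "admin"/"directory_v1", user.readonly scope)."""
    users, token = [], None
    while True:
        page = service.users().list(customer="my_customer", maxResults=500,
                                    pageToken=token).execute()
        users.extend(page.get("users", []))
        token = page.get("nextPageToken")
        if not token:
            return users


def user(email, ou, enrolled, enforced, admin=False, suspended=False):
    return {"primaryEmail": email, "orgUnitPath": ou, "isEnrolledIn2Sv": enrolled,
            "isEnforcedIn2Sv": enforced, "isAdmin": admin, "suspended": suspended}


SAMPLE_USERS = [
    user("alice@example.com", "/Admins", True, True, admin=True),
    user("bob@example.com", "/Admins", False, False, admin=True),   # admin, no 2SV
    user("carol@example.com", "/Finance", True, True),
    user("dave@example.com", "/Staff", True, False),   # enrolled, policy not enforced
    user("erin@example.com", "/Staff", False, True),   # enforced, still in grace period
    user("old@example.com", "/Staff", False, False, suspended=True),  # cannot sign in
]


def audit_2sv(users):
    """Findings behind the assessor evidence. Suspended accounts are skipped:
    they cannot sign in, so they do not count against the 100% figure."""
    active = [u for u in users if not u.get("suspended", False)]
    emails = lambda pred: sorted(u["primaryEmail"] for u in active if pred(u))
    findings = {
        "not_enrolled": emails(lambda u: not u.get("isEnrolledIn2Sv")),
        "allowed_not_enforced": emails(lambda u: not u.get("isEnforcedIn2Sv")),
        "admins_not_enrolled": emails(lambda u: u.get("isAdmin") and not u.get("isEnrolledIn2Sv")),
    }
    per_ou = defaultdict(lambda: [0, 0])   # org unit -> [enrolled, active total]
    for u in active:
        tally = per_ou[u.get("orgUnitPath", "/")]
        tally[0] += bool(u.get("isEnrolledIn2Sv")); tally[1] += 1
    findings["enrolment_by_ou"] = {ou: round(100 * e / n, 1) for ou, (e, n) in per_ou.items()}
    findings["compliant"] = not (findings["not_enrolled"] or findings["allowed_not_enforced"])
    return findings
```

Run it against the live user list and keep the output alongside the screenshots; a non-empty `admins_not_enrolled` list is the finding an assessor will raise first.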

SMS: use sparingly

SMS is acceptable for end users but not admins under v3.3. If you must allow SMS for a user, document why in the CE submission and show that Authenticator app is also enabled as a fallback.

Common failures

"Allowed but not enforced"

2SV switched on at the policy level but users can still opt out. Move to enforcement so every user must enrol.

Admins still using SMS

SMS is never acceptable for privileged accounts under v3.3. Upgrade Super Admins to FIDO2 security keys via Advanced Protection Program.

Less Secure Apps enabled

Less Secure App access bypasses 2SV entirely. Disable organisation-wide so attackers cannot route around MFA via legacy clients.

POP/IMAP clients on mobile

Older mail apps using POP/IMAP can bypass 2SV on some providers. Migrate users to the Gmail app, which respects the 2SV policy on every sign-in.

Bottom line

Google Workspace 2SV can be made v3.3-compliant in under an hour for a small organisation. Enforce for all users, APP for admins, close the legacy-app loophole, and you are done.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor and IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
