
Enforce two factor authentication in Google Compute Engine projects

I use Google Compute Engine in an organisation of ~100 people. How do I make sure that all the accounts I add to a Compute Engine project have two factor auth enabled?

I searched Google documentation for (enforce|ensure|mandatory) two factor (gcloud|gce|google cloud) but didn't find anything that answered my question.

This question is only partially answered. It is possible with G Suite. It remains unknown if this can be done without G Suite.

tback asked Jul 18 '17 05:07


2 Answers

There is a new service called Cloud Identity.

Cloud Identity provides free, managed Google Accounts to users who don’t need G Suite Services, such as Gmail or Drive.

Relevant for you:

Directory and account security:

  • Create and manage users.

  • Create and manage groups.

  • Manage account security by setting up basic 2SV or enhanced 2SV using security keys.

  • etc...

Adam Ocsvari answered Sep 18 '22 13:09


Follow the instructions here to make 2-Step Verification mandatory in G Suite:

  1. If you will require 2-Step Verification of all users in the domain or within an existing organizational unit (OU), you may skip this step. If you need to have a different 2-Step Verification setting for a select group of users within an organization, create an admin-managed group containing all such users. See Use exception groups for detailed instructions on creating custom groups.
  2. On the dashboard, click Reports, then select Security. Confirm that all users to be forced into 2-Step Verification are already enrolled in it, indicated by "Enrolled" in the 2-Step Verification Enrollment column.
  3. On the dashboard, click Security > Basic settings > Enforce 2-Step Verification on users.
  4. Select the organization where you wish to make 2-Step Verification mandatory. Then select Turn on enforcement. 2-Step Verification will become mandatory within 24 to 48 hours after turning on enforcement.
  5. To have a suborganization inherit the 2-Step Verification setting from its parent organization, click the Use inherited button that appears near the right margin when you hover over the Authentication pane.
  6. If you would like to exempt a group of users, select the group name (created in step 1) on the right-hand side keeping the organization selected on the left-hand side of the page and select Turn off enforcement. This will apply 2-Step Verification to all users in the selected organization except the users in the exception group.
  7. Save your changes.

All users of the selected organization are now required to enter a secondary code from their mobile device.

Reference: https://support.google.com/a/answer/2548882?hl=en

Nagy Nick answered Sep 18 '22 13:09
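The enrollment check in step 2 of the answer above can also be run against a specific project's IAM members. This is an added example, not code from either answer: it cross-references an IAM policy (the JSON shape printed by `gcloud projects get-iam-policy --format=json`) with the `isEnrolledIn2Sv` and `isEnforcedIn2Sv` fields of Admin SDK Directory API user records. The function name `audit_2sv` is hypothetical and all sample data is constructed.

```python
import json

# Constructed sample: shape of `gcloud projects get-iam-policy PROJECT --format=json`
IAM_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.admin",
   "members": ["user:alice@example.com", "user:bob@example.com"]},
  {"role": "roles/compute.viewer",
   "members": ["user:carol@example.com", "user:dave@gmail.com",
               "group:ops@example.com",
               "serviceAccount:ci@demo.iam.gserviceaccount.com"]}
]}
""")

# Constructed sample: shape of an Admin SDK Directory API users.list response
DIRECTORY_USERS = json.loads("""
{"users": [
  {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": true,  "isEnforcedIn2Sv": true},
  {"primaryEmail": "bob@example.com",   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
  {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": true,  "isEnforcedIn2Sv": false}
]}
""")

def audit_2sv(policy, directory):
    """Classify each member of an IAM policy by its 2-Step Verification state."""
    known = {u["primaryEmail"].lower(): u for u in directory.get("users", [])}
    report = {"ok": set(), "not_enrolled": set(), "not_enforced": set(),
              "unmanaged": set(), "unchecked": set()}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            email = email.lower()
            if kind != "user":
                report["unchecked"].add(member)    # groups, service accounts: review separately
            elif email not in known:
                report["unmanaged"].add(email)     # not in the managed domain, no 2SV policy applies
            elif not known[email].get("isEnrolledIn2Sv"):
                report["not_enrolled"].add(email)  # enforcement would lock this user out
            elif not known[email].get("isEnforcedIn2Sv"):
                report["not_enforced"].add(email)  # enrolled, but still able to turn 2SV off
            else:
                report["ok"].add(email)
    return {state: sorted(members) for state, members in report.items()}

if __name__ == "__main__":
    for state, members in audit_2sv(IAM_POLICY, DIRECTORY_USERS).items():
        print(f"{state:13} {members}")
```

The `unmanaged` bucket is the case the question leaves open: an account outside the managed domain can hold a project role, but the domain's 2SV setting does not reach it.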