Can we use Duo security for 2FA for G-Suite admins?
When you protect Google GSuite with SSO access that features Duo (Duo Access Gateway, AD FS with Duo plugin, Okta with Duo MFA enabled, etc), “regular” GSuite admins and all end users will have to sign in with their federated account and then perform Duo MFA.
Google does not apply SSO settings to GSuite “super administrator” accounts, so those admins will continue to use username/password to authenticate. Additionally, Google does not let you selectively enable SSO for some users/admins. Once enabled it applies to everyone (except “super administrators” as mentioned.).
Learn more about the use and limitations of SSO for GSuite:
If you do not want to federate GSuite with a third-party IdP, you can require that your admins secure their Google accounts with an authenticator app for two-step verification, and instruct them to use Duo Mobile instead of Google Authenticator. When they log in they will provide a passcode generated by Duo Mobile.