Google Cloud Platform

Hi folks,

We currently protect GCP for all of our users.

Over the last few months, 4-5 users have been locked out due to GCP push requests popping up on their phones. They are not explicitly requesting these. The odd thing is that they come up exactly every 5 minutes until they are either locked out or they clear their browser cache (seems to only happen on Chrome). I know that these users don’t actually need access to GCP but are using other Google services like Youtube, gmail, etc.

I’ve posted this in the Google Cloud user groups and they suggest it might be something to do with a refresh token.

I’m just wondering if anyone else has come across this? Also, if I choose to protect GCP for only the users who do in fact use GCP, what behavior can I expect for my other users when they go to login to Youtube, gmail, etc.?

Any advice would be appreciated!

Thanks,
Pedro

Hey Pedro,
Thanks for sharing your question here! I’m hoping another admin or someone who has experienced this before can weigh in with some help. I see that you had a support case with the Duo team about this, and they said we couldn’t identify the origin of these requests and to investigate locally on the client side, which it seems you’ve done. My searches so far haven’t turned up anything, and I haven’t heard of other customers experiencing this before (but that doesn’t mean they haven’t!).
Not a super helpful response, I know. I just wanted to add some additional context for anyone else who sees your post and wants to respond.

Because G Suite and Google Cloud Platform (GCP) share the underlying domain’s authentication configuration (see this help article for reference), the way you protect GCP logins is using the Duo integration for G Suite, so my expectation is that those users who are not enrolled in Duo for GCP would be prompted to enroll or denied access, depending on your New User Policy settings. You could potentially set those users to bypass status (see Changing Users Status for more details) to allow them access without 2FA, but I’m not sure if that’s the best option.

Thank you Amy!

Yes, DUO was very helpful with the limited insight they have into this situation. I searched too and I couldn’t find much info. It hasn’t happened again and I’m confident it’s not malicious in nature (the 5 min attempts had us worried). So I think I’m going to leave it and communicate with my users and see if eventually I can pinpoint the behavior that creates these requests. The refresh token makes sense, I just don’t know what kicks it off as I use Youtube and other google services and don’t get the same requests.

1 Like