Like most observers, I celebrated Google’s recent announcement on April 9th about new multi-party approvals for a handful of common actions performed by super admins in Google Workspace.
In short, when particular high-risk actions are being performed (such as account recovery), admins can require another super admin to approve the action before it is performed.
Multi-party approval is turned on by default for domains with two or more super admins. Currently, covered high-risk actions defined by Google are [with my additional explanations]:
- Two-Step Verification [i.e., enabling or disabling two-step verification for a user]
- Account recovery [i.e., allowing users to self-recover or not]
- Advanced Protection [i.e., enabling or disabling Advanced Protection for a user]
- Google session control [i.e., limiting a user session before they have to re-authenticate]
- Login challenges [i.e., enabling or disabling user login challenges]
- Passwordless [i.e., enabling or disabling FIDO passkeys]
Many of the covered actions have been increasingly abused by attackers, including ransomware gangs, which I am sure is why this feature was implemented and rolled out.
I think this is a GREAT idea! I have no criticism of it or the way Google implemented it. It is well done, fairly automatic with a great admin user interface experience and solid defaults. I hope Google does it more, in more places, with more potential actions included. I am sure this will motivate other vendors and competitors to do the same. Multi-party approvals will for sure make some malicious actions harder on hackers.
Two points, one small, one more important.
First, multi-party approvals are really just an implementation of something known as automated workflows. Many products, commercial and custom, have included automated workflows for decades. For example, many help desk products have included workflow automation to approve particular requests, including high-risk admin actions.
The best help desk software often allows any action to have automated workflows requiring multiple approvers. Hundreds of thousands of companies have long had internal, customized automated workflows.
When I worked at Microsoft (over 6 years ago), we had many internal automated workflows. For example, employee password resets required not only Help Desk approval and identity verification, but also the employee’s boss's approval.
The employee’s boss would receive an email from the help desk stating that the employee was requesting a password reset and asking the boss to verify that it was actually the employee who needed the password reset, and all the boss had to do was click “Yes” on the email for the password reset request to go through. It was all automated.
Leaders would also be sent semi-annual email notices about what folders and files their employees had access to and would have to confirm that the access should still be granted going forward (or at least until the next access control verification email). If the leader did not respond to the request, the employee’s access to the protected resource was cut off.
Some types of sensitive digital certificates (such as code signing certificates) had a multi-party approval process. It has been built into Microsoft’s Active Directory Certificate Services product for over two decades.
What is different here is that Google is putting it into their cloud platform, covering a number of common high-risk scenarios, and enabling it by default (for many customers). I do not know if one of Google’s competitors also does something like multi-party approvals, but AFAIK it is the first within a customer’s admin console for a major cloud vendor. So, kudos to Google for doing it. I hope success breeds more of it.
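To make the workflow pattern concrete, here is an added model (my own illustrative code, not Google’s implementation and not part of the original announcement) of the two rules that the Google Workspace feature and the old help desk and access-review workflows above share: a high-risk action only runs once a second, different super admin approves it, and a request that nobody answers lapses rather than going through. The action names, the two-admin threshold for enabling the gate, and the 24-hour expiry are assumptions chosen to mirror the behaviour described in this post.

```python
"""Minimal model of a multi-party (two-person) approval workflow.

Illustrative code only; the rules (a second, distinct super admin must
approve; unanswered requests expire) are assumptions mirroring the post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The high-risk admin actions named in the post (constructed labels, not Google's API names).
HIGH_RISK_ACTIONS = {
    "two_step_verification", "account_recovery", "advanced_protection",
    "session_control", "login_challenges", "passwordless",
}


class ApprovalError(Exception):
    """Raised when a request violates the workflow rules."""


@dataclass
class ApprovalRequest:
    request_id: int
    action: str
    target_user: str
    requested_by: str
    requested_at: datetime
    status: str = "pending"          # pending | approved | expired | executed
    approved_by: Optional[str] = None


class MultiPartyApproval:
    """Gate high-risk actions behind approval from a *different* super admin."""

    def __init__(self, super_admins, ttl=timedelta(hours=24)):
        self.super_admins = set(super_admins)
        self.ttl = ttl                     # assumed: unanswered requests lapse (deny by default)
        self.requests = {}
        self.executed = []                 # audit trail of actions that actually ran
        self._next_id = 1

    @property
    def enabled(self):
        # Mirrors the post: the control is on when there are two or more super admins.
        return len(self.super_admins) >= 2

    def request(self, action, target_user, requester, now):
        if requester not in self.super_admins:
            raise ApprovalError(f"{requester} is not a super admin")
        req = ApprovalRequest(self._next_id, action, target_user, requester, now)
        self._next_id += 1
        self.requests[req.request_id] = req
        if action not in HIGH_RISK_ACTIONS or not self.enabled:
            self._run(req)                 # low-risk action, or single-admin tenant: no second approver
        return req

    def approve(self, request_id, approver, now):
        req = self.requests[request_id]
        self._expire_if_stale(req, now)
        if req.status != "pending":
            raise ApprovalError(f"request {request_id} is {req.status}, not pending")
        if approver not in self.super_admins:
            raise ApprovalError(f"{approver} is not a super admin")
        if approver == req.requested_by:
            raise ApprovalError("requester cannot approve their own request")
        req.status, req.approved_by = "approved", approver
        self._run(req)
        return req

    def _expire_if_stale(self, req, now):
        if req.status == "pending" and now - req.requested_at > self.ttl:
            req.status = "expired"         # no response means no change, as in the access-review example

    def _run(self, req):
        req.status = "executed"
        self.executed.append((req.action, req.target_user, req.requested_by, req.approved_by))


def demo():
    """Walk through an account-recovery scenario; returns the final request states."""
    t0 = datetime(2024, 4, 9, 9, 0)
    mpa = MultiPartyApproval(["alice", "bob"])           # constructed tenant with two super admins
    r1 = mpa.request("account_recovery", "ceo", "alice", t0)
    assert r1.status == "pending"                          # nothing has happened yet
    try:
        mpa.approve(r1.request_id, "alice", t0)            # self-approval is rejected
    except ApprovalError:
        pass
    mpa.approve(r1.request_id, "bob", t0 + timedelta(minutes=5))   # second admin approves: runs
    r2 = mpa.request("account_recovery", "cfo", "alice", t0)
    try:
        mpa.approve(r2.request_id, "bob", t0 + timedelta(days=2))   # too late: request expired
    except ApprovalError:
        pass
    r3 = mpa.request("rename_group", "sales", "bob", t0)  # not high-risk: runs immediately
    return r1.status, r2.status, r3.status, len(mpa.executed)


if __name__ == "__main__":
    print(demo())
```

The separation-of-duties check (approver must differ from requester) is what makes the second approval worth anything; the expiry turns silence into a denial, exactly the property the access-review emails relied on. Note that nothing in the model resists a persuasive phone call to both admins, which is the point made in the rest of the post.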
But one big reminder: although multi-party approvals make it harder for hackers to be successful, hackers will still be successful. It is not like multi-party approvals get implemented and all the social engineering hackers close up shop and go home… any more than they did when multi-factor authentication (MFA) started being pushed in a big way by the major vendors.
If a good social engineering scam can convince one admin to do something, it can nearly as easily convince two admins to do the same thing. If your CEO is blowing you up on the phone that their MFA is not working while they are in a big business deal and they need their account recovered, that stress will work equally well on two admins. This is to say, like MFA, multi-party approvals are great, but not perfect defenses. Hackers will get around it. Social engineers will update their scams to get around it.
We know this because hackers always adapt and overcome (at least so far). In the recent past, MFA was touted as the way to stop hackers! Remember all the utter nonsense from the “experts” claiming MFA stopped 99% of attacks? Then it turns out that 90% of MFA is easily susceptible to adversary-in-the-middle attacks, and now we have millions of MFA users who have been hacked.
At first, attackers had to manually bypass MFA. But now almost all password-stealing malware and automated adversary-in-the-middle attacks have been updated to bypass the most popular forms of MFA used by most people.
It does not take an uber hacker to bypass MFA any longer, just someone willing to spend $50 to buy a phishing kit. Once a weakness in a defense is spotted, hackers will figure out a way to abuse it, and eventually the attack gets automated. The same thing will likely happen with multi-party approvals. They are great. Use them where you can. But multi-party approvals are not impenetrable.
Anything that makes a hacker’s life harder is a good thing and is welcomed. Just do not implement it and think you can sit back and forget the security basics. You will still have to be on the lookout for hackers and social engineers. You will still have to hover over links to review them before clicking on them. You will still have to confirm it is your CEO asking for the account recovery and not just some AI-generated deepfake.
Verify, then trust.