> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# MFA should be enabled for all users

> Checks that MFA is enabled for all Google Workspace users.

Checks that MFA is enabled for all Google Workspace users.

## About

When you connect Google Workspace to DSALTA, the platform syncs your users, roles, and access settings using read-only API access. DSALTA evaluates this control on every sync. If the requirement is not met, DSALTA activates this check.

## Why This Matters

A password alone is a single point of failure. If it is phished, guessed, or reused from a breached site, an attacker gains full access. Multi-factor authentication adds a second verification step that blocks the vast majority of account-takeover attempts and is a baseline requirement across SOC 2, ISO 27001, and most security frameworks.

## How to Fix

**Before you begin**

* Ensure you have **Super Admin** access to the Google Admin Console.

**Enforce 2-Step Verification**

1. Sign in to the [Google Admin Console](https://admin.google.com/).
2. Navigate to **Security → Authentication → 2-Step Verification**.
3. Check **Allow users to turn on 2-Step Verification**.
4. Set **Enforcement** to **On**, choose an enforcement date, and select the allowed methods.
5. Apply to all users or specific organizational units, then click **Save**.

Once 2-Step Verification is enforced for all users, DSALTA retrieves the change on the next sync and sets the check status to **Passing**.

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="How often does this check run?">
    This check runs automatically every 24 hours while the Google Workspace integration is connected. You can also trigger a manual sync from **Integrations** in the sidebar.
  </Accordion>

  <Accordion title="What happens if it keeps failing?">
    A failing check appears in your **Data Library → Tests** dashboard. Work through the steps above; once the underlying configuration is fixed, the status updates automatically on the next sync.
  </Accordion>

  <Accordion title="Can I exclude this check?">
    Yes. If it does not apply to your environment, mark it as **Not Applicable** with a justification. The exclusion is documented for auditors.
  </Accordion>

  <Accordion title="Does DSALTA change my Google Workspace configuration?">
    No. DSALTA uses **read-only API access** and never modifies, creates, or deletes resources. All remediation is performed by your team directly in Google Workspace.
  </Accordion>
</AccordionGroup>