Functional Accounts are used across campus for various purposes and services (email, calendar, drive storage, etc.).

MFA solutions available for Google Workspace include Campus SSO+Duo or Google Authentication+2SV.

Newly created Connect functional accounts have a 7-day grace period to set up 2SV. Anyone signing into the account within those first 7 days will be prompted to set up 2SV and given the link to enroll (as seen in the screenshot). If 2SV is not set up within those 7 days, the account will be automatically locked.

Connect functional accounts are not exempt from MFA requirements.  This is general guidance for using or sharing Connect Functional Accounts with 2SV enabled.

  1. Using Delegation for Email and Calendar-Sharing, and setting up Drive-Sharing, is a solution for non-public workstations/accounts. You can delegate a functional account to one or more individuals or to a Google Group. When delegating access to a Google Group, members of that group have delegated access. See Delegating Access to your Account.
  2. Use an authenticator app such as Duo MFA or Google Authenticator. Refer to the links at the bottom of the Enabling Google's 2-Step Verification page.
  3. Use an Identity functional account - Identity functional accounts are created in the Identity and Access Management system, so they have a UCSBnetID. Multiple user phone numbers/devices can be used with Duo to access the same account.
  4. Create unique student-worker (Connect) functional accounts - This is currently done by some departments to separate student work from user email. It is recommended that only one student has access to a student-worker functional account at a time (the functional account can be rotated to a new student-worker as positions change).  This allows for the setup of Delegated Access to a shared functional account on a public workstation without exposing a personal user account.
    • Example: student-worker1@connect.ucsb.edu is allocated to Jane Gaucho and student-worker2@connect.ucsb.edu is allocated to Joe Gaucho, and each is given access to the credentials for that account. Both student-worker1@connect.ucsb.edu and student-worker2@connect.ucsb.edu are given delegated access to the frontdesk@connect.ucsb.edu Connect functional account.
  5. Use a Secret Management tool with the ability to store Time-Based One-Time Passwords (TOTP). This requires expansion of user access to your Secret Management tools. There is not a UCSB-wide solution for Secret Management.
  6. Risk assessment/acceptance and bypass.  A temporary bypass process for Duo and Google 2SV exists to track bypass requests.  This provides 3 days for temporary bypass.  A permanent bypass would require a Risk Assessment.  This would begin with a request to the CISO.