For some reason, users are forced to activate at least one 2FA method (SMS, token or cellphone alerts) before being allowed to activate TOTP (via Authenticator).
SMS is an insecure method of 2FA, because telephone companies are usually susceptible to social engineering attacks that can transfer your number to an unauthorized user. If you disable SMS as a 2FA method, this means your users need to either have a physical token or connect their mobile devices to their work account before they can use TOTP.
If you don’t want users to connect their personal mobile devices to their work account, either because your company policy or national laws don’t allow it, or simply because you don’t want them to mix personal and professional data, then the only way you can enroll users to 2FA is using a physical token and then activate TOTP.
This is frankly unreasonable and creates a huge headache for adding new users to Google Workspace.
Luckily, there is a workaround so that new users can use 2FA only with Authenticator without requiring any other action on their part or linking their account to their phone/landline.
1 – Create an OU where all forms of 2FA are accepted. Let’s call it “Onboarding”. All other OUs should not tolerate SMS/Phone call 2FA.
2 – Create a new user account directly into this “Onboarding” OU.
3 – Log into the new account. Activate 2FA using SMS or phone call verification with a corporate line or similar. I suggest a corporate landline.
4 – Log out of the account. As an admin, generate backup codes for the account and reset the password.
5 – Move the account to the desired OU, which blocks SMS/Phone call 2FA.
6 – Give the user of the account the new password and the backup codes.
7 – Instruct the user to log into the new account using their password + backup code, go into myaccount.google.com and activate 2FA via Authenticator.
What happens is:
* The user now has 10 backup codes they can use. This means they have to activate Authenticator before the codes run out or they will be locked out.
* This also means you don’t need to prod the user to activate 2FA or check it before moving the account to the right OU. The ball is in their court.
* The user cannot use SMS/Phone call 2FA.
* The user CAN, however, keep generating new backup codes indefinitely. This is a downside.
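Steps 4 and 5 (generate backup codes, reset the password, move the account) can be scripted against the Admin SDK Directory API, and the same API lets you watch how many unused codes a user has left before the lockout described above. The following is an added example, not part of the original post; it assumes a `directory` client built with `googleapiclient.discovery.build("admin", "directory_v1", credentials=...)`, an OU path of `/Staff`, and a placeholder user address.

```python
# Added example: scripts steps 4-5 of the workaround via the Admin SDK
# Directory API. `directory` is assumed to be a client built with
# googleapiclient.discovery.build("admin", "directory_v1", credentials=creds)
# using the admin.directory.user and admin.directory.user.security scopes.
import secrets
import string


def random_password(length=20):
    """Temporary password the admin hands over; the user must change it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hand_over_account(directory, email, target_ou, password=None):
    """Generate a fresh set of backup codes, reset the password and move the
    user into the OU that blocks SMS/phone 2FA. Returns (password, codes)."""
    directory.verificationCodes().generate(userKey=email).execute()  # step 4
    listing = directory.verificationCodes().list(userKey=email).execute()
    codes = [c["verificationCode"] for c in listing.get("items", [])]
    if not codes:
        # Codes only exist for a user already enrolled in 2SV (step 3).
        raise RuntimeError(f"{email}: no backup codes, is 2SV enrolled yet?")
    password = password or random_password()
    directory.users().update(userKey=email, body={
        "password": password,
        "changePasswordAtNextLogin": True,  # the admin never keeps the secret
        "orgUnitPath": target_ou,           # e.g. "/Staff" (assumed path), step 5
    }).execute()
    return password, codes


def remaining_backup_codes(directory, email):
    """Number of unused backup codes. 0 means the user is locked out unless
    they activated Authenticator. The API does not reveal which factor the
    user set up, so this is a lockout-risk signal, not proof of TOTP."""
    listing = directory.verificationCodes().list(userKey=email).execute()
    return len(listing.get("items", []))


if __name__ == "__main__":
    from googleapiclient.discovery import build  # real client, needs network
    import google.auth
    creds, _ = google.auth.default(scopes=[
        "https://www.googleapis.com/auth/admin.directory.user",
        "https://www.googleapis.com/auth/admin.directory.user.security"])
    svc = build("admin", "directory_v1", credentials=creds)
    pw, codes = hand_over_account(svc, "new.user@example.com", "/Staff")
    print("temporary password:", pw)
    print("backup codes:", ", ".join(codes))
```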