How to organize "general office" two-step authentication in a Google Account?

There is an organization that uses Gmail for business-to-business correspondence. Each employee has a Google account name.surname@company.com, from which they can go into shared mailboxes such as sales@company.com, purchase@company.com, etc.

To reduce the risk of leaking confidential data, the organization wants its employees to be unable to access work mail when physically located outside the office. The ideal solution would be two-factor authentication using a device that stays in the office, for example a one-time password generator in the form of a large display on the wall.

Something similar could be built on top of Google Authenticator; but alas, one authenticator can be tied to only one Google account, and showing twenty codes on the display, one for each employee, would only confuse them all.

For similar reasons a FIDO U2F Security Key does not fit: one token can be linked to only one account, employees sit at different computers on different days, and if they are allowed to move the token from one computer to another, they will simply take it home.

Maybe someone already implemented something like that?
June 14th 19 at 21:41
1 answer
June 14th 19 at 21:43
Solution
Unfortunately, your problem is not solved by authentication alone, because an employee can "carry out" an already authorized session (for example, by copying the cookies, or simply by logging in on their phone, or by creating a collector to another mailbox, or by connecting a mail program with OAuth authentication).
You need a system that will log the user into the account, create a session in Gmail and hand it to the browser, for example via a browser plug-in that receives ready-made session cookies and puts them into the browser; perhaps it is possible to organize this through the user profile in the browser. But besides that, it is necessary to terminate the session when the user goes home (for example when they log out, or after some period of inactivity).
Under this system you can store the password + TOTP key for each Gmail account, and to access it add your own single authentication + authorization (which users are allowed to access which account).
Thanks for the idea, but in our case it is overkill: we are not protecting against targeted "spyware", but against situations of the type "met a friend in a bar, and after the second glass he decided to show off recently closed orders from his phone". - griffin_Kovacek commented on June 14th 19 at 21:46
Well, the general scheme does not change. Keep the HOTP keys from the Gmail accounts in a closed database, have the users authorize themselves in your database, and show them the code generated from the TOTP key of the desired account. - Robb45 commented on June 14th 19 at 21:49
That's an excellent suggestion! So we started doing it... and suddenly found that Google does not allow a domain administrator to restrict the choice of the second authentication factor.
I.e., we show them our "office" TOTP codes, but nothing prevents them from adding their own Authenticator, or SMS, or anything else to their account and using it instead of our codes.

:-(

I wonder, are there any options other than a "browser plug-in which receives ready-made session cookies and puts them into the browser"? - griffin_Kovacek commented on June 14th 19 at 21:52
Maybe this can be done through third-party apps or Google Apps via SSO. Examples are here:
https://www.quora.com/How-to-lock-Google-apps-acco... - Robb45 commented on June 14th 19 at 21:55
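The "office code desk" that the answer and Robb45's comment sketch (TOTP secrets of the shared mailboxes kept in one closed store, a per-employee authorization check, then the current code shown on request) as an added, runnable example; this is not code from the thread or from Google. The TOTP arithmetic follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is the scheme Google Authenticator uses, so the codes it produces would be accepted by an account enrolled with the same secret. The mailbox names, employee names, secrets and the access table are constructed for the example; one secret is the RFC 4226/6238 test key so the output can be checked against the published vectors. As the thread itself notes, this only controls who can see the office code; it does not stop an account holder from enrolling a different second factor, so it is a convenience and accountability control rather than a location lock.

```python
"""
Added example (not from the thread): keep the TOTP secrets of shared mailboxes
in one place and show an employee the current code only for a mailbox they are
authorized to use. HOTP per RFC 4226, TOTP per RFC 6238 (HMAC-SHA1, 30 s, 6 digits).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6

# Constructed sample: the base32 secret Google shows when enrolling an authenticator
# for each shared mailbox. In a real deployment this lives in a locked-down store.
# purchase@ uses the RFC 4226/6238 test key ("12345678901234567890" in base32).
MAILBOX_SECRETS = {
    "sales@company.com": "JBSWY3DPEHPK3PXP",
    "purchase@company.com": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

# Constructed sample: which employee may ask for which mailbox's code
# (the "which users are allowed to access which account" table from the answer).
ACCESS = {
    "name.surname@company.com": {"sales@company.com"},
    "buyer.one@company.com": {"purchase@company.com", "sales@company.com"},
}


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


def seconds_remaining(at: Optional[int] = None, step: int = STEP_SECONDS) -> int:
    """How long the current code stays valid; useful for a countdown on the wall display."""
    now = int(time.time()) if at is None else at
    return step - (now % step)


def code_for(employee: str, mailbox: str, at: Optional[int] = None) -> str:
    """Authorization check first, then the code. Unauthorized requests never touch the secret."""
    if mailbox not in ACCESS.get(employee, set()):
        raise PermissionError(f"{employee} is not allowed to use {mailbox}")
    if mailbox not in MAILBOX_SECRETS:
        raise KeyError(f"no secret stored for {mailbox}")
    return totp(MAILBOX_SECRETS[mailbox], at)


if __name__ == "__main__":
    # Usage: an authenticated employee asks the desk for a mailbox code.
    who, box = "buyer.one@company.com", "purchase@company.com"
    print(f"{box}: {code_for(who, box)} (valid for {seconds_remaining()} s)")
```

Each request should be logged with the employee, the mailbox and the time so that a leaked code can be traced to the person who requested it; the secret itself never leaves the store, only the 30-second code does.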
