We are trialing Tailscale set-up for production server SSH connections. We are using Google Workspace as the identity provider for Tailscale.
Because production servers are more security critical than general data related to Google Workspace, we'd like to ensure that any Tailscale session has a shorter session timeout and always asks for two-factor authentication.
By default, Google Workspace asks for two-factor authentication only once per browser, which is fine if you want to access Docs, email and such. It does not issue an additional two-factor authentication request after the user has logged into the service in their browser.
Can Tailscale and the Google Workspace identity provider be configured so that for the Tailscale application / integration (whatever is the correct language), Google prompts for a two-factor authentication code every 24h at minimum?
Does Google Workspace support per-application security rules for login to make some applications more security critical?
We also found out that Tailscale SSH, unlike e.g. Cloudflare Zero, does not seem to work with the google-authenticator PAM module, which could be a workaround. Please correct me if I am wrong here.
One way to solve this is to use Passkey authentication (currently in beta mode for Tailscale).
Passkey authentication can be performed on your paired mobile phone when using Google Chrome, or with a hardware device (YubiKey) on Firefox.
The added bonus is that a passkey is more secure than a password, as it is tied to the secure enclave of a specific device and is phishing proof.
Passkeys also do not require you to open additional accounts on identity providers (Google, Okta, Microsoft, Apple).
Passkey authentication correctly respects any session timeout you configure for it, e.g. to avoid issues with stolen devices.
Here is an example of how to configure the timeout:
{
  "acls": [
    // Allow all connections.
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
  ],
  "groups": {
    "group:operator": [
      "foo@passkey",
      "bar@passkey",
    ],
  },
  "tagOwners": {
    "tag:prod": ["group:operator"],
  },
  "ssh": [
    // The default SSH policy, which lets users SSH into devices they own.
    // Learn more at https://tailscale.com/kb/1193/tailscale-ssh/
    {
      "action": "check",
      "src": ["group:operator"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot"],
      // Force reauth every 24h
      "checkPeriod": "24h",
    },
  ],
}
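A small policy linter for the kind of ACL shown in the answer above, as an added example that is not from the original post or from Tailscale: it parses the HuJSON policy (assuming only // comments and trailing commas, no string values containing "//") and flags any SSH rule reaching tag:prod that is not a "check" rule with a checkPeriod of at most 24h. The sample ACL, the weak second rule and the 12h fallback are constructed for the example.

```python
import json
import re

# Constructed sample: the ACL from the answer plus one deliberately weak rule.
SAMPLE_ACL = r'''
{
  "acls": [
    // Allow all connections.
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
  ],
  "groups": {"group:operator": ["foo@passkey", "bar@passkey"]},
  "tagOwners": {"tag:prod": ["group:operator"]},
  "ssh": [
    {
      "action": "check",
      "src": ["group:operator"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot"],
      "checkPeriod": "24h",  // force reauth every 24h
    },
    // Weak: plain accept to prod as root, no periodic re-authentication.
    {"action": "accept", "src": ["group:operator"], "dst": ["tag:prod"], "users": ["root"]},
  ],
}
'''

def hujson_loads(text):
    """Parse HuJSON: JSON plus // line comments and trailing commas."""
    text = re.sub(r'//[^\n]*', '', text)         # strip // comments
    text = re.sub(r',\s*([\]}])', r'\1', text)   # drop trailing commas
    return json.loads(text)

def period_hours(duration):
    """Convert a Go-style duration such as '24h', '90m' or '1h30m' to hours."""
    seconds = 0
    for num, unit in re.findall(r'(\d+)([hms])', duration):
        seconds += int(num) * {'h': 3600, 'm': 60, 's': 1}[unit]
    return seconds / 3600

def weak_ssh_rules(acl, protected_tag='tag:prod', max_hours=24):
    """Return (index, reason) for SSH rules reaching protected_tag without a tight check."""
    findings = []
    for i, rule in enumerate(acl.get('ssh', [])):
        if protected_tag not in rule.get('dst', []):
            continue
        if rule.get('action') != 'check':
            findings.append((i, 'action is %r, not "check"' % rule.get('action')))
        elif period_hours(rule.get('checkPeriod', '12h')) > max_hours:  # 12h: assumed fallback
            findings.append((i, 'checkPeriod %s exceeds %dh' % (rule['checkPeriod'], max_hours)))
    return findings
```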