Well Google just screwed up their Apps for EDU domains – UPDATE 2

I work for a K-12 school district and we use Google Apps for EDU, which is built on top of Google Apps for Business. We have tied this into our local authentication systems, so when a staff member or student changes their password locally it also changes their password on Google Apps. It worked pretty well until a few weeks ago, when our users started seeing messages like this http://i.imgur.com/BM89eJf.png when they tried to log in. This fails in so many different ways:

  • For a student, we are not allowed to enter or ask a student to enter a student phone number as that is against federal law (FERPA) unless you get a signed consent form
  • They make you pick the country even though they know the machine is in our school district (ever hear of geolocation?)
  • The 'Reset your password' link does not work as the domain uses our local authentication servers instead of Google's authentication servers
  • The 'Learn more' link leads to a page that makes no sense in our context and it cannot be changed
  • There is no way to prevent this from happening
  • It happens at random and often at bad times (e.g. ever try to get 30 kids logged in and 5 of them have this happen?). Imagine how the teacher feels as they have to waste 4 minutes per 5 kids (20 minutes) of a 50-minute class just getting them logged in to Google.
  • The change was forced upon us with no warning, so we found out about it via confused and upset folks calling our helpdesk.

Google's answer to our queries for help is that we are stuck with it:

"Let me explain that K-12 EDU users are exempt from most of the Login Challenge prompts, but are not exempt from the specific prompt which begins with "Verify it's you". I realize this behavior is not ideal, since students under 12 years may not have phone numbers. The specific prompt they have reported is expected product behavior, it occurs on occasions where suspicious login activity is detected and we are unable to determine the previous location they were logging in from. When this happens, the student can either resolve the challenge via SMS with the help of a parent/teacher or they can contact the Admin who can temporarily disable the challenge from inside the Admin console (even reset the password afterwards). Unfortunately, I don't have tools which can disable the security step. I realize that this can disrupt the regular workflow and I hope you understand the sensitive nature of the issue. Security is of Google's highest concern." 

 

UPDATE 1: After working with Google support, their hands are tied.  I have posted to the K-12 lists in the Pacific Northwest and we are not the only district dismayed by this decision.  I can see a few ways to fix this such as:

  • use reverse DNS to disable it for any computer logging in from the school's domain
  • use IP geolocation to disable it for any computer in the local region

I found out we had a class of 20 teachers this week with 7 of them affected by this. For each one we had to enter in the classroom phone number, wait for a callback, enter it in. This was confusing and delayed the start of the class and really made a good impression of Google for first-time users – NOT!

 

UPDATE 2: Good news, another person at Google said they have disabled it for our domain (I hope all K-12 domains).  We should know in a few weeks if this is true.  Keeping my fingers crossed.