Google Workspace user MFA disabled
Description
AlphaSOC detected a user-level MFA disable event via the audit action
2sv_disable. This indicates an account had its two-step verification turned
off. While users may disable MFA for legitimate reasons (device replacement,
account changes), this removal of per-account protection can increase the risk
of account takeover, especially for accounts with elevated privileges.
Impact
Disabling MFA for a user increases the likelihood that credential compromise leads to unauthorized access. If privileged accounts are affected, this can result in escalation and access to sensitive data or administrative functions.
Severity
| Severity | Condition |
|---|---|
| Low | Google Workspace user MFA disabled |
Investigation and Remediation
Identify the affected user and the actor recorded in the audit event. Confirm whether the disable was authorized and check recent authentication attempts and device changes. If unauthorized, re-enable MFA for the account, require password or token rotation, and review recent access for suspicious activity. Enforce policies that require validated change requests for MFA removal and monitor for patterns of repeated disables.
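The triage steps above can be sketched as a script. This is an added example, not AlphaSOC or Google code. It assumes audit records shaped like Admin SDK Reports API login activity items (`id.time`, `actor.email`, `ipAddress`, `events[].name`), treats the actor of a user-level `2sv_disable` as the affected account, and runs on constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The field layout is an assumption modelled on
# Admin SDK Reports API activity items; addresses are documentation ranges.
SAMPLE = [
    {"id": {"time": "2024-05-01T09:00:00Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "198.51.100.10", "events": [{"name": "login_success"}]},
    {"id": {"time": "2024-05-01T10:00:00Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.7", "events": [{"name": "2sv_disable"}]},
    {"id": {"time": "2024-05-01T10:05:00Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.7", "events": [{"name": "login_success"}]},
    {"id": {"time": "2024-05-03T08:00:00Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "198.51.100.10", "events": [{"name": "2sv_disable"}]},
    {"id": {"time": "2024-05-02T12:00:00Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "198.51.100.20", "events": [{"name": "2sv_disable"}]},
]

def _ts(rec):
    # Parse the RFC 3339 timestamp into a timezone-aware datetime.
    return datetime.fromisoformat(rec["id"]["time"].replace("Z", "+00:00"))

def triage(records, window=timedelta(days=7)):
    """Return one finding per 2sv_disable event, with context for the analyst."""
    by_actor = defaultdict(list)
    for rec in sorted(records, key=_ts):
        for ev in rec.get("events", []):
            by_actor[rec["actor"]["email"]].append((_ts(rec), ev["name"], rec.get("ipAddress")))
    findings = []
    for actor, rows in by_actor.items():
        disables = [t for t, name, _ in rows if name == "2sv_disable"]
        for when, name, ip in rows:
            if name != "2sv_disable":
                continue
            # Source IPs with a successful login before vs. after the disable.
            known = {i for t, n, i in rows if n == "login_success" and t < when}
            later = {i for t, n, i in rows if n == "login_success" and when <= t <= when + window}
            findings.append({
                "actor": actor, "time": when.isoformat(), "ip": ip,
                "ip_seen_before": ip in known,
                "disables_in_window": sum(1 for t in disables if abs(t - when) <= window),
                "new_login_ips_after": sorted(later - known),
            })
    return sorted(findings, key=lambda f: f["time"])
```

A disable from an address with no prior successful login, followed by logins from that same new address, is the combination to confirm with the user first; `disables_in_window` above 1 marks the repeated-disable pattern.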