Consider switching to another source of auth than Google
This was originally set up to use Google so we could enforce 2SV for card representatives access card data.
This auth flow now goes Google > Shibboleth > MS (with MFA) > Shibboleth > Google (with 2SV) so Google's 2SV is now unnecessary.
Considered the implications of changing this, perhaps to SAML2 to shibboleth, or direct OAuth to MS.