See Sign in using application-specific passwords for instructions for users on how to generate and use application-specific passwords.
Users enrolled in 2-step verification need to periodically enter a special verification code, in addition to their username and password, to sign in to Google Apps. When signing in from a web browser, they're prompted to enter this code after entering their password. However, desktop and mobile applications aren't configured to accept a verification code—there's no field for entering it. In these cases, they need to sign in by entering another type of code—called an application-specific password—in place of their Google Account password.
When do my users enter an application-specific password instead of a password?
Your users only need to enter an application-specific password once per application, per device, after enrolling in 2-step verification. For example, they'll need to enter one code when first signing in to Gmail on their smartphone, and another code when first signing in to Google Talk on their desktop. And as when entering a regular password, if they enter their code and select Stay signed in, they won't have to re-enter their application-specific password the next time they sign in to their account.
Tip: If your user has just enrolled in 2-step verification and they're signing in to a desktop or mobile application, and their Google Apps password doesn't seem to work, instruct them to enter an application-specific password, instead.
Important: To ensure that your users' application-specific passwords aren't stolen, instruct them to never enter their code on a web page. Application-specific passwords should only be used with installed desktop applications and smartphones, and devices that sync to their Google Account (such as digital cameras or picture frames that sync to Picasa).
2-step verification in a browser vs. a desktop or mobile app
|Web Browser application||Desktop application or mobile application|
|What||Enter a 2-step verification code||Enter an application-specific password|
|How||Get a verification code each time you need one, from your phone||Get an application-specific password once from your Authorized Access to your Google Account page on the web|
|When||Once a month or when otherwise prompted||Only once when you set up a new application/device after you've enrolled in 2-step verification|
|Where||On a second page that appears after entering a username and password||In your Google Apps Password field|
Which applications typically require an application-specific password?
Any desktop or mobile application that doesn't prompt your users to enter a 2-step verification code at least once after they enroll in 2-step verification.
Common applications and devices that require an application-specific password include:
- Gmail and Google Calendar on Android-based phones
- ActiveSync for Windows Mobile and iPhone
- IMAP clients such as Thunderbird
- Installed chat clients such as Google Talk and Adium
- Syncing with applications on your desktop like Picasa
- Programmatic access via API--(see API Developers)
How do my users get application-specific passwords?
Have your users follow the instructions in Sign in using application-specific passwords.If these directions don't work, you can try these alternate directions
- Sign in to your Google Apps Gmail Account and click Account Settings (at the top right corner of the window).
- Click Authorizing applications & sites. (Note: You can only generate application-specific passwords if you're enrolled in 2-step verification).
- Go to your Authorized Access to your Google Account page: https://www.google.com/a/your_domain/IssuedAuthSubTokens. Be sure to replace "your_domain" with your actual domain name.
- Enter your password, if prompted.
- On your Authorized Access to your account page, provide a descriptive name for your application-specific password, such as "Gmail Android". (This lets you remember which application it's for, in case you later need to revoke it).
- Click Generate password.
Deployment tips for Google Apps administrators
We recommend administrators to set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-step verification for your users and enters the application-specific passwords where needed in their mobile devices and desktop applications. We also recommend that you train your users when to use 2-step verification codes and how to get their codes. See the 2-step verification email template to send your users and point your Help Desk or Support staff to this article and Troubleshoot 2-step verification to help them get up to speed.
If you are a Google Apps API developer and use ClientLogin authentication, after you enroll in 2-step verification, you'll need to use an application-specific password in place of your regular password.
Application-specific passwords are machine-generated passwords that you enter in your password field. Application-specific passwords are shown only at creation time, so for persistent API access, we recommend storing them in a secure place, as you would your password. Application-specific passwords do not expire, however, you can revoke them. For more information, see Turn off 2-step verification.
How to use your application-specific passwords with APIs
For APIs using ClientLogin authentication, use your API application-specific password in the Passwd attribute when making a POST request to the ClientLogin resource. An XML example of the POST request's body:
There is no difference between an application-specific password used for API access and an application-specific password used to access a desktop or mobile application: both are equivalent and provide the same privileges. To create an API application-specific password, follow the directions in Sign in using application-specific passwords.