Enable 2-step verification for your domain
- Sign in to the Google Admin console.
- Do one of the following:
- Under 2-step verification, check Allow users to turn on 2-factor authentication.
This makes 2-step verification available for your users, but does not automatically enroll them. To enroll, users need to configure their verification settings individually. See Set up 2-step verification for users.
Account recovery recommendations for administrators
Here are recommendations to make administrator use of 2-step verification more reliable and secure:
- Avoid using secondary email addresses that do not support 2-step verification themselves. If those accounts become compromised, so can your Google Apps administrator account.
- Organizations with multiple administrators should use each other's help for account recovery rather than a secondary email address.
- Organizations with a single administrator should print out backup codes to speed account recovery and avoid the use of insecure secondary email addresses.
- Administrators who want more control over how codes are received are encouraged to use our smartphone app with up-to-date software, and printed backup codes.
- Your users won't be able to enroll in 2-step verification by going to https://www.google.com/accounts/SmsAuthConfig. Instead, instruct your users to follow these steps to get to their 2-step enrollment page.
- The URL https://www.google.com/accounts/IssuedAuthSubTokens won't take your users to the Authorized Access to your Google Account page. Instead, instruct your users to follow these steps to generate an application-specific password for their mobile device.
And to help users make a smooth transition to using their new sign-in process, we recommend that you deploy this security feature as follows:
- Notify your users of this new security process and include instructions on how to get started. See a sample email notification.
- Point your Help Desk or Support staff to the Troubleshooting 2-step verification information to help them get up to speed.
- Consider running a pilot program targeting users with smartphones. You can set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-step verification for your users and enters application-specific passwords where needed in their mobile devices and desktop applications.
- Once all users have enrolled in 2-step verification, you may enforce its use following the instructions in Manage your users' security settings.
Disable 2-step verification for your domain
Uncheck Allow users to turn on two-factor authentication to prevent new enrollments or modification of existing enrollments. Users who have already enrolled would continue to be asked for 2 factor code.
- In your Admin console, go to the Users page.
- Click an individual user.
- Unenroll the user:
- In the classic Admin console, go to User information > 2-factor authentication.
- In the new Admin console, click Show more > Security.
This change takes effect immediately. The user also receives an automated email from Google explaining that they are no longer enrolled.