Google Apps

Enable 2-step verification for your domain

1. Sign in to the Google Admin console.
2. Do one of the following:
   • In the classic Admin console, click Advanced tools and scroll to Authentication.
   • In the new Admin console, click Security > Basic settings.
     ^{Where is it? Which Admin console do I have?}
3. Under 2-step verification, check Allow users to turn on 2-factor authentication.

This makes 2-step verification available for your users, but does not automatically enroll them. To enroll, users need to configure their verification settings individually. See Set up 2-step verification for users.

Account recovery recommendations for administrators

Here are recommendations to make administrator use of 2-step verification more reliable and secure:

• Avoid using secondary email addresses that do not support 2-step verification themselves. If those accounts become compromised, so can your Google Apps administrator account.
   
• Organizations with multiple administrators should use each other's help for account recovery rather than a secondary email address.
   
• Organizations with a single administrator should print out backup codes to speed account recovery and avoid the use of insecure secondary email addresses.
   
• Administrators who want more control over how codes are received are encouraged to use our smartphone app with up-to-date software, and printed backup codes.

Tips for deploying to users

• Your users won't be able to enroll in 2-step verification by going to https://www.google.com/accounts/SmsAuthConfig. Instead, instruct your users to follow these steps to get to their 2-step enrollment page.


• The URL https://www.google.com/accounts/IssuedAuthSubTokens won't take your users to the Authorized Access to your Google Account page. Instead, instruct your users to follow these steps to generate an application-specific password for their mobile device.

And to help users make a smooth transition to using their new sign-in process, we recommend that you deploy this security feature as follows:

1. Notify your users of this new security process and include instructions on how to get started. See a sample email notification.
2. Point your Help Desk or Support staff to the Troubleshooting 2-step verification information to help them get up to speed.
3. Consider running a pilot program targeting users with smartphones. You can set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-step verification for your users and enters application-specific passwords where needed in their mobile devices and desktop applications.
4. Once all users have enrolled in 2-step verification, you may enforce its use following the instructions in Manage your users' security settings.

Disable 2-step verification for your domain

Uncheck Allow users to turn on two-factor authentication to prevent new enrollments or modification of existing enrollments. Users who have already enrolled would continue to be asked for 2 factor code.

Unenroll individual users

1. In your Admin console, go to the Users page.
2. Click an individual user.
3. Unenroll the user:
   • In the classic Admin console, go to User information > 2-factor authentication.
   • In the new Admin console, click Show more > Security.

This change takes effect immediately. The user also receives an automated email from Google explaining that they are no longer enrolled.