Set up 2-Step Verification
Sign in to mobile or desktop apps
Users enrolled in 2-Step Verification need to periodically enter a special verification code, in addition to their username and password, to sign in to G Suite. When signing in from a web browser, they're prompted to enter this code after entering their password. However, desktop and mobile applications aren't configured to accept a verification code—there's no field for entering it. In these cases, they need to sign in by entering another type of code—called an app password—in place of their Google Account password.
How do my users generate and use app passwords?
Have your users follow the instructions in Sign in using app passwords.If these directions don't work, you can try these alternate directions
- Sign in to your G Suite Gmail Account and click Account Settings (at the top right corner of the window).
- Click Authorizing applications & sites. (Note: You can only generate app passwords if you're enrolled in 2-Step Verification).
- Go to your Authorized Access to your Google Account page: https://www.google.com/a/your_domain/IssuedAuthSubTokens. Be sure to replace "your_domain" with your actual domain name.
- Enter your password, if prompted.
- On your Authorized Access to your account page, provide a descriptive name for your app password, such as "Gmail Android". (This lets you remember which application it's for, in case you later need to revoke it).
- Click Generate password.
2-Step Verification in a browser vs. a desktop or mobile app
|Web Browser application||Desktop application or mobile application|
|What||Enter a 2-Step Verification code||Enter an app password
Android 6.0 or later does not accept an app password. Users must enter their user-account password and then enter a 2-Step Verification code, which successfully adds the account.
|How||Get a verification code each time you need one, from your phone||Get an app password once from your Authorized Access to your Google Account page on the web|
|When||Once a month or when otherwise prompted||Only once when you set up a new application/device after you've enrolled in 2-Step Verification|
|Where||On a second page that appears after entering a username and password||In your G Suite Password field
Deployment tips for G Suite administrators
We recommend administrators to set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-Step Verification for your users and enters the app passwords where needed in their mobile devices and desktop applications. We also recommend that you train your users when to use 2-Step Verification codes and how to get their codes. See the 2-Step Verification email template to send your users and point your Help Desk or Support staff to this article and Troubleshoot 2-Step Verification to help them get up to speed.
If you are a G Suite API developer and use ClientLogin authentication, after you enroll in 2-Step Verification, you'll need to use an app password in place of your regular password.
App passwords are machine-generated passwords that you enter in your password field. App passwords are shown only at creation time, so for persistent API access, we recommend storing them in a secure place, as you would your password. App passwords do not expire, however, you can revoke them. For more information, see Turn off 2-Step Verification.
How to use your app passwords with APIs
For APIs using ClientLogin authentication, use your API app password in the Passwd attribute when making a POST request to the ClientLogin resource. An XML example of the POST request's body:
There is no difference between an app password used for API access and an app password used to access a desktop or mobile application: both are equivalent and provide the same privileges. To create an API app password, follow the directions in Sign in using app passwords.