Set up 2-Step Verification
Sign in to mobile or desktop apps
Users enrolled in 2-Step Verification need to periodically enter a special verification code, in addition to their username and password, to sign in to Google Apps. When signing in from a web browser, they're prompted to enter this code after entering their password. However, desktop and mobile applications aren't configured to accept a verification code—there's no field for entering it. In these cases, they need to sign in by entering another type of code—called an application-specific password—in place of their Google Account password.
How do my users generate and use application-specific passwords?
Have your users follow the instructions in Sign in using application-specific passwords. If these directions don't work, you can try these alternate directions:
- Sign in to your Google Apps Gmail Account and click Account Settings (at the top right corner of the window).
- Click Authorizing applications & sites. (Note: You can only generate application-specific passwords if you're enrolled in 2-Step Verification).
- Go to your Authorized Access to your Google Account page: https://www.google.com/a/your_domain/IssuedAuthSubTokens. Be sure to replace "your_domain" with your actual domain name.
- Enter your password, if prompted.
- On your Authorized Access to your account page, provide a descriptive name for your application-specific password, such as "Gmail Android". (This lets you remember which application it's for, in case you later need to revoke it).
- Click Generate password.
2-Step Verification in a browser vs. a desktop or mobile app
| | Web browser application | Desktop application or mobile application |
|---|---|---|
| What | Enter a 2-Step Verification code | Enter an application-specific password |
| How | Get a verification code each time you need one, from your phone | Get an application-specific password once from your Authorized Access to your Google Account page on the web |
| When | Once a month or when otherwise prompted | Only once when you set up a new application/device after you've enrolled in 2-Step Verification |
| Where | On a second page that appears after entering a username and password | In your Google Apps Password field |
Deployment tips for Google Apps administrators
We recommend that administrators set up a deployment day on which users bring their phones and laptops to your Help Desk. We recommend that your IT staff set up 2-Step Verification for your users and enter the application-specific passwords where needed in their mobile devices and desktop applications. We also recommend that you train your users on when to use 2-Step Verification codes and how to get their codes. See the 2-Step Verification email template to send to your users, and point your Help Desk or Support staff to this article and to Troubleshoot 2-Step Verification to help them get up to speed.
If you are a Google Apps API developer and use ClientLogin authentication, after you enroll in 2-Step Verification, you'll need to use an application-specific password in place of your regular password.
Application-specific passwords are machine-generated passwords that you enter in your password field. Application-specific passwords are shown only at creation time, so for persistent API access, we recommend storing them in a secure place, as you would your password. Application-specific passwords do not expire; however, you can revoke them. For more information, see Turn off 2-Step Verification.
How to use your application-specific passwords with APIs
For APIs using ClientLogin authentication, use your API application-specific password in the Passwd attribute when making a POST request to the ClientLogin resource. An XML example of the POST request's body:
There is no difference between an application-specific password used for API access and an application-specific password used to access a desktop or mobile application: both are equivalent and provide the same privileges. To create an API application-specific password, follow the directions in Sign in using application-specific passwords.
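The ClientLogin request described above, as an added example that is not Google's code and not part of the original page. It assumes ClientLogin's form-encoded `accountType`/`Email`/`Passwd`/`service`/`source` parameters and its `Info=InvalidSecondFactor` error detail, neither of which is shown on this page; the environment variable name, account, `source` string and sample responses are constructed.

```python
import os
import urllib.parse
import urllib.request

CLIENTLOGIN_URL = "https://www.google.com/accounts/ClientLogin"


def normalize_asp(raw):
    # Assumption: the password is displayed in space-separated groups and the
    # spaces are not part of the secret, so strip all whitespace.
    asp = "".join(raw.split())
    if not asp:
        raise ValueError("empty application-specific password")
    return asp


def build_clientlogin_request(email, asp, service, source):
    # The application-specific password goes in Passwd, where the regular
    # account password would otherwise be sent.
    body = urllib.parse.urlencode({
        "accountType": "HOSTED",
        "Email": email,
        "Passwd": normalize_asp(asp),
        "service": service,
        "source": source,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(CLIENTLOGIN_URL, data=body, headers=headers, method="POST")


def parse_clientlogin_response(text):
    # Responses are newline-separated key=value pairs.
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    if "Auth" in fields:
        return {"ok": True, "auth": fields["Auth"]}
    hint = None
    if fields.get("Info") == "InvalidSecondFactor":  # assumed error detail
        hint = "2-Step Verification account: use an application-specific password"
    return {"ok": False, "error": fields.get("Error"), "hint": hint}


if __name__ == "__main__":
    # GOOGLE_APPS_ASP is a hypothetical variable name; the fallback is a
    # constructed placeholder so the demo runs without a real secret.
    asp = os.environ.get("GOOGLE_APPS_ASP", "abcd efgh ijkl mnop")
    req = build_clientlogin_request("admin@example.com", asp, "apps", "example-tool-1.0")
    print(req.get_method(), req.full_url)  # never print req.data: it holds the secret
    # Constructed sample of the failure returned when the regular password is sent.
    print(parse_clientlogin_response("Error=BadAuthentication\nInfo=InvalidSecondFactor\n"))
```

Because the password does not expire, read it from a secret store or environment at run time rather than committing it, and revoke it from the Authorized Access page if the host that holds it is retired.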