Set up 2-Step Verification

Protect your business with 2-Step Verification

These articles are for administrators. Enterprise users should see Turn on 2-Step Verification.

Use 2-Step Verification (2SV) to protect accounts from unauthorized access. 2SV puts an extra barrier between your business and cybercriminals who try to steal usernames and passwords to access business data. Turning on 2SV is the single most important thing you can do to protect your business.

What is 2-Step Verification?

2SV requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code delivered to a device). It’s also called multifactor authentication (MFA) or 2-factor authentication (2FA).

Do small businesses need 2-Step Verification?

Cybercriminals are increasingly targeting small businesses. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more. A hacker might be able to steal or guess a password, but they can’t reproduce  something only you have.

2-Step Verification methods

Security keys

Security keys are the most secure form of 2SV and protect against phishing threats. Users typically insert this physical key into a USB port on a computer. When prompted, a user touches the key.
With Android mobile devices, a user taps the security key on their Near Field Communication (NFC) enabled device. You can also find USB and Bluetooth® Low Energy (BLE) options for Android devices. Apple® mobile devices need Bluetooth-enabled security keys.

Google prompt

Users can set up their Android or Apple mobile devices to receive a sign-in prompt. When they sign in to their Google Account on their computer, they get a "Trying to sign in?" prompt on their mobile device. They simply confirm by tapping their mobile device.

Google Authenticator

Google Authenticator generates single-use 2SV codes on Android or Apple mobile devices. Users generate a verification code on their mobile device and, when prompted, enter it on their computer. They can enter it to sign in to a desktop, laptop, or even the mobile device itself.

Backup codes

If a user is away from their mobile device or works in a high-security area where they can't carry mobile devices, they can use a backup code for 2SV. Users can generate backup verification codes and print them ahead of time.

Text message or phone call

Google sends a 2SV code to mobile devices in a text message or voice call.

Best practices for 2-Step Verification

Enforce 2-Step Verification for administrators and key users

You can make 2SV optional or required for your users. We recommend enforcing 2SV for your administrator account and users who work with your most important business information.
  • The administrator account is the most powerful account because it can delete users, reset passwords, and access all your data.
  • Users who work with sensitive data such as financial records and employee information should also use 2SV.

Consider using security keys in your business

Because security keys are the strongest 2SV method, consider using them in your business.
  • Security keys—The strongest 2SV method, and they don’t require users to enter codes or carry a mobile phone. You can buy Titan Security Keys from the Google Store or order a compatible security key from a retailer you trust.
  • Alternatives to security keys—Google prompt or the Google Authenticator app are good alternatives if you decide not to use security keys. Google prompt provides a better user experience than Google Authenticator, because users simply tap their device when prompted (instead of entering a verification code).
  • Text messages are discouraged—They rely on external carrier networks and might be intercepted.

What's next?

Was this helpful?
How can we improve it?