Set up 2-Step Verification
Add 2-Step Verification
These articles are for Google Apps Administrators. End users should see About 2-Step Verification.
2-Step Verification adds an extra layer of security to your users' Google Apps accounts by requiring them to enter a verification code in addition to their username and password when signing in to their account.
Why should I enable 2-Step Verification for my domain?
2-Step Verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes which only the user can obtain via their own mobile phone, or via an encrypted signature contained on a security key.
- You need to have a mobile phone that can receive the verification code via text message or phone call, or an Android, BlackBerry, or iPhone. These devices use the Google Authenticator mobile app to generate the verification code.
- Note: 2-Step Verification can't be used for accounts using a SAML single sign-on service (SSO). See SAML SSO Service for Google Apps.
Note: If you're an API developer using ClientLogin authentication, read API Developers before enrolling in 2-Step Verification.
How it works
- You enable 2-Step Verification for your domain in your Google Admin console. See Set up 2-Step Verification for your domain for how to enable 2-Step Verification for your account. We recommend that you notify your users of this new security process and include instructions on how to get started.
Note: Although users must opt-in to 2-Step Verification themselves, you may require them to do so. Do not make this change until all users have opted in, or they will be locked out of Google Apps. See the Enforcement article for instructions.
- The user enrolls in 2-Step Verification, and selects the method for receiving their verification code on their mobile phone: the Google Authenticator app, text message, or phone call. How quickly they get their code via text message or phone call depends on their service provider and location. We recommend users with smartphones to use the Google Authenticator app which can generate codes without a network connection. Point your users to About 2-Step Verification for step by step instructions.
- The next time the user signs in to their Google Apps account on a new browser or device, they enter their username and password as usual. They're then prompted with a second page to enter a verification code. When your user checks Remember verification for this computer, they're only prompted to enter a verification code once every 30 days per browser or after deleting their browser's cookies. Your users should not check this if they're at a public or shared computer.
- Depending on how they opted to receive their code, the user gets their time-based, one-time code from the Google Authenticator app on their smartphone or via text message or phone call. They then enter the code to successfully sign in.
- If a user loses their phone, they can use backup codes to sign in. See Sign in using backup codes.
Signing in to mobile devices with application-specific passwords
Once your users enroll in 2-Step Verification, they may need to use application-specific passwords in addition to their verification codes. For installed applications that don't have a 2-Step Verification field, your users will need to enter an application-specific password once per device or application in place of their regular password to access their Google Account.
Common devices and applications that require application-specific passwords are: Gmail and Google Calendar on Android-based phones, ActiveSync for Windows Mobile and iPhone, and IMAP clients such as Thunderbird. See Sign in to mobile or desktop apps for more details.
Remember that good security practices are critical to the integrity of your user's Google Account. Learn more at Keeping your account secure.
Note: The Google Apps Service Level Agreement does not apply to any services used in connection with 2-Step Verification if the verification process relies on third-party voice or data providers to deliver the verification code.
Note: When you disable 2-Step Verification for a user their registered security keys are revoked.
Note: We suggest that users with personal account information on their security keys should revoke access to that information before returning their security key.