Add 2-Step Verification
These articles are for administrators. End users should see About 2-Step Verification.
2-Step Verification adds an extra layer of security to your users' managed Google accounts by requiring them to complete a second verification step, such as entering a verification code, in addition to their username and password when signing in to their account.
Why should I enable 2-Step Verification for my domain?
2-Step Verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's second verification step. That step can be a code that only the user can obtain from their own mobile phone, or a cryptographic signature produced by a security key that the user physically possesses.
2-Step Verification should always be enabled and enforced for Super Administrators, VIPs, and accounts with sensitive access, and should be enforced for all other user accounts as well.
- To use 2-Step Verification, a user needs a second factor with which to approve sign-in attempts, normally a phone. They can use an Android phone or iPhone with a data connection to receive Google prompts, or the Authenticator app to generate verification codes while offline. They may also choose to receive verification codes by text message or phone call. After 2-Step Verification is enabled, users can also register security keys or print backup codes.
- Note: If SAML single sign-on (SSO) is enabled for your domain, Google's 2-Step Verification does not apply when users sign in through your SSO identity provider (IdP), so any second factor for those sign-ins must be enforced by the IdP itself. Super Administrators, however, can sign in either directly with Google or through the SSO IdP. If the sign-in goes through Google and 2-Step Verification is configured, the admin is prompted for the second factor. If the sign-in goes through the SSO IdP, the second factor is not prompted for, even if 2-Step Verification is configured. See Partner-operated SAML Single Sign-On (SSO) Service for G Suite for details on using SSO for your domain.
Note: If you're an API developer, read API Developers before enrolling in 2-Step Verification.
How it works
- You enable 2-Step Verification for your domain in your Google Admin console. See Set up 2-Step Verification for your domain for the steps. We recommend that you notify your users of this new security process and include instructions on how to get started.
Note: Although users must opt in to 2-Step Verification themselves, you can require them to do so. Do not enforce 2-Step Verification until all affected users have opted in, or those who haven't will be locked out of their managed Google account (for example, G Suite or Cloud Identity). See the Enforcement article for instructions.
- The user enrolls in 2-Step Verification and selects their second step: Google prompt, the Authenticator app, text message or phone call, a security key, or printable backup codes. How quickly they receive a prompt, or a code by text message or phone call, depends on their data connection, service provider, and location. We recommend that users with smartphones use Google prompt when online and the Authenticator app when they have no network connection. Point your users to About 2-Step Verification for step-by-step instructions.
- The next time the user signs in to their managed Google account on a new browser or device, they enter their username and password as usual. They're then prompted on a second page for their verification code. If the user checks Remember verification for this computer, they're prompted for a verification code only once every 30 days per browser, or sooner if they delete their browser's cookies. Users should not check this box on a public or shared computer.
- Depending on the method they chose, the user either approves the Google prompt on their phone or obtains a one-time code: a time-based code generated by the Google Authenticator app on their smartphone, or a code delivered by text message or phone call. They then enter the code to complete the sign-in.
If a user loses their phone, they can use backup codes to sign in. See Sign in using backup codes.
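Before turning on enforcement, an administrator wants to know exactly who is not yet enrolled, since those are the users who would be locked out. The following Python is an added example, not code from this article or from Google's own tooling: it reads the JSON that the Admin SDK Directory API users.list method returns (the primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv, isAdmin, suspended and orgUnitPath fields of each user) and reports which organizational units can be enforced safely and which users block enforcement. The response embedded below is a constructed sample, not a real directory; fetching the real one with an authorized admin credential is left out.

```python
import json
from collections import defaultdict

# Constructed sample of a users.list response, trimmed to the fields this check uses.
# In practice: GET https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer
# with an authorized admin credential; the real response carries many more fields.
SAMPLE_USERS_RESPONSE = json.dumps({
    "kind": "admin#directory#users",
    "users": [
        {"primaryEmail": "alice@example.com", "orgUnitPath": "/", "isAdmin": True,
         "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
        {"primaryEmail": "bob@example.com", "orgUnitPath": "/Engineering", "isAdmin": False,
         "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
        {"primaryEmail": "carol@example.com", "orgUnitPath": "/Engineering", "isAdmin": False,
         "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
        {"primaryEmail": "dave@example.com", "orgUnitPath": "/Sales", "isAdmin": False,
         "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
        {"primaryEmail": "erin@example.com", "orgUnitPath": "/Sales", "isAdmin": False,
         "suspended": True, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    ],
})


def enforcement_report(response_json: str) -> dict:
    """Summarize 2-Step Verification enrollment so enforcement can be switched on safely."""
    users = json.loads(response_json).get("users", [])
    blocked = defaultdict(list)   # org unit -> active users who would be locked out
    seen_units = set()
    not_enrolled, admins_not_enrolled, suspended_skipped = [], [], []

    for u in users:
        email = u["primaryEmail"]
        if u.get("suspended"):
            suspended_skipped.append(email)   # cannot sign in anyway; not a lockout risk
            continue
        unit = u.get("orgUnitPath", "/")
        seen_units.add(unit)
        if not u.get("isEnrolledIn2Sv"):
            not_enrolled.append(email)
            blocked[unit].append(email)
            if u.get("isAdmin"):
                admins_not_enrolled.append(email)   # the accounts that matter most

    return {
        "active_users": len(users) - len(suspended_skipped),
        "not_enrolled": sorted(not_enrolled),
        "admins_not_enrolled": sorted(admins_not_enrolled),
        "suspended_skipped": sorted(suspended_skipped),
        "safe_org_units": sorted(seen_units - set(blocked)),
        "blocked_org_units": {unit: sorted(v) for unit, v in sorted(blocked.items())},
        "safe_to_enforce_domain": not not_enrolled,
    }


if __name__ == "__main__":
    print(json.dumps(enforcement_report(SAMPLE_USERS_RESPONSE), indent=2))
```

On the sample directory the report shows that "/" and "/Sales" can be enforced while "/Engineering" is blocked by one unenrolled user. Two caveats when running this against a real domain: users.list pages its results (follow nextPageToken until it is absent), and an enforcement setting applied to an organizational unit is inherited by its child units, so check every descendant unit before enforcing at a parent.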
Signing in to mobile devices with app passwords
Once your users enroll in 2-Step Verification, they may also need app passwords. Installed applications that can't prompt for a second step require an app password: a password generated in the user's account security settings that the user enters once per device or application in place of their regular password to access their Google Account. Because an app password lets that application in without a second step, users should treat it like any other credential and revoke it from their account settings if the device is lost or no longer used.
Common devices and applications that require app passwords are the Gmail and Google Calendar apps on Android phones, ActiveSync on Windows Mobile and iPhone, and IMAP clients such as Thunderbird. See Sign in to mobile or desktop apps for more details.
Remember that good security practices are critical to the integrity of your users' Google Accounts. Learn more at Keeping your account secure.
Note: The G Suite Service Level Agreement does not apply to any services used in connection with 2-Step Verification if the verification process relies on third-party voice or data providers to deliver the verification code.
Note: When you disable 2-Step Verification for a user, their registered security keys are revoked.
Note: We suggest that users who have registered a security key to a personal account remove the key from that account before returning or handing over the security key.