Set up 2-Step Verification

Protect your business with 2-Step Verification

These articles are for Google Workspace administrators. Google Workspace users should go to Turn on 2-Step Verification

You can use 2-Step Verification (2SV) to put an extra barrier between your business and cybercriminals who try to steal usernames and passwords to access business data.

Important: Google is enforcing 2SV for administrator accounts. For details, go to About 2SV enforcement for admins.

What is 2SV?

With 2SV, your users sign in to their account in two steps with something they know (their password) and something they have (their phone or a  Security Key). Learn how it works.

Secure your Google Workspace user accounts

Do small businesses need 2SV?

Cybercriminals target businesses of all sizes. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more.

A hacker could steal or guess a password, but they can’t reproduce something only you have.

2SV methods

When you set up 2SV, you choose the second verification step for your users.

Expand all  |  Collapse all & go to top

Security keys
Security keys are the most secure form of 2SV and protect against phishing threats. There are 2 types of security keys:

When a user signs in to their Google Account, their device detects that the account has a security key. For the second verification step, the user signs in with their security key. Users connect their security key to their device by USB, Bluetooth, or NFC (Near Field Communication), depending on the type of key. Learn more about security keys.

Google prompt
Users can set up their Android or Apple mobile devices to receive a sign-in prompt. When they sign in to their Google Account on their computer, they get a "Trying to sign in?" prompt on their mobile device. They simply confirm by tapping their mobile device. Signing in this way adds the security of 2SV and is quicker than entering a verification code. Learn more about phone prompts.
Google Authenticator and other verification code generators
Users generate one-time verification codes on a hardware token (small hardware device) or an app on their mobile device, such as Google Authenticator. The user enters the code to sign in to their computer and other devices, including the mobile device itself. Google Authenticator and other apps don't need an internet connection to generate codes.
2SV supports software and hardware tokens that use the TOTP (Time-based One Time Password) standard.
Backup codes
If a user doesn't have their mobile device or works in an area where they can't carry mobile devices, they can use backup codes for 2SV. Users can generate backup verification codes and print them ahead of time.
Text message or phone call
Google sends a 2SV code to mobile devices in a text message or voice call.

Note: 2SV using local phone numbers is not currently supported for some domains in Nigeria and Ivory Coast, due to large volumes of account abuse in those countries. For information on whether your domain is eligible, please contact Support.

Passkeys
If an admin has enabled skip password on a user's account, they can skip password sign-in challenges and instead use a passkey that incorporates first and second-factor authentication. With passkeys, users can sign in to their managed Google Account using their phone, a security key, or their computer’s screen lock. For details, go to Sign in with a passkey instead of a password.

Best practices for 2SV

Enforce 2SV for administrators and key users
You can make 2SV optional or required for your users. We recommend enforcing 2SV for your administrator account and users who work with your most important business information.
  • The administrator account is the most powerful account because it can delete users, reset passwords, and access all your data.
  • Users who work with sensitive data such as financial records and employee information should also use 2SV.
  • 2SV is the first line of defense that can cut account takeover by as much as 50%.
Consider using security keys in your business
Because security keys are the strongest 2SV method, consider using them in your business.
  • Security keys—The strongest 2SV method, and they don’t require users to enter codes.
  • Alternatives to security keys—If you decide not to use security keys, Google prompt or the Google Authenticator app are good alternatives. Google prompt provides a better user experience because users simply tap their device when prompted instead of entering a verification code.
  • Text messages are discouraged—They rely on external carrier networks and might be intercepted.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
9600054387449269794
true
Search Help Center
true
true
true
true
true
73010
false
false
false
false