These articles are for Google Workspace administrators. Google Workspace users should go to Turn on 2-Step Verification.
2-Step Verification puts an extra barrier between your business and cybercriminals who try to steal usernames and passwords to access business data. Turning on 2-Step Verification is the single most important action you can take to protect your business.
What is 2-Step Verification?
With 2-Step Verification, your users sign in to their account in two steps with something they know (their password) and something they have (their phone or a Security Key). Learn how it works
Secure your Google Workspace user accounts
Do small businesses need 2-Step Verification?
Cybercriminals target businesses of all sizes. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more.
A hacker could steal or guess a password, but they can’t reproduce something only you have.
2-Step Verification methods
When you set up 2-Step Verification, you choose the second verification step for your users.
- A hardware security key or a Titan Security Key.
- Your phone's built-in security key (available on phones running Android 7+ or iOS 10+).
When a user signs in to their Google Account, their device detects that the account has a security key. For the second verification step, the user signs in with their security key. Users connect their security key to their device by USB, Bluetooth, or NFC (Near Field Communication), depending on the type of key. Learn more about security keys
Google sends a 2-Step Verification code to mobile devices in a text message or voice call.
Note: 2-step verification using local phone numbers is not currently supported for some domains in Nigeria and Ivory Coast, due to large volumes of account abuse in those countries. For information on whether your domain is eligible, please contact Support.
Best practices for 2-Step Verification
- The administrator account is the most powerful account because it can delete users, reset passwords, and access all your data.
- Users who work with sensitive data such as financial records and employee information should also use 2-Step Verification.
- Security keys—The strongest 2-Step Verification method, and they don’t require users to enter codes. You can buy compatible security keys from a retailer you trust, or Titan Security Keys from the Google Store. Or your users can use their phone's built-in security key (available on phones running Android 7+ or iOS 10+).
- Alternatives to security keys—If you decide not to use security keys, Google prompt or the Google Authenticator app are good alternatives. Google prompt provides a better user experience because users simply tap their device when prompted instead of entering a verification code.
- Text messages are discouraged—They rely on external carrier networks and might be intercepted.
- Turn on 2-Step Verification by following the instructions in Deploy 2-Step Verification.