Set up 2-Step Verification

Set up 2-Step Verification for your domain

Enable 2-Step Verification for your domain

  1. Sign in to the Google Admin console.
  2. Click Security > Basic settings.
    Where is it?
  3. Under 2-Step Verification, check Allow users to turn on 2-factor authentication.

This makes 2-Step Verification available for your users, but does not automatically enroll them. To enroll, users need to configure their verification settings individually. See Set up 2-Step Verification.

Once all users have enrolled in 2-Step Verification, you may enforce its use following the instructions in Manage your users' security settings.

Account recovery recommendations for administrators

Here are recommendations to make administrator use of 2-Step Verification more reliable and secure:

  • Avoid using secondary email addresses that do not support 2-Step Verification themselves. If those accounts become compromised, so can your Google Apps administrator account.  
  • Organizations with multiple administrators should use each other's help for account recovery rather than a secondary email address.
  • Organizations with a single administrator should print out backup codes to speed account recovery and avoid the use of insecure secondary email addresses.  
  • Administrators who want more control over how codes are received are encouraged to use our smartphone app with up-to-date software, and printed backup codes.

Tips for deploying to users

And to help users make a smooth transition to using their new sign-in process, we recommend that you deploy this security feature as follows:

  1. Notify your users of this new security process and include instructions on how to get started. See a sample email notification.
  2. Point your Help Desk or Support staff to the Troubleshooting 2-Step Verification information to help them get up to speed.
  3. Consider running a pilot program targeting users with smartphones. You can set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-Step Verification for your users and enters application-specific passwords where needed in their mobile devices and desktop applications.

Provide a lead time for users to enroll in 2-Step Verification before enforcement

Once you have enabled User enrollment to 2-step verification, you'll need all your users to enroll before you activate enforcement. You can give your users a monitored amount of time to enroll.

Note: Users must opt-in to 2-Step Verification themselves. Do not enforce 2-Step Verification until all users have enrolled, or they will be locked out of Google Apps.

Once you have enabled Turn on enforcement from date, your users will see an interstitial page each time they login and will also receive reminder emails until they enroll. These emails are sent once a week and then daily for the last five days before the ending date.

  1. Sign in to the Google Admin console.
  2. Click Security > Basic settings.
    Where is it?
  3. Select the Go to advanced settings to enforce 2-step verification > > link.
  4. The Security > Advanced security settings opens.
  5. Under Enforcement, check Turn on enforcement from date.
  6. Click on the date field to open the calendar.
  7. Use the calendar controls or enter a date by hand to specify an ending date when all users will have deployed 2-Step Verification. We recommend that this date be two to four weeks in the future.

Disable 2-Step Verification for your domain

Uncheck Allow users to turn on two-factor authentication to prevent new enrollments or modification of existing enrollments. Users who have already enrolled would continue to be asked for 2 factor code.

Unenroll individual users

  1. In your Admin console, go to the Users page.
  2. Click an individual user.
  3. Unenroll the user by clicking Show more > Security.

This change takes effect immediately. The user also receives an automated email from Google explaining that they are no longer enrolled.

Was this article helpful?