Set up 2-Step Verification
Set up 2-Step Verification for your domain
Enable 2-Step Verification for your domain
- Sign in to the Google Admin console.
- Click Security > Basic settings.
Where is it?
- Under 2-Step Verification, check Allow users to turn on 2-factor authentication.
This makes 2-Step Verification available for your users, but does not automatically enroll them. To enroll, users need to configure their verification settings individually. See Set up 2-Step Verification.
Account recovery recommendations for administrators
Here are recommendations to make administrator use of 2-Step Verification more reliable and secure:
- Avoid using secondary email addresses that do not support 2-Step Verification themselves. If those accounts become compromised, so can your Google Apps administrator account.
- Organizations with multiple administrators should use each other's help for account recovery rather than a secondary email address.
- Organizations with a single administrator should print out backup codes to speed account recovery and avoid the use of insecure secondary email addresses.
- Administrators who want more control over how codes are received are encouraged to use our smartphone app with up-to-date software, and printed backup codes.
Tips for deploying to users
- Your users won't be able to enroll in 2-Step Verification by going to https://www.google.com/accounts/SmsAuthConfig. Instead, instruct your users to follow these steps to get to their 2-Step enrollment page.
- The URL https://www.google.com/accounts/IssuedAuthSubTokens won't take your users to the Authorized Access to your Google Account page. Instead, instruct your users to follow these steps to generate an application-specific password for their mobile device.
And to help users make a smooth transition to using their new sign-in process, we recommend that you deploy this security feature as follows:
- Notify your users of this new security process and include instructions on how to get started. See a sample email notification.
- Point your Help Desk or Support staff to the Troubleshooting 2-Step Verification information to help them get up to speed.
- Consider running a pilot program targeting users with smartphones. You can set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-Step Verification for your users and enters application-specific passwords where needed in their mobile devices and desktop applications.
- Once all users have enrolled in 2-Step Verification, you may enforce its use following the instructions in Manage your users' security settings.
Disable 2-Step Verification for your domain
Uncheck Allow users to turn on two-factor authentication to prevent new enrollments or modification of existing enrollments. Users who have already enrolled would continue to be asked for 2 factor code.
Unenroll individual users
- In your Admin console, go to the Users page.
- Click an individual user.
- Unenroll the user by clicking Show more > Security.
This change takes effect immediately. The user also receives an automated email from Google explaining that they are no longer enrolled.