Set up 2-Step Verification

Set up 2-Step Verification for your domain

Enable 2-Step Verification for your domain

  1. Sign in to the Google Admin console.
  2. Click Security > Basic settings.
    Where is it?
  3. Under 2-Step Verification, check Allow users to turn on 2-factor authentication.

This makes 2-Step Verification available for your users, but does not automatically enroll them. To enroll, users need to configure their verification settings individually. See Set up 2-Step Verification.

Account recovery recommendations for administrators

Here are recommendations to make administrator use of 2-Step Verification more reliable and secure:

  • Avoid using secondary email addresses that do not support 2-Step Verification themselves. If those accounts become compromised, so can your Google Apps administrator account.  
  • Organizations with multiple administrators should use each other's help for account recovery rather than a secondary email address.
  • Organizations with a single administrator should print out backup codes to speed account recovery and avoid the use of insecure secondary email addresses.  
  • Administrators who want more control over how codes are received are encouraged to use our smartphone app with up-to-date software, and printed backup codes.

Tips for deploying to users

And to help users make a smooth transition to using their new sign-in process, we recommend that you deploy this security feature as follows:

  1. Notify your users of this new security process and include instructions on how to get started. See a sample email notification.
  2. Point your Help Desk or Support staff to the Troubleshooting 2-Step Verification information to help them get up to speed.
  3. Consider running a pilot program targeting users with smartphones. You can set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-Step Verification for your users and enters application-specific passwords where needed in their mobile devices and desktop applications.
  4. Once all users have enrolled in 2-Step Verification, you may enforce its use following the instructions in Manage your users' security settings.

Disable 2-Step Verification for your domain

Uncheck Allow users to turn on two-factor authentication to prevent new enrollments or modification of existing enrollments. Users who have already enrolled would continue to be asked for 2 factor code.

Unenroll individual users

  1. In your Admin console, go to the Users page.
  2. Click an individual user.
  3. Unenroll the user by clicking Show more > Security.

This change takes effect immediately. The user also receives an automated email from Google explaining that they are no longer enrolled.