Set up 2-Step Verification
Set up 2-Step Verification for your domain
Enable 2-Step Verification for your domain
- Click Security > Basic settings.
- Under 2-Step Verification, check Allow users to turn on 2-step verification.
This makes 2-Step Verification available for your users, but does not automatically enroll them. To enroll, users need to configure their verification settings individually. See Turn on 2-Step Verification.
Once all users have enrolled in 2-Step Verification, you can enforce its use following the instructions in Enforcement.
Account recovery recommendations for administrators
Here are recommendations to make administrator use of 2-Step Verification more reliable and secure:
- Avoid using secondary email addresses that do not support 2-Step Verification themselves. If those accounts become compromised, so can your Google administrator account.
- Organizations with multiple administrators should use each other's help for account recovery rather than a secondary email address.
- Organizations with a single administrator should print out backup codes to speed account recovery and avoid the use of insecure secondary email addresses.
- Administrators who want more control over how codes are received are encouraged to use our smartphone app with up-to-date software, and printed backup codes.
Tips for deploying to users
- Your users can't enroll in 2-Step Verification by going to https://www.google.com/accounts/SmsAuthConfig. Instead, instruct your users to follow these steps to get to their 2-Step enrollment page.
- The URL https://www.google.com/accounts/IssuedAuthSubTokens doesn't take your users to the Authorized Access to your Google Account page. Instead, instruct your users to follow these steps to generate an App Password for their mobile device.
And to help users make a smooth transition to using their new sign-in process, we recommend that you deploy this security feature as follows:
- Notify your users of this new security process and include instructions on how to get started. See a sample email notification.
- Point your Help Desk or Support staff to the Troubleshooting 2-Step Verification information to help them get up to speed.
- Consider running a pilot program targeting users with smartphones. You can set up a deployment day where your users take their phones and laptops to your Help Desk. We recommend that your IT staff sets up 2-Step Verification for your users and enters App Passwords where needed in their mobile devices and desktop applications.
Provide a lead time for users to enroll in 2-Step Verification before enforcement
Once you've enabled User enrollment to 2-step verification, you need all your users to enroll before you activate enforcement. You can give your users a monitored amount of time to enroll. On the ending date, users who haven't yet enrolled are locked out of their accounts.
- Click Security > Basic settings.
- Select the Go to advanced settings to enforce 2-step verification link.
- The Security > Advanced security settings page opens.
- Under Enforcement, check Turn on enforcement from date.
- Click on the date field to open the calendar.
- Use the calendar controls or enter a date by hand to specify an ending date when all users will have deployed 2-Step Verification. We recommend that this date be two to four weeks in the future.
Once you've enabled Turn on enforcement from date, your users see an interstitial page each time they log in, asking them to enroll.
They also receive reminder emails until they enroll. These emails are sent once a week and then daily for the last 5 days before the ending date.
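Before the ending date arrives, it helps to know exactly which accounts would be locked out. The following Python is an added example, not part of the original documentation: it checks a constructed list of user records against the lead-time and reminder rules described above. The field names (primaryEmail, isAdmin, isEnrolledIn2Sv, suspended) are assumed to mirror an export from the Admin SDK Directory API, which this page does not cover, and the function name and dates are hypothetical.

```python
from datetime import date

# Constructed sample records. Field names mirror the Admin SDK Directory API
# user resource (an assumption; the page only describes the Admin console).
USERS = [
    {"primaryEmail": "admin@example.com", "isAdmin": True,  "isEnrolledIn2Sv": True,  "suspended": False},
    {"primaryEmail": "ops@example.com",   "isAdmin": True,  "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "alice@example.com", "isAdmin": False, "isEnrolledIn2Sv": True,  "suspended": False},
    {"primaryEmail": "bob@example.com",   "isAdmin": False, "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "old@example.com",   "isAdmin": False, "isEnrolledIn2Sv": False, "suspended": True},
]

def enforcement_readiness(users, today, enforce_on):
    """Summarise who would be locked out if enforcement started on enforce_on."""
    # Suspended accounts cannot sign in anyway, so they are left out of the count.
    active = [u for u in users if not u.get("suspended", False)]
    # A missing flag counts as "not enrolled" so gaps in the export fail closed.
    pending = [u for u in active if not u.get("isEnrolledIn2Sv", False)]
    days_left = (enforce_on - today).days
    enrolled = len(active) - len(pending)
    return {
        "days_left": days_left,
        # The page recommends an ending date two to four weeks in the future.
        "lead_time_ok": 14 <= days_left <= 28,
        # Reminder emails go out daily for the last 5 days before the ending date.
        "daily_reminders": 0 < days_left <= 5,
        "enrolled_pct": round(100 * enrolled / len(active), 1) if active else 100.0,
        # Everyone listed here is locked out on the ending date.
        "lockout_risk": sorted(u["primaryEmail"] for u in pending),
        # Unenrolled administrators are the accounts to chase first.
        "admins_at_risk": sorted(u["primaryEmail"] for u in pending if u.get("isAdmin")),
    }

if __name__ == "__main__":
    report = enforcement_readiness(USERS, date(2024, 3, 1), date(2024, 3, 22))
    for key, value in report.items():
        print(f"{key}: {value}")
```
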
Disable 2-Step Verification for your domain
Uncheck Allow users to turn on 2-step verification to prevent new enrollments or modification of existing enrollments. Users who have already enrolled continue to be asked for a 2-Step Verification code.
Note: If you as administrator have 2-step verification enabled or enforced, you can't disable this setting by unchecking Allow users to turn on 2-step verification. This prevents accidental lockout from your domain.
Unenroll individual users
- From the Admin console Home page, go to Users.
- In the Users list, find the user. If you need help, see Find a user account.
- Click the user’s name to open their account page.
- Click Security.
- Click 2-step verification, and then click the On/Off slider.
- Click Done.
- (Optional) To return to the user’s account page, at the top right, click the Up arrow.
This change takes effect immediately. The user also receives an automated email from Google explaining that they are no longer enrolled.