View user security settings and revoke access
If you have the legacy free edition of Google Apps, upgrade to G Suite to get this feature.
As an administrator, you can view and manage the security settings for a particular user in the Google Admin console. You can also revoke access to third-party services and security keys if needed. In particular, you can:
- Determine if 2-step verification is in use.
- Examine a user's password strength.
- View and revoke security key access to Google accounts.
- View and revoke App Passwords.
- View and revoke authorized access to Google account information.
- Temporarily disable a Login Challenge.
To access a user's security settings:
- Click Users.
- You can now view real-time status of 2-step verification enrollment by accessing the user list section. If you don't see a column labeled 2-step verification enrollment, click More and choose Select columns.
- In the submenu select the column labeled 2-step verification enrollment and then click Apply.
The listing on the Users page now shows whether or not each user is enrolled in 2-Step Verification.
- Click the user whose security settings you want to access.
- Click Security. You may need to click Show more to see the Security section.
Determine if the user has enabled 2-step verification at the top. You can disable 2-Step Verification by clicking Turn off 2-step verification.
If 2-Step Verification is enabled, the user's backup verification codes are also available and can be displayed by clicking Show backup verification codes. See Sign in using backup codes to help users with these codes. If the user is required to use only a security key and is using backup verification codes, the duration of the grace period is displayed here. They'll only be able to use their backup verification codes until this grace period expires. After that they have to use their security key to sign in.
In this section, you can verify the user's password strength. See Set password strength and user password recovery for instructions on changing password requirements.
A security key is a small physical device used for signing in that plugs into your computer's USB port or connects to your mobile device using Bluetooth.
View the security keys enrolled by the user. See Add a Security Key to your Google Account to help users with these keys.
Add a security key for the user by clicking Add new key. Users you enroll this way don't need to register their phone numbers to register their security key.
Order a discounted security key by logging in using your Google account.
If you unenroll a security key, the user will not be able to use it for 2-Factor Authentication. To unenroll a key, click Revoke and then click OK. The Admin console audit log adds an entry each time you revoke a security key.
Requiring security key use
From the Admin console dashboard, go to Security > Basic settings.
To see Security on the dashboard, you might have to click More controls at the bottom.
- Click Advanced settings.
In the Authentication section, under Select allowed 2-step verification methods, three new settings appear:
- Choose the length of the new user enrollment period for the domain.
When you enforce second factors on a domain your new users can be automatically put in an enrollment period from the date of their first sign-in. They'll be able to sign in without a second factor until this new user enrollment period expires. After the new user enrollment period expires they can use only their security key or other second factor to sign in.
Choose the number of days you want to provide as the new user enrollment period. Your new users should enroll in 2-SV within this timeframe.
Values for the new user enrollment period:
None (no enrollment period)
The default is None (no enrollment period).
- Choose which second factors are enabled for the domain:
Security key only
- Choose the length of the 2-SV suspension grace period for the domain.
When backup verification codes are generated for security key-only users they are automatically put in a grace period for the amount of time you choose below. They'll only be able to use their backup verification codes until this grace period expires. After the grace period expires they can use only their security key to sign in.
Values for the grace period:
The default is 1 day.
These users are told to enroll in 2-SV by an interstitial notice that includes the date the grace period expires.
If they haven't enrolled by then, they're locked out.
Note: If you enforce security keys on domains with Less secure apps enabled, you'll see this message:
For enhanced security, please disable Less secure apps before enforcing security keys.
What if users lose their security key?
When users lose access to their security keys, you'll need to confirm their identity, and then issue them a temporary backup verification code. This backup verification code allows them to sign into their account once in order to register a new security key. When backup verification codes are generated for security key-only users they are automatically put in a grace period of 1, 2, 5, or 7 days. They'll only be able to use their backup verification codes until this grace period expires. After the grace period expires they must use their security key to sign in.
What if I lose my security key?
To prevent being locked out of your account, we recommend the following best practices:
- Register more than one security key to your account, and store one in a safe place in case you lose access to your primary key.
- Enable more than one administrator on your domain. The second administrator can go to Users > User Details > Security > Show backup verification codes > Generate new codes and put you into a grace period during which backup codes are accepted. If you don't have a second administrator, contact G Suite Support (G Suite only).
Security Key Enforcement is only available to G Suite Enterprise and Cloud Identity users. Security Key Management is available to G Suite Business, G Suite Enterprise, and Cloud Identity users.
Here, you can see any App Passwords created by the user. See Sign in using App Passwords to help users set them up.
If you want to remove a password, click Revoke and then click OK.
In this section, you can see the third-party services that have access to the user's Google account. See How authorized access works to understand how this authorization is enabled.
The column for Service identifies what applications your users have granted access to their Google data. The Scope of access column specifies the user data that the service can access. A user can grant full access or access to specific Google data.
To remove access to a service, click Revoke > OK. You can only revoke service access after it's been granted. You can't preemptively block users from granting access to certain apps. See Remove App Passwords to help users remove their own passwords.
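Because access can only be revoked after it has been granted, a periodic bulk review helps alongside the per-user console view. The following is an added example, not part of the original page and not Google's code: it assumes user and token records exported as JSON in the shape returned by the Admin SDK Directory API, and the sample records, client IDs and the `BROAD_SCOPES` set are constructed for illustration.

```python
# Assumption: scopes this example treats as broad; adjust to local policy.
BROAD_SCOPES = {"https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"}

# Constructed records shaped like Directory API users.list / tokens.list items.
# userKey is shown as an email address for readability.
USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "suspended": True},
    {"primaryEmail": "dave@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "suspended": False},
]
TOKENS = [
    {"userKey": "bob@example.com", "clientId": "1111.apps.example",
     "displayText": "Mail Merge Tool", "scopes": ["https://mail.google.com/"]},
    {"userKey": "dave@example.com", "clientId": "1111.apps.example",
     "displayText": "Mail Merge Tool", "scopes": ["https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "2222.apps.example",
     "displayText": "Calendar Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "alice@example.com", "clientId": "3333.apps.example",
     "displayText": "Drive Sync",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
]

def users_without_2sv(users):
    """Active users not enrolled in 2SV, administrators listed first."""
    missing = [u for u in users
               if not u.get("suspended") and not u.get("isEnrolledIn2Sv")]
    missing.sort(key=lambda u: (not u.get("isAdmin"), u["primaryEmail"]))
    return [u["primaryEmail"] for u in missing]

def broad_grants_by_app(tokens, broad=BROAD_SCOPES):
    """Group grants holding a broad scope by client ID, most users first."""
    apps = {}
    for t in tokens:
        hits = set(t.get("scopes", [])) & broad
        if hits:
            app = apps.setdefault(t["clientId"], {
                "name": t.get("displayText", ""), "users": set(), "scopes": set()})
            app["users"].add(t["userKey"])
            app["scopes"] |= hits
    ranked = sorted(apps.items(), key=lambda kv: (-len(kv[1]["users"]), kv[0]))
    return [(cid, a["name"], sorted(a["users"]), sorted(a["scopes"]))
            for cid, a in ranked]
```

`users_without_2sv(USERS)` lists the accounts to chase for enrollment, and `broad_grants_by_app(TOKENS)` gives the services whose grants deserve a look before deciding what to revoke.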
If Google detects that an unauthorized person is attempting to access a user's account, it presents them with a Login Challenge before granting access to the account. The user must verify their identity by entering a verification code that Google sent to their phone or by answering some other challenge that only the authorized user can resolve.
Click Disable Login Challenge if the authorized user can't verify their identity. The Login Challenge will be disabled for a period of 10 minutes to allow the user to sign in.