Manage user security settings

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

As an administrator for your organization's G Suite or Cloud Identity service, you can view and manage security settings for a user. For example, you can reset a user's password, add or remove security keys for multi-factor authentication, and reset user sign-in cookies.

Open user security settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Users.
  3. In the Users list, find the user.

    Tip: To find a user, you can also type the user's name or email address in the search box at the top of your Admin console. If you need help, see Find a user account.

  4. Click the user’s name to open their account page.
  5. Click Security.

    Find the security section close to the top of the details.

  6. View or manage the user's security settings by following the steps below.

View and manage user security settings

Reset a user's password
  1. Click Password and then Reset Password.
  2. Choose to automatically generate the password or enter a password.

    By default, password minimum length is 8 characters. You can change password requirements for your organization.

  3. (Optional) To view the password, click Preview.
  4. (Optional) To require the user to change the password, ensure that Ask for a password change at the next sign-in is On.
  5. Click Reset.
  6. (Optional) To paste the password somewhere, such as in a Hangouts Chat conversation with the user, click Click to copy password.
  7. Choose to email the password to the user, or click Done.
View, add, or remove security keys

A security key is a small device that lets you sign in to a Google Account using 2-Step Verification. Of all the 2SV methods supported by Google, a security key is the most secure. It plugs into your computer's USB port or connects to your mobile device using NFC or Bluetooth®. Learn more.

If a security key is in use for this user, click the Security keys section to see when the key was added and last used.

Add a key

You can add a security key for a user, or they can add their own keys.

  • Users can add their own keys by following the instructions in Add a security key to your Google Account.
  • To add a key for the user:
    1. Click in Security keys to display the add button.
    2. Click Add Security Key.
    3. Follow the on-screen instructions.

      Note: If you have a security key plugged in to your computer, remove your key before registering a new key for a user.

    4. Click Done.

Remove a key

Remove a security key only when the key is lost. If a key is temporarily unavailable, you can generate backup security codes as a temporary workaround. See Get backup verification codes for a user below.

  1. Click in Security keys to display the key information table.
  2. Scroll the table all the way to the right.
  3. Hover over the table row for the key you want to remove to display Remove at the right.
  4. Click Remove and then Remove.
  5. Click Done.

    The Admin audit log adds an entry each time you revoke a security key.

Note: You can require users to use security keys with 2-Step Verification.

Check 2-Step Verification settings

Only the user can turn on 2-Step Verification. As admin, you can check a user’s current 2-step verification setting and if necessary get a backup code for a locked-out user.

The 2-step verification section shows whether 2SV is turned on for the user, and whether 2SV is currently enforced across your organization.

  • You have the option of turning off 2SV for a locked-out user, but this isn’t recommended. Instead, get a backup code for the user to allow them to sign in to their account.
  • If 2SV is enforced across your organization, the option to turn off 2SV for an individual user is disabled.
Get backup verification codes for a user

Users who temporarily can’t access their second authentication method may get locked out. For example, a user may have left their security key at home, or can’t receive an access code by phone. For these users, you can generate backup verification codes to allow them to sign in.

  1. To view the user's backup verification codes, click 2-Step Verification and then Get backup verification codes.
  2. Copy one of the existing backup codes or generate new codes. Note: Select Get new codes if you think the existing backup codes were stolen or have been used up. The old set of backup codes automatically becomes inactive.
  3. Tell your user to follow the instructions in Sign in using backup codes.

If the user is required to use a security key for 2-step verification, you'll see the grace period that's left before they need to use their security key to sign in.

Force a password change

If you suspect that the user's password has been stolen, you can force the user to reset their password when they next sign in.

  1. Click Require password change and then Turn on.
  2. Click Done.

After the user resets their password, this setting is automatically set to Off.

Temporarily turn off a login challenge

If Google suspects an unauthorized attempt to sign in to a user's account, a login challenge appears before access to the account is granted. The user must enter a verification code that Google sends to their phone. Or, the user can choose to answer another challenge that only the account owner can solve.

If the authorized user can't verify their identity, you can briefly turn off the login challenge to allow the user to sign in:

  1. Click Login Challenge and then Turn off for 10 mins.
  2. Click Done.
Reset the user's sign-in cookies

If a user loses their computer or mobile device, you can help prevent unauthorized access to their Google Account by resetting their sign-in cookies. This signs the user out of their Google Account (including any G Suite applications) across all devices and browsers.

Note: If you suspended a user, you don't need to do this. Suspending a user resets their sign-in cookies.

If you have set up single sign-on (SSO) using a third-party identity provider (IdP), the user's SSO session may still allow access to their Google Account after resetting their sign-in cookies. In this case, terminate their SSO session before resetting their Google sign-in cookies. For help with SSO management, contact your IdP support team.

To reset the user's cookies:

  1. Click Sign-in cookies and then Reset.
  2. Click Done.

It can take up to an hour to sign the user out of current Gmail sessions. The time for other applications can vary.

View and revoke application-specific passwords

If your users use 2-step verification and need to sign in to apps or devices that don’t accept verification codes, they need application-specific passwords to access those apps. Learn more.

Any apps for which the user has created app passwords are listed in the Application-specific password section. Note: If no app passwords are in use, this section is inactive.

Click an app name to see information on when the password for that app was created, and when it was last used.

You should revoke an app password if a user loses a device or stops using an app that was authorized with that password.

  1. Click in the Application-specific password section to view apps using app passwords.
  2. Mouse over an app name and click Remove at right.
  3. Click Revoke.
  4. Click Done.

Your users can also revoke their own app passwords.

View and remove access to third-party applications

The Connected applications section lists all the third-party applications (for example, G Suite Marketplace apps) that have access to this user’s Google Account data. Learn how authorized access works. 

Note: If no third-party applications have been installed, this section is inactive.

Click an application name to see more information:

  • The Access level column shows the user data that the application can access. A user can grant full or partial access to Google data.
  • The Authorization date column shows when the application was granted data access.

To temporarily remove an app’s access to data:

  1. Mouse over an app name and click Revoke at right.
  2. Click Remove.
  3. Click Done.

Note: Removing data access for an app doesn't prevent a user from using the app in the future (if the user has the necessary permissions). Once a user signs into the app again, data access is restored. To permanently restrict user access to applications, you can block access to specific application scopes, and set up a whitelist of approved apps for your organization.
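
The lost-device actions described above (reset sign-in cookies, force a password change, revoke app passwords, remove third-party access) have equivalents in the Admin SDK Directory API. The following is an added example, not part of the original page and not Google's code: it builds the ordered requests without sending them. `lost_device_plan` is a hypothetical helper, and the user address, app-password ID and client ID are constructed sample values.

```python
# Added example: plans Admin SDK Directory API requests; nothing is sent.
from urllib.parse import quote

BASE = "https://admin.googleapis.com/admin/directory/v1/users"


def lost_device_plan(user, *, suspended=False, uses_sso=False,
                     password_suspect=False, asp_code_ids=(),
                     oauth_client_ids=()):
    """Return ordered (method, target, body) steps; hypothetical helper."""
    u = f"{BASE}/{quote(user, safe='@')}"
    steps = []
    if not suspended:
        # Suspending a user already resets their sign-in cookies.
        if uses_sso:
            # A live IdP session can still allow access after the cookie
            # reset, so it is terminated first (done at the IdP, not here).
            steps.append(("MANUAL",
                          "terminate the user's SSO session at the IdP", None))
        steps.append(("POST", f"{u}/signOut", None))  # reset sign-in cookies
    if password_suspect:
        # Same setting as "Require password change" in the console.
        steps.append(("PATCH", u, {"changePasswordAtNextLogin": True}))
    for code_id in asp_code_ids:
        # Revoke each app password that was used on the lost device.
        steps.append(("DELETE", f"{u}/asps/{code_id}", None))
    for client_id in oauth_client_ids:
        # Removes the app's data access until the user signs in to it again.
        steps.append(("DELETE",
                      f"{u}/tokens/{quote(client_id, safe='')}", None))
    return steps


if __name__ == "__main__":
    # Constructed sample values, not real accounts or clients.
    for step in lost_device_plan("alex@example.com", uses_sso=True,
                                 password_suspect=True, asp_code_ids=[7],
                                 oauth_client_ids=["demo-client.apps.example"]):
        print(step)
```

Sending these requests requires an authorized administrator credential, and signing the user out of current Gmail sessions can still take up to an hour.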
