Set up 2-Step Verification

Enforcement

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature.

Before enforcing 2-Step Verification, make sure all of your users and administrators are enrolled in 2-Step Verification. You can place users not yet enrolled in 2-Step Verification into exception groups so they will not be locked out of their Google accounts when you enable 2-Step Verification enforcement. 

After you've enabled 2-Step Verification enforcement, when you create new user accounts, you will need to place these new users into an exception group so they can access their account and enroll in 2-Step Verification. 

You can also specify an enrollment period during which newly created users can sign in with just their passwords. This allows them time to enroll by completing their 2-Step Verification setup.

Make 2-Step Verification mandatory

If you require 2-Step Verification of all users in the domain or within an existing organizational unit (OU), you can skip this step. If you need to have a different 2-Step Verification setting for a select group of users within an organization, create an admin-managed group containing all such users. See Use exception groups for detailed instructions on creating custom groups.

  1. On the Home page, click Reports, then select Security. Confirm that all users to be forced into 2-Step Verification are already enrolled in it, indicated by "Enrolled" in the 2-Step Verification Enrollment column.
  2. On the Home page, click Security > Basic settings > Enforce 2-Step Verification on users.
  3. Select the organization where you wish to make 2-Step Verification mandatory. Then select Turn on enforcement. 2-Step Verification will become mandatory within 24 to 48 hours after turning on enforcement. 
  4. From the New user enrollment period list, select the period of time during which new users can sign in with just their passwords before 2-Step Verification is enforced.
  5. To have a suborganization inherit the 2-Step Verification setting from its parent organization, click the Use inherited button that appears near the right margin when you hover over the Authentication pane.
  6. If you would like to exempt a group of users, keep the organization selected on the left-hand side of the page, select the group name (created in step 1) on the right-hand side, and select Turn off enforcement. This will apply 2-Step Verification to all users in the selected organization except the users in the exception group.
  7. Save your changes.

    All users of the selected organization are now required to enter a secondary code from their mobile device.
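The enrollment check from step 1, written as a script. This is an added example, not part of the original article and not Google's code. It takes user records carrying the Admin SDK Directory API user fields `primaryEmail`, `orgUnitPath`, `isEnrolledIn2Sv` and `creationTime`, and lists the accounts that turning on enforcement would lock out. The sample users, OU names, exception-group membership and fixed date are constructed, and the script assumes that suborganizations inherit the parent's setting and that the enrollment period is counted from account creation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records using Directory API user fields.
USERS = [
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/Sales",
     "isEnrolledIn2Sv": True, "creationTime": "2019-01-10T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/Sales",
     "isEnrolledIn2Sv": False, "creationTime": "2019-01-10T09:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "orgUnitPath": "/Sales/EMEA",
     "isEnrolledIn2Sv": False, "creationTime": "2019-06-01T09:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "orgUnitPath": "/SalesOps",
     "isEnrolledIn2Sv": False, "creationTime": "2019-06-01T09:00:00.000Z"},
    {"primaryEmail": "erin@example.com", "orgUnitPath": "/Sales/EMEA",
     "isEnrolledIn2Sv": False, "creationTime": "2020-03-01T09:00:00.000Z"},
]
EXCEPTION_GROUP = {"carol@example.com"}  # constructed group membership
NOW = datetime(2020, 3, 5, tzinfo=timezone.utc)  # fixed "today" for the sample


def in_org(user_ou, target_ou):
    """True if user_ou is target_ou or a suborganization of it."""
    if target_ou == "/":
        return True
    # Compare on a path boundary so "/SalesOps" is not treated as under "/Sales".
    return user_ou == target_ou or user_ou.startswith(target_ou + "/")


def lockout_risks(users, target_ou, exception_group, enrollment_days, now=NOW):
    """Emails of users that turning on enforcement would lock out."""
    at_risk = []
    for u in users:
        if not in_org(u["orgUnitPath"], target_ou):
            continue  # enforcement is not being turned on for this user
        if u["isEnrolledIn2Sv"] or u["primaryEmail"] in exception_group:
            continue  # already enrolled, or exempted through the group
        created = datetime.strptime(
            u["creationTime"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if now - created < timedelta(days=enrollment_days):
            continue  # still inside the new user enrollment period
        at_risk.append(u["primaryEmail"])
    return sorted(at_risk)


if __name__ == "__main__":
    for email in lockout_risks(USERS, "/Sales", EXCEPTION_GROUP, 7):
        print("not enrolled, not exempt:", email)
```

An empty result for the target organization means every user there is enrolled, exempted through the exception group, or still inside the enrollment period.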

Enforcing 2-Step Verification using security keys

As an administrator, you can choose to allow security keys as the only 2-Step Verification factor for enhanced security.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Advanced security settings.
    In the Authentication section, under Select allowed 2-Step Verification methods, two new settings appear:
  4. Choose which second factors are enabled for the domain:
    All options
    Security key only
  5. Save your changes.

Enforcing 2-Step Verification on every sign-in

As an administrator, you can require users to enter 2-Step Verification (2SV) on every web browser-based sign-in to their account. Your users must have enrolled in 2SV and enforcement must be turned on.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. In the 2-step verification section, click the Go to advanced settings to enforce 2-step verification link.
  4. Under Authentication in the 2-step verification frequency section, select Do not allow the user to trust the device at 2-step verification.
  5. Click Save.

If you select Allow the user to trust the device at 2-step verification, the first time a user signs in from a new device, they can check a box to trust their device and skip entering 2SV on that device again.

Note: Different browsers on the same computer are treated as different devices. If someone disables the browser cookies, the user’s Remember setting has no effect.

If a user mistakenly trusts a device at sign-in, they can follow the instructions to remove the device from their Trusted Devices list.
