Set up 2-Step Verification
After you've enabled 2-Step Verification enforcement, when you create new user accounts, you will need to place these new users into an exception group so they can access their account and enroll in 2-Step Verification.
You can also specify an enrollment period during which newly created users can sign in with just their passwords. This allows them time to enroll by completing their 2-Step Verification setup.
Follow the instructions here to make 2-Step Verification mandatory:
- If you will require 2-Step Verification of all users in the domain or within an existing organizational unit (OU), you may skip this step. If you need to have a different 2-Step Verification setting for a select group of users within an organization, create an admin-managed group containing all such users. See Use exception groups for detailed instructions on creating custom groups.
- On the dashboard, click Reports, then select Security. Confirm that all users to be forced into 2-Step Verification are already enrolled in it, indicated by "Enrolled" in the 2-Step Verification Enrollment column.
- On the dashboard, click Security > Basic settings > Enforce 2-Step Verification on users.
- Select the organization where you wish to make 2-Step Verification mandatory. Then select Turn on enforcement. 2-Step Verification will become mandatory within 24 to 48 hours after turning on enforcement.
- From the New user enrollment period list of items, select the period of time period new users can sign in with just their passwords before enforcing 2-Step Verification.
- To have a suborganization inherit the 2-Step Verification setting from its parent organization, click the Use inherited button that appears near the right margin when you hover over the Authentication pane.
- If you would like to exempt a group of users, select the group name (created in step 1) on the right-hand side keeping the organization selected on the left-hand side of the page and select Turn off enforcement. This will apply 2-Step Verification to all users in the selected organization except the users in the exception group.
- Save your changes.
All users of the selected organization are now required to enter a secondary code from their mobile device.
Enforcing 2-Step Verification using security keys
As an administrator, you can choose to allow only security keys as the only 2-Step Verification factor for enhanced security.
- From the Admin console dashboard, go to Security > Basic settings.
To see Security on the dashboard, you might have to click More controls at the bottom.
- Click Advanced security settings.
In the Authentication section, under Select allowed 2-Step Verification methods, two new settings appear:
- Choose which second factors are enabled for the domain:
Security key only
- Save your changes.
Note: The Security Key Enforcement feature is available only with G Suite Enterprise .