Search
Clear search
Close search
Google apps
Main menu

Google Apps is now G Suite. Same service, new name. More about the name change.

Verify a user’s identity with a Login Challenge

Login Challenge

When G Suite detects that an unauthorized person is attempting to access a user's account, it presents them with a Login Challenge that asks the person to verify their identity. This is designed to prevent unwanted access to the account, even if the person has obtained the account username and password.

For example, when G Suite detects a suspicious login it sends an SMS to the user's phone, calls the user's phone, or sends an email with a verification code to their secondary email account and asks the user to enter this code before it grants access to their account. This significantly reduces the chances of an unauthorized person accessing the account because they would have to acquire the user's phone or secondary email address as well as the  account username and password.

Before G Suite can verify a user's identity via their phone or secondary email account, it needs them to provide their phone number or secondary email account. The first time a user logs in they see an interstitial page asking to verify their phone number or secondary email account. Until they verify their phone number or secondary email account the interstitial page will be presented periodically and they'll be challenged at every login. After they have verified their phone number or secondary email account, they will ONLY be challenged when there is a suspicious login.

Login Challenge FAQ

Login Challenge  |  Interstitial page  |  Phone verification  |  Disabling the challenge  |  Administrators

Login Challenge

What does the Login Challenge look like?

The user sees this screen when G Suite asks them to verify their identity via SMS or phone:

Login Challenge

The user sees this screen when G Suite asks them to verify their identity via their recovery email:

The user sees this screen when G Suite asks them to verify their identity via their usual sign-in location:

Geo Login Challenge

When does a user receive the Login Challenge?

A user is presented with the Login Challenge when a suspicious login is detected, such as the user not following the sign in patterns that they've shown in the past.

We're using 2-Step Verification. Why do we need this?

Users who have 2-Step Verification enabled won't receive the Login Challenge or the interstitial page.

How does the Login Challenge work if I have SSO enabled?

The Login Challenge isn't enabled for SSO domains at this time. Users in SSO domains won't be prompted with the interstitial that asks them to verify their phone number or secondary email address.

Is this feature available for G Suite for Education, or just G Suite Basic and G Suite Business?

All editions benefit from this feature.

How does the Login Challenge work for K-12 EDU (Kindergarten - 12th grade) users?

K-12 EDU users may be asked to enter their usual login location when a suspicious login is detected. Administrators can temporarily disable the login challenge if the user is unable to verify by login location. Learn more below about the criteria Google uses to identify suspicious login activity.

What criteria are used by Google to determine if a login attempt is suspicious?

We determine whether a login is suspicious when our risk analysis system identifies a login as outside the normal pattern of user behavior. For example, a user logging in from an unusual location or in a manner associated with abuse.

Interstitial page

What does the interstitial page look like?

The user sees this screen when G Suite asks them to verify their phone number:

Login Challenge interstitial page

The user sees this screen when G Suite asks them to verify their email address:

Can users skip the interstitial page asking them to enter their phone number or secondary email account?

Yes, users can skip the interstitial page. They can skip it an unlimited number of times.

Phone verification

If users in my domain don’t have a corporate phone, is there another way to verify their accounts?

Yes, there are different challenges. Users can select a different verification method such as entering their usual login location or their secondary email account instead of phone or SMS verification.

How can a user update the phone number or secondary email account associated with their account?

Either the user or the administrator can update the phone number or their secondary email account via the account settings.

Can a user opt to verify criteria other than their phone number to challenge logins?

If the user doesn’t enter their phone number, other challenges apply such as entering their secondary email account or their usual login location.

Disabling the challenge

Can I disable the Login Challenge if the user can't verify their identity?

Sometimes there are situations where an authorized user cannot verify their identity. For example, they may not have a phone signal so they are unable to receive the verification code.

If this happens as an administrator you can temporarily disable the Login Challenge to enable them to sign in:

  1. Sign in to the Google Admin console
  2. Find the user account.
  3. Click the row for the user account to display the user information page.
  4. Click Security.
  5. Click Disable Login Challenge.

The Login Challenge will be disabled for a period of 10 minutes to allow the user to sign in.

You can also change the user's password to grant access to a session that is locked because the user cannot verify their identity.

Can I turn the Login Challenge off for my domain?

No, you cannot turn this feature off for your entire domain. You can only turn it off temporarily on a per-user basis.

Can the user turn this off themselves from their account settings?

No, only an administrator can turn the Login Challenge off temporarily.

Verifying administrator identity

How can an administrator who is unable to verify their identity regain access to their account?

As an administrator, you can bypass the challenge and regain access to your account by resetting your password. At the bottom of the Login Challenge screen, click the Click here to reset your password instead link.

What if a super administrator can't verify their identity?

If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily disable the Login Challenge for them as described in the steps above.

Alternatively, the super administrator can bypass the Login Challenge by resetting their password. At the bottom of the Login Challenge screen click the Click here to reset your password instead link.

Note: The automated password reset option is not available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.

Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.