Verify a user’s identity with a login challenge


When Google suspects that an unauthorized person is trying to break into a user's account, we present a login challenge that asks the person signing in to verify their identity. This challenge is designed to prevent unwanted entry into the account, even if the person has obtained the account username and password.

For example, when Google considers a login suspicious, we text or call the user's recovery phone, or email their recovery account, with a verification code, and ask the user to enter this code before we grant entry to their account. As an administrator, you can also choose to use the employee IDs of your users as an additional login challenge that you can turn on or off.

These techniques significantly reduce the chances of an unauthorized person breaking into the account, because they would have to acquire the user's phone, recovery email address or employee ID, plus the account username and password.

Before Google can verify a user's identity with their employee ID, recovery phone, or recovery email account, it needs them to provide those details. The first time a user signs in, they see an interstitial page asking to verify their recovery phone number or recovery email account. Until they verify them, the interstitial page is presented periodically and they’re challenged at every login. After they verify them, they’ll only be challenged when there’s a suspicious login.

Login challenges FAQ


Login challenges

What do login challenges look like?

The user sees this screen when Google asks them to verify their identity using their employee ID number:

The user sees this screen when Google asks them to verify their identity through text or phone:

Login Challenge

The user sees this screen when Google asks them to verify their identity through their recovery email:

The user sees this screen when Google asks them to verify their identity through their usual sign-in location:

Geo Login Challenge

When does a user see a login challenge?

A user is presented with the login challenge when a suspicious login is detected, such as the user not following the sign-in patterns that they've shown in the past. 

Important: Google decides which challenge is appropriate to present to a user based on multiple security factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.

Why should I use a user's employee ID as a login challenge?

Choosing to turn on the employee ID login challenge will better protect your users from hijacking attempts. Employee IDs are more difficult to guess and phish than many types of identity challenges.

We're using 2-Step Verification. Why do we need login challenges?

2-Step Verification is a login challenge. So when your users have it on, they won't get another login challenge or the interstitial page shown above.

For the same reason, Admin Reports displays each 2-Step Verification as a login challenge.

How do login challenges work when I have SSO enabled?

Currently, the login challenge isn't enabled for organizations with SSO. Users in organizations with SSO won't be prompted with the interstitial that asks them to verify their recovery phone number or recovery email address.

Is this feature available in G Suite for Education?

All G Suite editions include this feature.

How do login challenges work for K–12 education users?

K–12 education users might be asked to enter their usual login location when a suspicious login is detected. If the user is unable to verify by sign-in location, administrators can temporarily disable the login challenge. Learn more below about the criteria Google uses to identify suspicious login activity.

When does Google consider a login attempt suspicious?

We consider a login suspicious when our risk analysis system identifies it as outside the normal pattern of user behavior. For example, this might include a user logging in from an unusual location or in a manner associated with abuse.

Interstitial page

What does the interstitial page look like?

The user sees this screen when Google asks them to verify their phone number:

Account Recovery interstitial page

The user sees this screen when Google asks them to verify their email address:

Can users skip the interstitial page asking them to enter their recovery phone number or recovery email account?

Yes, users can skip the interstitial page. They can skip it an unlimited number of times.

Phone verification

If users in my organization don’t have a corporate phone, is there another way to verify their accounts?

Yes, there are different challenges. Users can select a different verification method, such as entering their employee ID or their recovery email account instead of phone or text verification.

How can a user update the recovery phone number or recovery email account associated with their account?

The user can update the recovery information through the account settings.

Can a user opt to verify criteria other than their recovery phone number to challenge logins?

If the user doesn’t enter their recovery phone number, other challenges apply such as entering their recovery email account or their usual login location.

Disabling the challenge

If the user can't verify their identity, can I disable the login challenge?

In some situations, an authorized user can’t verify their identity. For example, they might not have a phone signal and can’t get the verification code. Or, they can’t remember or find their employee ID.

If this happens, as an administrator you can temporarily turn off the login challenge to allow them to sign in:

  1. Sign in to the Google Admin console.
  2. Find the user account.
  3. Click the row for the user account to display the user information page.
  4. Click Security.
  5. Click Login challenge.
  6. Click Turn Off For 10 Minutes.

The login challenges will be off for 10 minutes to allow the user to sign in.

You can also change the user's password to grant access to a session that is locked because the user can’t verify their identity.

Can I turn the login challenges off for my organization?

No, you can’t turn off this feature for your entire organization. You can only turn it off temporarily on a per-user basis.

Can the user turn this off themselves from their account settings?

No, only an administrator can turn the login challenges off temporarily.

Verifying administrator identity

How can an administrator who can’t verify their identity re-enter their account?

As an administrator, you can bypass the challenge and regain access to your account by resetting your password. At the bottom of the Login Challenge screen, click the "Click here to reset your password instead" link.

What if a super administrator can't verify their identity?

If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily turn off the login challenge for them, as described in the steps above.

Alternatively, the super administrator can bypass the login challenge by resetting their password. At the bottom of the Login Challenge screen, click the "Click here to reset your password instead" link.

Note: The automated password reset option isn't available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.
