Verify a user’s identity with a login challenge
When Google suspects that an unauthorized person is trying to break into a user's account, we present them with a login challenge asking them to verify their identity. This challenge is designed to prevent unwanted entry into the account, even if the person has obtained the account username and password.
For example, when Google detects a suspicious login, we text or call the user's recovery phone or email their recovery account with a verification code, and ask the user to enter this code before granting entry to their account. As an administrator, you can also choose to use the employee IDs of your users as an additional login challenge that you can turn on or off.
These techniques significantly reduce the chances of an unauthorized person breaking into the account, because they would have to acquire the user's phone, recovery email address or employee ID, plus the account username and password.
Before Google can verify a user's identity with their employee ID, recovery phone, or recovery email account, it needs them to provide those details. The first time a user signs in, they see an interstitial page asking to verify their recovery phone number or recovery email account. Until they verify them, the interstitial page is presented periodically and they’re challenged at every login. After they verify them, they’ll only be challenged when there’s a suspicious login.
Login challenges FAQ
Login challenges
What do login challenges look like?
The user sees this screen when Google asks them to verify their identity using their employee ID number:
The user sees this screen when Google asks them to verify their identity through text or phone:
The user sees this screen when Google asks them to verify their identity through their recovery email:
The user sees this screen when Google asks them to verify their identity through their usual sign-in location:
A user is presented with the login challenge when a suspicious login is detected, such as the user not following the sign-in patterns that they've shown in the past.
Important: Google decides which challenge is appropriate to present to a user based on multiple security factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.
Why should I use a user's employee ID as a login challenge?
2-Step Verification is a login challenge. So when your users have it on, they won't get another login challenge or the interstitial page shown above.
For the same reason, Admin Reports displays each 2-Step Verification as a login challenge.
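Because 2-Step Verification is reported as a login challenge, a raw count of challenge events overstates how often users were challenged for a suspicious login. The following is an added example, not Google's code: it separates the two kinds of challenge in exported login audit events and lists users worth reviewing. The flattened field names (`user`, `method`, `status`, `time`) and the method and status values are assumptions, so map them to what your own export contains.

```python
from collections import Counter

# Assumption: method values that represent 2-Step Verification factors.
TWO_STEP_METHODS = {"google_prompt", "google_authenticator", "security_key",
                    "backup_code"}

# Constructed sample events, already flattened to the fields used below.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "user": "ana@example.com",
     "method": "google_prompt", "status": "passed"},
    {"time": "2024-05-01T09:10:00Z", "user": "ben@example.com",
     "method": "knowledge_employee_id", "status": "failed"},
    {"time": "2024-05-01T09:11:00Z", "user": "ben@example.com",
     "method": "idv_preregistered_phone", "status": "failed"},
    {"time": "2024-05-01T09:12:00Z", "user": "ben@example.com",
     "method": "knowledge_preregistered_email", "status": "passed"},
    {"time": "2024-05-01T10:00:00Z", "user": "cy@example.com",
     "method": "login_location", "status": "passed"},
    {"time": "2024-05-02T08:00:00Z", "user": "ana@example.com",
     "method": "google_prompt", "status": "passed"},
]


def summarize_challenges(events, fail_threshold=2):
    """Count 2SV and risk-based challenges per user and flag odd patterns."""
    two_step, risk_based, failures = Counter(), Counter(), Counter()
    passed_after_failure = set()
    # ISO 8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if ev["method"] in TWO_STEP_METHODS:
            two_step[user] += 1      # routine 2SV, not a suspicious-login signal
            continue
        risk_based[user] += 1        # challenge raised for a suspicious login
        if ev["status"] == "failed":
            failures[user] += 1
        elif ev["status"] == "passed" and failures[user]:
            # A pass that follows earlier failures deserves a manual look.
            passed_after_failure.add(user)
    return {
        "two_step": dict(two_step),
        "risk_based": dict(risk_based),
        "repeated_failures": sorted(u for u, n in failures.items()
                                    if n >= fail_threshold),
        "passed_after_failure": sorted(passed_after_failure),
    }
```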
Currently, the login challenge isn't enabled for organizations with SSO. Users in organizations with SSO won't be prompted with the interstitial that asks them to verify their recovery phone number or recovery email address.
All G Suite editions include this feature.
K–12 education users might be asked to enter their usual login location when a suspicious login is detected. If the user is unable to verify by sign-in location, administrators can temporarily disable the login challenge. Learn more below about the criteria Google uses to identify suspicious login activity.
We determine whether a login is suspicious when our risk analysis system identifies a login as outside the normal pattern of user behavior. For example, this might include a user logging in from an unusual location or in a manner associated with abuse.
Interstitial page
What does the interstitial page look like?
The user sees this screen when Google asks them to verify their phone number:
The user sees this screen when Google asks them to verify their email address:
Yes, users can skip the interstitial page. They can skip it an unlimited number of times.
Phone verification
If users in my organizations don’t have a corporate phone, is there another way to verify their accounts?
Yes, there are different challenges. Users can select a different verification method, such as entering their employee ID or their recovery email account instead of phone or text verification.
The user can update the recovery information through the account settings.
If the user doesn’t enter their recovery phone number, other challenges apply such as entering their recovery email account or their usual login location.
Disabling the challenge
If the user can't verify their identity, can I disable the login challenge?
In some situations, an authorized user can’t verify their identity. For example, they might not have a phone signal and can’t get the verification code. Or, they can’t remember or find their employee ID.
If this happens, as an administrator you can temporarily turn off the login challenge to allow them to sign in:
- Sign in to the Google Admin console.
- Find the user account.
- Click the row for the user account to display the user information page.
- Click Security.
- Click Login challenge.
- Click Turn Off For 10 Minutes.
The login challenges will be off for 10 minutes to allow the user to sign in.
You can also change the user's password to grant access to a session that is locked because the user can’t verify their identity.
No, you can’t turn off this feature for your entire organization. You can only turn it off temporarily on a per-user basis.
No, only an administrator can turn the login challenges off temporarily.
Verifying administrator identity
How can an administrator who can’t verify their identity re-enter their account?
As an administrator, you can bypass the challenge and regain access to your account by resetting your password. At the bottom of the Login Challenge screen, click the Click here to reset your password instead link.
If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily turn off the login challenge for them, as described in the steps above.
Alternatively, the super administrator can bypass the login challenge by resetting their password. At the bottom of the Login Challenge screen, click the Click here to reset your password instead link.
Note: The automated password reset option isn't available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.