Login Challenge for suspicious sign-ins

Login Challenge

If we detect that an unauthorized person is attempting to access a user's account, we will present them with a Login Challenge that asks the person to verify their identity. This is designed to prevent unwanted access to the account, even if the person has obtained the username and password.

For example, if we detect a suspicious login we might send an SMS with a verification code to the user's phone and ask them to enter this code before we grant access to their account. This drastically reduces the chances of an unauthorized person accessing the account because they would have to get hold of the user's phone as well as the username and password.

Before we can verify a user's identity via their phone, we need them to tell us their phone number. The first time a user logs in they will see an interstitial page asking to verify their phone number. After they have verified their phone number, they will ONLY be challenged when there is a suspicious login.

Login Challenge FAQ

Login Challenge

What does the Login Challenge look like?

The user will see this screen if we ask them to verify their identity via SMS or phone:

[Image: Login Challenge]

The user will see this screen if we ask them to verify their identity via their usual login location:

[Image: Geo Login Challenge]

When will a user receive the Login Challenge?

A user will be presented with the Login Challenge if a suspicious login is detected, such as the user not following the sign-in patterns that they have shown in the past.

We are using 2-step verification, why do we need this?

Users that have 2-step verification enabled will not receive the Login Challenge or the interstitial page.

How does the Login Challenge work if I have SSO enabled?

The Login Challenge is not enabled for SSO domains at this time, and users will not be prompted with the interstitial that asks them to verify their phone number.

Will this feature be available for Apps for Education and Government, or just Apps for Business?

All editions will benefit from this feature.

How does the Login Challenge work for K-12 EDU (Kindergarten - 12th grade) users?

K-12 EDU users may be asked to enter their usual login location when a suspicious login is detected. Administrators can temporarily disable the login challenge if the user is unable to verify by login location. Learn more below about the criteria Google uses to identify suspicious login activity.

What criteria are used by Google to determine if a login attempt is suspicious?

We consider a login suspicious when our risk analysis system identifies it as outside the normal pattern of user behavior, for example a user logging in from an unusual location or in a manner associated with abuse.

Interstitial page

What does the interstitial page look like?

The user will see this screen when we ask them to verify their phone number:

[Image: Login Challenge interstitial page]

Can users skip the interstitial asking to enter their phone number?

Yes, users can skip the interstitial that asks them to verify their phone number. They can skip this interstitial an unlimited number of times.

Phone verification

If users in my domain don’t have a corporate phone, is there another way to verify their accounts?

Yes, there are different challenges, and users can select a different verification method, such as entering their usual login location, instead of phone or SMS verification.

How can a user update the phone number associated with their account?

Either the user or the administrator can update the phone number through the account settings.

Can the user opt to verify criteria other than their phone number to challenge logins?

If the user doesn’t enter their phone number, other challenges will apply, such as entering their usual login location.

Disabling the challenge

Can I disable the Login Challenge if the user can't verify their identity?

Sometimes an authorized user cannot verify their identity. For example, they may not have a phone signal, so they are unable to receive the verification code.

If this happens, you can temporarily disable the Login Challenge to enable them to sign in:

  1. Sign in to the Google Admin console.
  2. Find the user account.
  3. Click the row for the user account to display the user information page.
  4. Click Security.
  5. Click Disable Login Challenge.

The Login Challenge will be disabled for a period of 10 minutes to allow the user to sign in.

You can also change the user's password to grant access to a session that is locked because the user cannot verify their identity.

Can I turn the Login Challenge off for my domain?

No, you cannot turn this feature off for your entire domain. You can only turn it off temporarily on a per-user basis.

Can the user turn this off themselves from their account settings?

No, only an administrator can turn the Login Challenge off temporarily.

Administrators

How can an administrator who is unable to verify their identity regain access to their account?

They can bypass the challenge and regain access to their account by resetting their password. To do this, click the "Click here to reset your password instead" link at the bottom of the Login Challenge screen.

What if a super administrator can't verify their identity?

If a super administrator is unable to verify their identity, then another super administrator (if available) can temporarily disable the Login Challenge for them as described in the steps above.

Alternatively, the super administrator can bypass the Login Challenge by resetting their password. To do this, click the "Click here to reset your password instead" link at the bottom of the Login Challenge screen.

Note: The automated password reset option is not available to all super administrators. For more information about admin account recovery, see "Add recovery options to your administrator account".
