Verify a user’s identity with a Login Challenge
When G Suite detects that an unauthorized person is attempting to access a user's account, it presents them with a Login Challenge that asks the person to verify their identity. This is designed to prevent unwanted access to the account, even if the person has obtained the account username and password.
For example, when G Suite detects a suspicious login it sends an SMS to the user's phone, calls the user's phone, or sends an email with a verification code to their secondary email account and asks the user to enter this code before it grants access to their account. This significantly reduces the chances of an unauthorized person accessing the account because they would have to acquire the user's phone or secondary email address as well as the account username and password.
Before G Suite can verify a user's identity via their phone or secondary email account, it needs them to provide their phone number or secondary email account. The first time a user logs in they see an interstitial page asking to verify their phone number or secondary email account. Until they verify their phone number or secondary email account the interstitial page will be presented periodically and they'll be challenged at every login. After they have verified their phone number or secondary email account, they will ONLY be challenged when there is a suspicious login.
Login Challenge FAQ
Login ChallengeWhat does the Login Challenge look like?
The user sees this screen when G Suite asks them to verify their identity via SMS or phone:
The user sees this screen when G Suite asks them to verify their identity via their recovery email:
The user sees this screen when G Suite asks them to verify their identity via their usual sign-in location:
A user is presented with the Login Challenge when a suspicious login is detected, such as the user not following the sign in patterns that they've shown in the past.
Users who have 2-Step Verification enabled won't receive the Login Challenge or the interstitial page.
The Login Challenge isn't enabled for SSO domains at this time. Users in SSO domains won't be prompted with the interstitial that asks them to verify their phone number or secondary email address.
All editions benefit from this feature.
K-12 EDU users may be asked to enter their usual login location when a suspicious login is detected. Administrators can temporarily disable the login challenge if the user is unable to verify by login location. Learn more below about the criteria Google uses to identify suspicious login activity.
We determine whether a login is suspicious when our risk analysis system identifies a login as outside the normal pattern of user behavior. For example, a user logging in from an unusual location or in a manner associated with abuse.
Interstitial pageWhat does the interstitial page look like?
The user sees this screen when G Suite asks them to verify their phone number:
The user sees this screen when G Suite asks them to verify their email address:
Yes, users can skip the interstitial page. They can skip it an unlimited number of times.
Phone verificationIf users in my domain don’t have a corporate phone, is there another way to verify their accounts?
Yes, there are different challenges. Users can select a different verification method such as entering their usual login location or their secondary email account instead of phone or SMS verification.
Either the user or the administrator can update the phone number or their secondary email account via the account settings.
If the user doesn’t enter their phone number, other challenges apply such as entering their secondary email account or their usual login location.
Disabling the challengeCan I disable the Login Challenge if the user can't verify their identity?
Sometimes there are situations where an authorized user cannot verify their identity. For example, they may not have a phone signal so they are unable to receive the verification code.
If this happens as an administrator you can temporarily disable the Login Challenge to enable them to sign in:
- Sign in to the Google Admin console.
- Find the user account.
- Click the row for the user account to display the user information page.
- Click Security.
- Click Disable Login Challenge.
The Login Challenge will be disabled for a period of 10 minutes to allow the user to sign in.
You can also change the user's password to grant access to a session that is locked because the user cannot verify their identity.
No, you cannot turn this feature off for your entire domain. You can only turn it off temporarily on a per-user basis.
No, only an administrator can turn the Login Challenge off temporarily.
Verifying administrator identityHow can an administrator who is unable to verify their identity regain access to their account?
As an administrator, you can bypass the challenge and regain access to your account by resetting your password. At the bottom of the Login Challenge screen, click the Click here to reset your password instead link.
If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily disable the Login Challenge for them as described in the steps above.
Alternatively, the super administrator can bypass the Login Challenge by resetting their password. At the bottom of the Login Challenge screen click the Click here to reset your password instead link.
Note: The automated password reset option is not available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.