Login Challenge for suspicious sign-ins
If we detect that an unauthorized person is attempting to access a user's account, we will present them with a Login Challenge that asks the person to verify their identity. This is designed to prevent unwanted access to the account, even if the person has obtained the username and password.
For example, if we detect a suspicious login we might send an SMS with a verification code to the user's phone and ask them to enter this code before we grant access to their account. This drastically reduces the chances of an unauthorized person accessing the account because they would have to get a hold of the user's phone as well as the username and password.
Before we can verify a user's identity via their phone, we need them to tell us their phone number. The first time a user logs in they will see an interstitial page asking to verify their phone number. Until they verify their phone number the interstitial page will be presented periodically and they'll be challenged at every login. After they have verified their phone number, they will ONLY be challenged when there is a suspicious login.
Login Challenge FAQ
Login Challenge
What does the Login Challenge look like?
The user will see this screen if we ask them to verify their identity via SMS or phone:
The user will see this screen if we ask them to verify their identity via their usual login location:
A user will be presented with the Login Challenge if a suspicious login is detected, such as the user not following the sign-in patterns that they have shown in the past.
Users that have 2-step verification enabled will not receive the Login Challenge or the interstitial page.
The Login Challenge is not enabled for SSO domains at this time, and users will not be prompted with the interstitial that asks them to verify their phone number.
All editions will benefit from this feature.
K-12 EDU users may be asked to enter their usual login location when a suspicious login is detected. Administrators can temporarily disable the login challenge if the user is unable to verify by login location. Learn more below about the criteria Google uses to identify suspicious login activity.
We consider a login suspicious when our risk analysis system identifies it as outside the normal pattern of user behavior, for example when a user logs in from an unusual location or in a manner associated with abuse.
Interstitial page
What does the interstitial page look like?
The user will see this screen when we ask them to verify their phone number:
Yes, users can skip the interstitial that asks them to verify their phone number. They can skip this interstitial an unlimited number of times.
Phone verification
If users in my domain don’t have a corporate phone, is there another way to verify their accounts?
Yes, there are different challenges and users can select a different verification method like entering their usual login location instead of phone or SMS verification.
Either the user or the administrator can update the phone number through the account settings.
If the user doesn’t enter their phone number, other challenges will apply like entering their usual login location.
Disabling the challenge
Can I disable the Login Challenge if the user can't verify their identity?
Sometimes there are situations where an authorized user cannot verify their identity. For example, they may not have a phone signal so they are unable to receive the verification code.
If this happens, you can temporarily disable the Login Challenge to enable them to sign in:
- Sign in to the Google Admin console.
- Find the user account.
- Click the row for the user account to display the user information page.
- Click Security.
- Click Disable Login Challenge.
The Login Challenge will be disabled for a period of 10 minutes to allow the user to sign in.
You can also change the user's password to grant access to a session that is locked because the user cannot verify their identity.
No, you cannot turn this feature off for your entire domain. You can only turn it off temporarily on a per-user basis.
No, only an administrator can turn the Login Challenge off temporarily.
Administrators
How can an administrator who is unable to verify their identity regain access to their account?
They can bypass the challenge and regain access to their account by resetting their password. To do this, click the "Click here to reset your password instead" link at the bottom of the Login Challenge screen.
If a super administrator user is unable to verify their identity, then another super administrator (if available) can temporarily disable the Login Challenge for them as described in the steps above.
Alternatively, the super administrator can bypass the Login Challenge by resetting their password. To do this, click the "Click here to reset your password instead" link at the bottom of the Login Challenge screen.
Note: The automated password reset option is not available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.