If we suspect that an unauthorized user is trying to sign in to a Google Workspace account, we present them with a login challenge. If the person can't enter the requested information, we won't let them sign in to the account.
Before you can use login challenges
Make sure your Google Workspace accounts have the information we need:
- Remind employees to add a recovery phone number and email address to their account. We will periodically ask them to add these details when they sign in to their accounts.
- Add employee IDs to your user accounts. See Add employee ID as a login challenge.
Types of login challenges
User chooses how to verify their identity
Google uses an app installed on the user's phone to confirm their identity
Google sends a text message with a verification code
Google calls the user's phone and provides a verification code
If your organization uses third-party identity providers (IdPs) to authenticate single sign-on (SSO) users through SAML, you can present these SSO users with additional risk-based login challenges, depending on how you use third-party IdPs:
- If you’ve configured an SSO profile for your organization, you can choose whether to apply additional authentication challenges or 2-Step Verification (2SV) to users that profile is applied to. After the IdP authenticates a user during sign-in, Google can present additional login challenges or apply 2SV to the user.
Note: The default behavior for these users is to bypass additional challenges. To turn them on, follow the steps in Set up post SSO verification below.
- If you’re using another third-party profile for OUs or groups in your organization, any risk-based authentication challenges and 2SV (when turned on), are automatically applied to these users.
- You want to use security keys to protect access to sensitive Google-hosted resources for maximum assurance, and your current IdP doesn’t support security keys.
- You want to save the cost of using a third-party identity provider because in most cases users access Google resources.
- You don’t want Google authentication (Google as identity provider), but want to leverage all of Google’s risk-based login challenges.
- If you have existing 2SV policies, such as 2SV enforcement, those policies apply immediately.
- Users affected by the new policy and who are enrolled in 2SV get a 2SV login challenge at sign-in.
- Based on Google sign-in risk analysis, users might see risk-based login challenges at sign-in.
From the Admin console Home page, go to SecurityLogin challenges.
- On the left, select the organizational unit where you want to set the policy.
For all users, select the top-level organizational unit. Initially, organizational units inherit the settings of its parent.
- Click Post-SSO verification.
- Select Logins using SSO are subject to additional verifications (if appropriate) and 2-Step Verification (if configured).
Google creates an entry in the Admin audit log to indicate the policy change. With the new policy, Google can present risk-based authentication login challenges and 2-Step Verification if it’s configured. The default is to bypass additional verification.
- On the bottom right, click Save.
Extra security questions and login challengesWhen does a user see a security question or login challenge?
A user is presented with the login challenge when a suspicious login is detected, such as the user not following the sign-in patterns that they've shown in the past.
Important: Google decides which type of login challenge is appropriate to present to a user based on multiple security and usability factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.
2-Step Verification (2SV) is a type of login challenge. As an administrator, you can enforce the 2SV login challenge for your users. By doing so, they won't receive another type of risk-based login challenge.
If you don't enforce 2SV for your users, or if a user doesn't have it on, Google decides which type of login challenge is appropriate to present to that user. The type of login challenge that's appropriate is based on multiple security and usability factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.
Yes. For details, see Set up a recovery phone number or email address.
2-Step Verification (2SV) is a type of login challenge. When your users have it on, they won't get another login challenge. For the same reason, Admin Reports display each 2-Step Verification as a login challenge.
It depends on how you've configured SSO in your organization:
- If you’ve configured an SSO profile for your organization - By default, login challenges aren’t enabled. However, you can set up post SSO verification to allow additional risk-based authentication challenges and 2-Step Verification (2SV) if configured.
- If you’re using another SSO profile, any additional login challenges (including 2SV, if configured) are automatically applied.
Yes, all Google Workspace editions include extra security questions and login challenges.
We determine whether a sign-in is suspicious when our risk-analysis system identifies an attempt that’s outside the normal pattern of user behavior. For example, a user might try to sign in from an unusual location or in a manner associated with abuse.
Phone verificationIf my users don’t have a corporate phone, is there another way to verify their accounts?
Yes, there are different types of login challenges. Depending on the information that’s available for a user’s account, users are presented with a different type of login challenge, such as entering their employee ID or recovery email address. If a user doesn’t have access to their phone, they can use backup codes to sign in. For details, see Sign in using backup codes.
The user can update the recovery information through the account settings.
If the user doesn’t enter a recovery phone number, other types of login challenges apply, such as entering their recovery email address or using their employee ID.
Disabling a login challengeIf the user can't verify their identity, can I disable the login challenge?
Yes, an administrator can turn off login challenge for 10 minutes.
No, you can’t turn off this feature for your entire organization. You can only turn it off temporarily on a per-user basis.
No, only an administrator can turn off the login challenges off temporarily.
Administrator login challengesHow can an administrator who can’t verify their identity re-enter their account?
As an administrator, you can regain access to your account by following the prompts on the login page to reset your password.
If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily turn off the login challenge for them, as described in the steps above.
Alternatively, the super administrator can bypass the login challenge by resetting their password.
Note: The automated password reset option isn't available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.