Security challenges are additional security measures to verify a user's identity. There are two types of security challenges:
- Login challenge—If we suspect that an unauthorized user is trying to sign in to a Google Workspace account, we present them with a login challenge. If the user can't enter the requested information, we won't let them sign in to the account.
- Verify-it's-you challenge—If a user is attempting actions that are considered sensitive, we present them with a verify-it's-you challenge. If the user can't enter the requested information, we disallow the sensitive action (they can keep using their account as normal).
Before you can use security challenges
Make sure your Google Workspace accounts have the information we need:
- Remind employees to add a recovery phone number and email address to their account. We will periodically ask them to add these details when they sign in to their accounts.
- Add employee IDs to your user accounts. See Add employee ID as a login challenge.
Types of login challenges
Verify-it's-you challenges for sensitive actions
If a Google Workspace user attempts a sensitive action, that user is sometimes presented with a verify-it's-you challenge. If the user can't enter the requested information, Google will disallow the sensitive action.
Enable login challenges with SSO
If your organization uses third-party identity providers (IdPs) to authenticate single sign-on (SSO) users through SAML, you can present these SSO users with additional risk-based login challenges and apply 2-Step Verification (if configured), after the IdP authenticates a user during sign-in.
The default post-SSO verification setting depends on SSO user type:
- For users signing in using the SSO profile for your organization, the default setting is to bypass additional login challenges and 2SV.
- For users signing in using other SSO profiles, the default setting is to apply additional login challenges and 2SV.
To change the default settings for either user type, follow the steps in Set up post SSO verification below.
FAQ
Extra security questions and login challenges | Phone verification | Disabling a login or security challenge | Administrators