Protect Google Workspace accounts with security challenges

Here are a few examples of sensitive actions:

• Disabling 2-step verification
• Allowing an app to access Google data
• Changing the account recovery email address or phone number
• Downloading account data
• Changing the name on the account

A user is presented with the login challenge when a suspicious login is detected, such as the user not following the sign-in patterns that they've shown in the past. A user is presented with a verify-it's-you challenge if they have a risky session when attempting a sensitive action.

Important: Google decides which type of security challenge is appropriate to present to a user based on multiple security and usability factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.

2-Step Verification (2SV) is a type of login challenge. As an administrator, you can enforce the 2SV login challenge for your users. By doing so, they won't receive another type of risk-based login challenge.

If you don't enforce 2SV for your users, or if a user doesn't have it on, Google decides which type of login challenge is appropriate to present to that user. The type of login challenge that's appropriate is based on multiple security and usability factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.

Yes. For details, see Set up a recovery phone number or email address. 

2-Step Verification (2SV) is a type of login challenge. When your users have it on, they won't get another login challenge. For the same reason, Admin Reports display each 2-Step Verification as a login challenge​.​

It depends on how you've configured SSO in your organization:

• If you’ve configured an SSO profile for your organization - By default, login challenges aren’t enabled. However, you can set up post SSO verification to allow additional risk-based authentication challenges and 2-Step Verification (2SV) if configured.
• If you’re using another SSO profile, any additional login challenges (including 2SV, if configured) are automatically applied.

Yes, all Google Workspace editions include extra security questions and login challenges.

We determine whether a sign-in is suspicious when our risk-analysis system identifies an attempt that’s outside the normal pattern of user behavior. For example, a user might try to sign in from an unusual location or in a manner associated with abuse.

Yes, there are different types of login challenges. Depending on the information that’s available for a user’s account, users are presented with a different type of login challenge, such as entering their employee ID or recovery email address. If a user doesn’t have access to their phone, they can use backup codes to sign in. For details, see Sign in using backup codes.

The user can update the recovery information through the account settings.

If the user doesn’t enter a recovery phone number, other types of login challenges apply, such as entering their recovery email address or using their employee ID.

Yes, an administrator can turn off a login or verify-it's-you challenge for 10 minutes. 

In some situations, an authorized user can’t verify their identity. For example, they might not have a phone signal and can’t get the verification code. Or, they can’t remember or find their employee ID. If this happens, as a super administrator you can turn off the login or verify-it's-you challenge for 10 minutes to allow them to sign in or complete the sensitive action. Exercise caution when turning off login or verify-it's-you challenges, as the account is less secure from account hijackers during the 10-minute window.

No, you can’t turn off this feature for your entire organization. You can only turn it off temporarily on a per-user basis.

No, only an administrator can turn off the login or security challenges temporarily.

As an administrator, you can regain access to your account by following the prompts on the login page to reset your password.

If you're a Google Workspace administrator who's having trouble signing in to your admin account, go to Recovering administrator access to your account for instructions.

If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily turn off the login challenge for them, as described in the steps above.

Alternatively, the super administrator can bypass the login challenge by resetting their password.

Note: The automated password reset option isn't available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.