Set up 2-Step Verification

Protect Google Workspace accounts with security challenges

Security challenges are additional security measures to verify a user's identity. There are two types of security challenges:

  • Login challenge—If we suspect that an unauthorized user is trying to sign in to a Google Workspace account, we present them with a login challenge. If the user can't enter the requested information, we won't let them sign in to the account.
  • Verify-it's-you challenge—If a user is attempting actions that are considered sensitive, we present them with a verify-it's-you challenge. If the user can't enter the requested information, we disallow the sensitive action (they can keep using their account as normal).

Before you can use security challenges

Make sure your Google Workspace accounts have the information we need:

  • Remind employees to add a recovery phone number and email address to their account. We will periodically ask them to add these details when they sign in to their accounts.
  • Add employee IDs to your user accounts. See Add employee ID as a login challenge.

Open all   |   Close all

Types of login challenges

Verify-it's-you challenges for sensitive actions

If a Google Workspace user attempts a sensitive action, that user is sometimes presented with a verify-it's-you challenge. If the user can't enter the requested information, Google will disallow the sensitive action.

Enable login challenges with SSO

If your organization uses third-party identity providers (IdPs) to authenticate single sign-on (SSO) users through SAML, you can present these SSO users with additional risk-based login challenges and apply 2-Step Verification (if configured), after the IdP authenticates a user during sign-in.

The default post-SSO verification setting depends on SSO user type:

  • For users signing in using the SSO profile for your organization, the default setting is to bypass additional login challenges and 2SV.
  • For users signing in using other SSO profiles, the default setting is to apply additional login challenges and 2SV.

To change the default settings for either user type, follow the steps in Set up post SSO verification below.

FAQ

Extra security questions and login challenges  |  Phone verification  |  Disabling a login or security challenge  |  Administrators

Extra security questions and login challenges

Phone verification

Disabling a login challenge or verify-it's-you challenge

Administrator login challenges

Was this helpful?

How can we improve it?
13015068516102641686
true
Search Help Center
true
true
true
true
true
73010
Search
Clear search
Close search
Main menu
false
false
false