Verify a user’s identity with extra security

If we suspect that an unauthorized person is trying to access one of your users' accounts, we present that person with an extra security question or challenge. For example, we might send a verification code to the real user's phone. If the person can't answer the question or complete the challenge, they can't access the account.

Types of challenges

Google decides which challenge is appropriate to present to a user based on multiple security factors.

Mobile device challenges

  • A prompt that asks the user to tap Yes and then tap a number on their phone. 
  • A text message or phone call with a verification code to the user's recovery device with instructions to access their account. 

If your organization uses Google Mobile Management, we might ask users to use their managed mobile device to verify their identity (the device they normally use to access their corporate account). For more information about Google Mobile Management, see Manage your organization's mobile devices.

The user sees one of these screens when we ask them to verify their identity using their mobile device:

Employee ID login challenge

You can use employee IDs as a challenge. Employee IDs are more difficult to guess and phish than other types of identity challenges. To use the employee ID login challenge, you need to make sure that IDs are associated with your users' accounts. For more details, see Add employee ID as a login challenge.
The user sees this screen when Google asks them to verify their identity using their employee ID:

Recovery email challenge

The user must enter their secondary (recovery) email address as a challenge. The user sees this screen when Google asks them to verify their identity through their recovery email:

Before you can use challenges 

Before we can verify a user's identity with their recovery phone number or email account, the user needs to give us those details. When a user signs in, they see a message asking them to provide a recovery phone number or email account. The message appears periodically until the user provides their details. If you use the employee ID login challenge, you need to make sure that IDs are associated with your users' accounts. For details, see Add employee ID as a login challenge.

Enable challenges with SSO

Many customers use third-party identity providers (IdPs) to authenticate users who use single sign-on (SSO) through SAML. The third-party IdP authenticates users and no additional risk-based challenges are presented to them. Any Google 2-Step Verification (2SV) configuration is ignored. This is the default behavior.

You can set a policy to allow additional risk-based authentication challenges and 2SV if it’s configured. If Google receives a valid SAML assertion (authentication information about the user) from the IdP during user sign-in, Google can present additional challenges to the user.

Use cases for additional challenges with SSO

  • You want to use security keys to protect access to sensitive Google-hosted resources for maximum assurance, and your current IdP doesn’t support security keys.
  • You want to avoid the cost of a third-party identity provider because your users mostly access Google resources.
  • You don’t want Google authentication (Google as identity provider), but want to leverage all of Google’s risk-based challenges.

What happens when you apply additional challenges

For a smooth implementation, tell your users about the new policy and when you plan to apply it. Here’s what happens when you apply additional challenges at sign-in:
  • If you have existing 2SV policies, such as 2SV enforcement, those policies apply immediately.
  • Users affected by the new policy and who are enrolled in 2SV get a 2SV challenge at sign-in.
  • Based on Google sign-in risk analysis, users might see risk-based challenges at sign-in.

Set up post-SSO verification

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Login challenges.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. On the left, select the organizational unit where you want to set the policy.
    For all users, select the top-level organizational unit. Initially, organizational units inherit the settings of their parent.
  4. Select Logins using SSO are subject to additional verifications.
    Google creates an entry in the Admin audit log to indicate the policy change. With the new policy, Google can present risk-based authentication challenges and 2-Step Verification if it’s configured. The default is to bypass additional verification.
  5. On the bottom right, click Save.

FAQ


Extra questions and challenges

When does a user see a question or challenge?

A user is presented with the login challenge when a suspicious login is detected, such as the user not following the sign-in patterns that they've shown in the past. 

Important: Google decides which challenge is appropriate to present to a user based on multiple security and usability factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.

We're using 2-Step Verification. Why do we need login challenges?

2-Step Verification (2SV) is a type of login challenge. When your users have it on, they won't get another login challenge. For the same reason, Admin Reports display each 2-Step Verification as a login challenge.

How do login challenges work when I have SSO enabled?

By default, challenges aren’t enabled for organizations with single sign-on (SSO). Using the Post-SSO verification setting in the Admin console, you can set a policy to allow additional risk-based authentication challenges and 2-Step Verification (2SV) if configured.

Is this feature available in G Suite for Education?

Yes, all G Suite editions include extra security questions and challenges.

When does Google consider a sign-in attempt suspicious?

We determine whether a sign-in is suspicious when our risk-analysis system identifies an attempt that’s outside the normal pattern of user behavior. For example, a user might try to sign in from an unusual location or in a manner associated with abuse.

Phone verification

If users in my organization don’t have a corporate phone, is there another way to verify their accounts?

Yes, there are different challenges. Depending on the information that’s available for a user’s account, users are presented with a different challenge, such as entering their employee ID or recovery email address. If a user doesn’t have access to their phone, they can use backup codes to sign in. For details, see Sign in using backup codes.

How can a user update the recovery phone number or email associated with their account?

The user can update the recovery information through the account settings.

Can a user opt to verify criteria other than their recovery phone number?

If the user doesn’t enter a recovery phone number, other challenges apply, such as entering their recovery email address or using their employee ID.

Disabling a challenge

If the user can't verify their identity, can I disable the login challenge?

In some situations, an authorized user can’t verify their identity. For example, they might not have a phone signal and can’t get the verification code. Or, they can’t remember or find their employee ID.

If this happens, as an administrator you can temporarily turn off the login challenge to allow them to sign in:

  1. Sign in to the Google Admin console
  2. Find the user account.
  3. Click the row for the user account to display the user information page.
  4. Click Security.
  5. Click Login challenge.
  6. Click Turn Off For 10 Minutes.

It might take several minutes for this change to take effect on the user account. At that point, the login challenge is off for 10 minutes to allow the user to sign in. 

You can also change the user's password to grant access to a session that is locked because the user can’t verify their identity.

Can I turn the login challenges off for my organization?

No, you can’t turn off this feature for your entire organization. You can only turn it off temporarily on a per-user basis.

Can the user turn this off themselves from their account settings?

No, only an administrator can turn the login challenges off temporarily.

Administrator challenges

How can an administrator who can’t verify their identity re-enter their account?

As an administrator, you can bypass the challenge and regain access to your account by resetting your password. At the bottom of the Login Challenge screen, click the Click here to reset your password instead link.

What if a super administrator can't verify their identity?

If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily turn off the login challenge for them, as described in the steps above.

Alternatively, the super administrator can bypass the login challenge by resetting their password. At the bottom of the Login Challenge screen, click the Click here to reset your password instead link.

Note: The automated password reset option isn't available to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.
