Follow these best practices to improve the security of your administrator accounts and, by extension, of your business as a whole.
If someone manages to get the admin password, 2-Step Verification (2SV) helps protect the account from unauthorized access. It’s especially important for super admins to use 2SV because their accounts control access to all business and employee data in the organization.
There are several 2SV methods, including security keys, Google prompt, Google Authenticator, and backup codes. Security keys are small hardware devices used for second-factor authentication. They resist phishing because the key only authenticates to the legitimate site, and they are the most secure form of 2SV.
A business should have more than one super administrator account, each managed by a separate individual (avoid sharing an admin account). If one account is lost or compromised, another super admin can perform critical tasks while the other account is recovered.
Give each super administrator two accounts: their own super admin account and a separate account for daily activities.
While signed in as a super administrator, you can control all aspects of your company's account, including critical activities such as managing billing, user licenses, and other administrators. To minimize exposure of these controls, each super administrator should use a separate account without super admin privileges for day-to-day activities. As stated earlier, they also shouldn't share a super admin account; each should have their own identifiable super admin account.
For example, if Maria and James are super admins, they should each have one identifiable admin account and one user account, as follows:
- email@example.com, firstname.lastname@example.org
- email@example.com, firstname.lastname@example.org
They should only sign in to a super admin account to perform super admin tasks, such as setting up 2-Step Verification (2SV) or helping another admin recover their account.
Important: If you don't sign in frequently with your primary admin account (which is set up in the Google Admin console at Account settings > Profile > Contact info), you'll miss important mandatory service announcements from Google. To make sure you receive these announcements, set up a secondary email contact using an account that you use on a day-to-day basis. For instructions, see Send billing and account notifications to another admin.
Staying signed in to a super admin account when you aren’t doing specific administrative tasks can increase exposure to phishing attacks. Super admins should sign in as needed to do specific tasks and then sign out.
You can let an administrator perform daily administrator tasks without granting them full super admin privileges. Just assign one or more admin roles to their account. For example, you could grant an admin permissions to create user accounts and reset passwords, but not to delete a user account.
You can assign pre-built admin roles, or create custom roles with sets of permissions you choose. In any case, try to grant each admin access only to the resources and tools they need for their job role.
Get started here: About administrator roles
Monitor admin activity and track potential security risks by setting up admin email alerts for certain events, such as suspicious sign-in attempts, compromised mobile devices, or changes by another admin.
When you turn on an alert for an activity, you receive an email each time that activity happens.
The Admin audit log is another tool for monitoring admin activity. It shows a history of every task performed in the Google Admin console, which admin performed it, the date, and the IP address the admin signed in from.
Activity from the super admin appears in the Event Description column as _SEED_ADMIN_ROLE, followed by the username.
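The following is an added example, not part of the original page or any Google tool: it parses a constructed audit-log export, picks out entries logged under the super admin role (the _SEED_ADMIN_ROLE marker followed by the username, as described above), and flags those that happened outside business hours or from an IP address you don't recognize. The CSV column layout, the sample rows, and the business-hours window are assumptions for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of an Admin audit log export. The column names, rows and
# IP addresses are assumptions for this example; check your own export's layout.
SAMPLE_AUDIT_LOG = """\
date,event_description,admin,ip_address
2024-05-06T09:12:44Z,CREATE_USER,helpdesk@example.com,203.0.113.10
2024-05-06T09:15:02Z,_SEED_ADMIN_ROLE maria-admin ASSIGN_ROLE,maria-admin@example.com,203.0.113.10
2024-05-06T22:41:19Z,_SEED_ADMIN_ROLE james-admin DELETE_USER,james-admin@example.com,198.51.100.77
2024-05-07T10:03:55Z,CHANGE_PASSWORD,helpdesk@example.com,203.0.113.10
"""

SEED_MARKER = "_SEED_ADMIN_ROLE"


def parse_audit_log(text):
    """Parse the CSV export into dicts, adding a UTC datetime under 'when'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["date"], "%Y-%m-%dT%H:%M:%SZ")
        row["when"] = when.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def super_admin_events(rows):
    """Return (username, row) for events whose description starts with the marker."""
    found = []
    for row in rows:
        parts = row["event_description"].split()
        if parts and parts[0] == SEED_MARKER:
            found.append((parts[1] if len(parts) > 1 else "", row))
    return found


def review_findings(rows, known_ips, business_hours=(8, 18)):
    """Flag super admin activity outside business hours (UTC) or from an unknown IP.

    Super admin accounts should be used briefly, for specific tasks, so either
    condition is worth a closer look by whoever reviews the log.
    """
    start, end = business_hours
    findings = []
    for username, row in super_admin_events(rows):
        reasons = []
        if not (start <= row["when"].hour < end):
            reasons.append("outside business hours")
        if row["ip_address"] not in known_ips:
            reasons.append("unknown IP %s" % row["ip_address"])
        if reasons:
            findings.append((username, row["event_description"], reasons))
    return findings
```

Running `review_findings(parse_audit_log(SAMPLE_AUDIT_LOG), {"203.0.113.10"})` on the sample flags only the late-evening DELETE_USER action from the unrecognized address.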
Admins should add recovery options to their admin account.
If an admin forgets their password, they can click the Need help? link on the sign-in page and Google will send a new password via phone, text, or email. To do that, Google needs a recovery phone number and email address for the account.
If a super admin can’t reset their password using email or phone recovery options, and another super admin isn’t available to reset the password, they can contact Google Support.
To verify identity, Google asks questions about the organization’s account:
- The date the account was created.
- Original secondary email address associated with the account (email used to sign up).
- Google order number associated with the account (if applicable).
- Number of user accounts created.
- Billing address linked to the account.
- Type of credit card used and its last 4 digits.
Google also asks the admin to verify the DNS ownership of the domain, so the admin needs to have the credentials to edit the domain DNS settings with their registrar.
Admins should enroll more than one security key for their admin account and store the spare in a safe place. If their primary security key is lost or stolen, they can still sign in to their account.
If an admin loses their security key or phone (where they receive a 2SV verification code or Google prompt), they can use a backup code to sign in.
Admins should generate and print backup codes in case they’re needed. Keep backup codes in a secure location.
If an admin can’t sign in to their admin account, another admin can generate a backup code for them so they can sign in using 2SV.