Login challenges are extra security questions that help to prevent unwanted access to an account. As an administrator, you can add employee ID as an optional extra security question when we suspect that an unauthorized person is trying to access a user’s account.
Important: Google decides which extra security question is appropriate to present to a user based on multiple factors. This means we might not always ask users to confirm their employee ID, even if you have turned that login challenge on.
For more information on the login challenges Google uses, see Verify a user’s identity with a login challenge.
Before you begin
To use an employee ID as a login challenge, you must first ensure that your users' employee IDs are stored in their account attributes. You can do this in the following ways:
- Update the employee IDs directly in the user profile from the Google Admin console.
- Use Google Cloud Directory Sync to export employee IDs from Microsoft® Active Directory® or your directory server to your Google organizational unit.
- Use the Admin SDK Directory API to populate the externalIds.type:organization field with employee IDs.
- Use the CSV upload functionality in the Google Admin console.
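For the Admin SDK Directory API option, the following added example (not Google's code) plans the updates offline: it compares user records against an HR export and builds the request body for each user who still needs an employee ID. The sample records, the HR mapping and the function names are constructed, and the code assumes that an array sent in a patch replaces the stored array, so it carries the user's other externalIds along.

```python
# Constructed sample records, shaped like entries in a Directory API user list.
SAMPLE_USERS = [
    {"primaryEmail": "ana@example.com",
     "externalIds": [{"type": "organization", "value": "E1001"}]},
    {"primaryEmail": "bo@example.com",
     "externalIds": [{"type": "network", "value": "bo-net"}]},
    {"primaryEmail": "cy@example.com"},
    {"primaryEmail": "ed@example.com",
     "externalIds": [{"type": "organization", "value": "E9999"}]},
]

# Constructed HR export: primaryEmail -> employee ID.
HR_IDS = {"ana@example.com": "E1001", "bo@example.com": "E1002",
          "cy@example.com": "E1003", "ed@example.com": "E1005",
          "dee@example.com": "E1004"}


def employee_id(user):
    """Return the user's externalIds value of type 'organization', or None."""
    for ext in user.get("externalIds") or []:
        if ext.get("type") == "organization" and ext.get("value"):
            return ext["value"]
    return None


def plan_updates(users, hr_ids):
    """Return (patches, conflicts, unmatched).

    patches:   {email: request body} for users with no employee ID yet
    conflicts: users whose stored ID differs from HR (left for manual review)
    unmatched: HR entries with no matching user record
    """
    patches, conflicts, seen = {}, [], set()
    for user in users:
        email = user["primaryEmail"]
        seen.add(email)
        current, wanted = employee_id(user), hr_ids.get(email)
        if wanted is None or current == wanted:
            continue
        if current is not None:
            conflicts.append(email)  # never overwrite a differing ID silently
            continue
        # Assumption: a patched array replaces the stored one, so keep the rest.
        kept = [e for e in user.get("externalIds") or []
                if e.get("type") != "organization"]
        patches[email] = {"externalIds":
                          kept + [{"type": "organization", "value": wanted}]}
    return patches, conflicts, sorted(set(hr_ids) - seen)
```

Users listed under conflicts would fail the challenge if they answer with the ID HR gave them, so resolve those before turning the setting on.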
When you add the employee ID information to your organizational unit, let your users know where they can find their employee ID and that they might be asked for it when they sign in to their Google Account. Also let them know that they must enter their employee ID only on official Google sign-in pages. If they prefer to verify their identity another way, they should update their recovery phone number or email address.
Note: If you turn on SSO or 2-Step Verification for your users, the employee ID login challenge isn’t presented.
Turn the employee ID login challenge on or off
- From the Admin console Home page, go to Security > Login challenges.
  To see Security on the Home page, you might have to click More controls at the bottom.
- On the left, select the organizational unit where you want to set a login challenge.
  For all users, select the top-level organizational unit. Initially, an organizational unit inherits the settings of its parent.
- Check or uncheck the Use employee ID to keep my users more secure box.
  The default setting for the employee ID login challenge is off.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organizational unit's status is already Overridden, choose an option:
  - Inherit—Reverts to the same setting as its parent.
  - Save—Saves your new setting (even if the parent setting changes).