Set up 2-Step Verification

How 2-Step Verification works with third-party apps

Your users might have third-party apps such as legacy email apps, or your company might use a third-party identity provider (IdP) to authenticate users. Here's how 2-Step Verification (2SV) works with some types of third-party apps.

Single sign-on services

Using single sign-on (SSO), employees can sign in once to use many cloud apps. An identity provider (IdP) authenticates users to access company resources.

If you’re using a third-party IdP to authenticate users for accessing Google products and SSO is enabled for your top-level organization, Google's 2-Step Verification doesn't apply when users sign in through that SSO service.

Super administrators don’t use SSO when signing in to their administrator accounts. If they’re enrolled in 2SV, they must provide a second authentication factor when they sign in.

Apps that don't support the latest protocols

Some apps don’t support the latest authentication protocols and don’t work for users with 2SV.  Legacy email apps are examples.

If a user sees a “password incorrect” error when trying to sign in, an App password could solve the problem. App passwords give apps permission to access a Google Account without the user divulging their Google password to the app.

App passwords bypass 2SV

Because App passwords bypass 2SV:

  • App passwords are discouraged—It’s better to install more secure apps that use modern authentication protocols. However, if some of your users have legacy apps that require App passwords, you’ll need to allow your users to access less secure apps. Your users can then sign in using an App password.
  • Enforcing security keys disables App passwords—You can't require users to use a security key for 2SV and also let them use App passwords to sign in to legacy apps. If you enforce security keys as the 2SV method for your users, your company has security requirements that you don't want to circumvent.





Was this helpful?
How can we improve it?