Set up 2-Step Verification

Deploy 2-Step Verification

You and your users play important roles in setting up 2-Step Verification.

Applying 2-Step Verification settings

You can customize 2-Step Verification settings for organizational units and for exception groups (a group of users within an organizational unit). For example, you can require security keys for a small team in your Sales organizational unit while the rest of the unit keeps a less strict policy.

How exception groups work

  • You can assign one exception group to an organizational unit.
  • Users in the exception group must belong to the organizational unit.
  • 2-Step Verification settings apply to users in the exception group (not to group addresses or nested groups).
  • Create the groups in the Admin console, with the Groups API, or with Directory Sync (not in Google Groups).

For easier identification, you might include the organizational unit in the name of exception groups (for example, exgrp_OU_name).
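Before attaching a group as an exception group, it is worth checking that every member really sits in the target organizational unit and that the group contains no nested groups (the page notes that settings apply to users, not to nested groups). The following script is an added example, not part of this help page or any Google tool. It assumes user records shaped like the Directory API users.list output (`primaryEmail`, `orgUnitPath`) and member records shaped like members.list output (`email`, `type`), and it treats a user in a child OU as belonging to the parent OU; all data in it is constructed.

```python
"""Added example (not part of the Google Workspace help page): check that
every member of a proposed exception group sits inside the organizational
unit the group will be attached to, before assigning it in the Admin console.

Assumptions (not stated on the page): user records look like the Directory
API's users.list output (`primaryEmail`, `orgUnitPath`), group members like
members.list output (`email`, `type`), and a user in a child OU of the target
OU counts as belonging to it. All data below is constructed for the example.
"""

# Constructed sample users, mirroring Directory API fields.
USERS = [
    {"primaryEmail": "priya@example.com", "orgUnitPath": "/Sales"},
    {"primaryEmail": "nigel@example.com", "orgUnitPath": "/Sales/West"},
    {"primaryEmail": "ana@example.com", "orgUnitPath": "/Finance"},
    # Looks like /Sales by prefix but is a sibling OU, not a child.
    {"primaryEmail": "sam@example.com", "orgUnitPath": "/Salesforce"},
]

# Constructed sample: members of the proposed exception group.
MEMBERS = [
    {"email": "priya@example.com", "type": "USER"},
    {"email": "nigel@example.com", "type": "USER"},
    {"email": "ana@example.com", "type": "USER"},
    {"email": "sam@example.com", "type": "USER"},
    {"email": "sales-leads@example.com", "type": "GROUP"},  # nested group: settings do not apply to it
    {"email": "ghost@example.com", "type": "USER"},         # not in the directory at all
]


def in_ou(org_unit_path: str, target_ou: str) -> bool:
    """True if org_unit_path is target_ou or a descendant of it.

    Compared on whole path segments so that /Salesforce is not mistaken
    for a child of /Sales.
    """
    target = target_ou.rstrip("/") or "/"
    if target == "/":
        return True
    return org_unit_path == target or org_unit_path.startswith(target + "/")


def audit_exception_group(users, members, target_ou):
    """Return the problems that would make the group unfit as an exception
    group for target_ou: members outside the OU, nested groups and addresses
    that are not users in the directory."""
    ou_by_email = {u["primaryEmail"].lower(): u["orgUnitPath"] for u in users}
    problems = {"outside_ou": [], "nested_groups": [], "unknown": []}
    for m in members:
        email = m["email"].lower()
        if m.get("type") == "GROUP":
            problems["nested_groups"].append(email)
        elif email not in ou_by_email:
            problems["unknown"].append(email)
        elif not in_ou(ou_by_email[email], target_ou):
            problems["outside_ou"].append(email)
    return problems


if __name__ == "__main__":
    report = audit_exception_group(USERS, MEMBERS, "/Sales")
    for kind, emails in report.items():
        print(f"{kind}: {emails}")
```

Run it against a dump of the real group and user list; an empty report for all three categories means the group is safe to assign. Whether members in child OUs should be accepted is a policy choice, so adjust `in_ou` if you want an exact-OU match.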

Step 1: Notify users of 2-Step Verification deployment (required)

Before deploying 2-Step Verification, communicate your company’s plans to your users, including:

  • Describe 2-Step Verification and why your company is using it.
  • Indicate whether 2-Step Verification is optional or required.
  • If necessary, provide the date by which users must turn on 2-Step Verification.
  • Indicate which 2-Step Verification method is required or recommended.

For details, go to Best practices for 2-Step Verification.

Step 2: Set up basic 2-Step Verification (required)

Next, let your users turn on 2-Step Verification. By default, users can turn on 2-Step Verification and use any verification method (G Suite accounts created after December 2016 have 2-Step Verification turned off by default).

Allow users to turn on 2-Step Verification
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then 2-Step Verification.

  3. On the right, select an organizational unit or exception group.
  4. Let users turn on 2-Step Verification and use any verification method, but don't require 2-Step Verification yet:
    • Check Allow users to turn on 2-Step Verification.
    • Select Enforcement > Off.
  5. Click Save.
Tell your users to enroll in 2-Step Verification
  1. Tell your users to enroll in 2-Step Verification by following the instructions in Turn on 2-Step Verification.
  2. Provide instructions for enrolling in 2-Step Verification methods:

Step 3: Enforce 2-Step Verification (optional)


Enforcing 2-Step Verification makes it required for your users. Users who aren’t enrolled in 2-Step Verification can’t sign in to their accounts.

Select advanced 2-Step Verification settings
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then 2-Step Verification.

Verify user enrollment in 2-Step Verification
Make sure users are enrolled in 2-Step Verification before turning on enforcement. Users who aren’t enrolled won’t be able to sign in to their accounts.
  1. From the Admin console Home page, go to Reports.
  2. Check the reports to find which users aren't enrolled.
    This data can be delayed by up to 48 hours. To view the real-time 2-Step Verification status of each user, see Manage a user's security settings.
  3. Inform users who aren’t enrolled that they need to enroll or risk being locked out of their accounts.
Turn on enforcement
  1. Choose when to start enforcing 2-Step Verification:
    • Click On or Turn on enforcement now (whichever your interface shows)—Enforcement starts immediately.
    • Click On or Turn on enforcement from date—Enforcement starts on a date you specify.
  2. If you selected to enforce 2-Step Verification at a specific date, click the start date on the calendar. Users see reminders to enroll in 2-Step Verification when they sign in.
  3. Click Save.
Protect new users from being locked out of their accounts
When you enforce 2-Step Verification, give new employees time to enroll before enforcement is applied to their accounts. You can do this by defining a new user enrollment period. During this period, users can sign in with just their passwords.
  1. In New user enrollment period, select a time period from 1 day to 6 months.
    This is how long new users have after their first successful sign-in to enroll in 2-Step Verification.
  2. Click Save.

Step 4: Select enforcement options (optional)

Select a 2-Step Verification method to enforce

When you enforce 2-Step Verification, the enforcement method defaults to “Any.” Consider using security keys, which are the most secure 2-Step Verification method. See Best practices for 2-Step Verification.

  1. Select an enforcement method:
    • Any—Users can set up any 2-Step Verification method.
    • Any except verification codes via text, phone call—Users can set up any 2-Step Verification method except receiving verification codes on their phones by text message or voice call.
    • Only security key—Users must set up a security key.
      Option: Let users temporarily sign in with a security code (useful when a user loses their security key). Select the length of this grace period, which starts when you generate the security code for the user.
  2. Click Save.
Ensure a smooth transition to an enforcement policy

When you enforce 2-Step Verification, existing users without compatible 2-Step Verification methods will be locked out of their accounts when their active sessions expire. You’ll have to help them recover their accounts so they can sign in. Sample scenarios:

  • You’re changing from a policy of 2-Step Verification being optional to enforcing 2-Step Verification.
  • You enforce 2-Step Verification but allow users to choose any method, and you're changing to allow any method except receiving verification codes by text message or voice call.
  • You’re changing from a policy of 2-Step Verification being optional, allowing any method, or allowing any method except text or voice call, to requiring security keys as the only 2-Step Verification method.

Communicate your plans to enforce 2-Step Verification

Communicate your plans and enforcement date before setting an enforcement policy. Give users time to add a 2-Step Verification method. For new employees, set up a new user enrollment period as described in “Protect new users from being locked out of their accounts.”

If users don't comply by the enforcement date

You might have users who haven’t set up an appropriate 2-Step Verification method by your enforcement date. You can give these users extra time to enroll by putting these users into an exception group where 2-Step Verification isn’t enforced until they can add a 2-Step Verification method. See Avoid account lockouts when 2-Step Verification is enforced.

While this workaround allows your users to sign in, it’s not recommended as a standard practice because those user accounts aren’t protected by 2-Step Verification while they're in the exception group.

Enforcing "Any except verification codes via text, phone call"

If users can currently use any 2-Step Verification method, you probably have users whose only 2-Step Verification method is a text or voice call. After you set this policy, those users won’t be able to sign in using a phone number they previously used to receive verification codes by text or voice call, and they won’t be able to add any new phone numbers.

Avoid locking out these users from their accounts:

  • Before setting this policy, tell your users to add and start using another 2-Step Verification method. Also inform them that they won’t be able to receive verification codes on their phones after a specified enforcement date.
  • Use the login_verification Login Audit activity event to track users who sign in using verification codes received by text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated with a text or voice verification code.
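The audit check above is easy to automate once you have exported the Login audit events. The script below is an added example, not part of this help page or any Google tool: it scans activity records for `login_verification` events whose `login_challenge_method` includes `idv_preregistered_phone`, and reports each affected user with the time of the most recent such sign-in. It assumes the JSON layout of the Reports API activities.list response (`items[]` with `actor.email`, `id.time`, `events[].parameters[]`) and accepts the parameter either as a single `value` or as a `multiValue` list; the events in it are constructed, and the `security_key` and `password` method values are illustrative rather than quoted from the audit log documentation.

```python
"""Added example (not part of the Google Workspace help page): scan Login
audit activity events for users who still complete 2-Step Verification with
a text or voice code, i.e. `login_verification` events whose
`login_challenge_method` includes `idv_preregistered_phone`, as the page
describes. These users will be locked out under the
"Any except verification codes via text, phone call" policy.

Assumptions: events are in the shape returned by the Reports API
activities.list (`items[]` with `actor.email`, `id.time`, `events[]`,
`parameters[]`); `login_challenge_method` may arrive as `value` or
`multiValue`, and both are handled. The events below are constructed; the
method names other than idv_preregistered_phone are illustrative.
"""
import json

# Constructed sample of an activities.list response.
SAMPLE_ACTIVITIES = json.dumps({
    "items": [
        {"id": {"time": "2020-03-02T09:10:00.000Z"},
         "actor": {"email": "priya@example.com"},
         "events": [{"name": "login_verification", "type": "login",
                     "parameters": [{"name": "login_challenge_method",
                                     "multiValue": ["idv_preregistered_phone"]}]}]},
        {"id": {"time": "2020-03-02T10:00:00.000Z"},
         "actor": {"email": "nigel@example.com"},
         "events": [{"name": "login_verification", "type": "login",
                     "parameters": [{"name": "login_challenge_method",
                                     "value": "security_key"}]}]},
        {"id": {"time": "2020-03-03T08:30:00.000Z"},
         "actor": {"email": "priya@example.com"},
         "events": [{"name": "login_success", "type": "login", "parameters": []}]},
        {"id": {"time": "2020-03-03T11:45:00.000Z"},
         "actor": {"email": "ana@example.com"},
         "events": [{"name": "login_verification", "type": "login",
                     "parameters": [{"name": "login_challenge_method",
                                     "multiValue": ["password", "idv_preregistered_phone"]}]}]},
    ]
})

PHONE_CODE_METHOD = "idv_preregistered_phone"


def challenge_methods(event) -> list:
    """Collect login_challenge_method values from one event, whatever the
    parameter's value shape (single `value` or `multiValue` list)."""
    methods = []
    for p in event.get("parameters", []):
        if p.get("name") != "login_challenge_method":
            continue
        if "multiValue" in p:
            methods.extend(p["multiValue"])
        elif "value" in p:
            methods.append(p["value"])
    return methods


def phone_code_users(activities_json: str) -> dict:
    """Return {email: time_of_latest_phone_code_sign_in} for actors who
    verified with a text or voice code. Timestamps are RFC 3339 strings in
    UTC, so string comparison orders them correctly."""
    last_seen = {}
    for item in json.loads(activities_json).get("items", []):
        email = item.get("actor", {}).get("email")
        when = item.get("id", {}).get("time", "")
        for ev in item.get("events", []):
            if ev.get("name") != "login_verification":
                continue
            if PHONE_CODE_METHOD in challenge_methods(ev):
                if when >= last_seen.get(email, ""):
                    last_seen[email] = when
    return last_seen


if __name__ == "__main__":
    for email, when in sorted(phone_code_users(SAMPLE_ACTIVITIES).items()):
        print(f"{email}: last text/voice code sign-in at {when}")
```

Run this over a window that covers the period before the planned enforcement date; the users it lists are the ones to contact, and a user who stops appearing in later runs has switched methods.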

Enforcing "Only security key"

Before enforcing this policy, review user security settings to make sure that your users set up their security keys.

Also, check the reports to find which users have registered security keys.
This data can be delayed by up to 48 hours. To view the real-time 2-Step Verification status of each user, see Manage a user’s security settings.
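Both readiness checks on this page (Verify user enrollment in 2-Step Verification, and the security-key check just above) come down to reading the user usage report and listing who would be locked out under the policy you are about to enforce. The script below is an added example, not part of this help page or any Google tool. It assumes the JSON layout of the Reports API user usage report (`usageReports[].entity.userEmail` and `usageReports[].parameters[]`) and that `accounts:is_2sv_enrolled` and `accounts:num_security_keys` are the parameter names to read; the parameter names are an assumption to confirm against the Reports API documentation, and the report data in it is constructed.

```python
"""Added example (not part of the Google Workspace help page): from a saved
user usage report, list the users who would be locked out under a given
2-Step Verification enforcement policy.

Assumptions: the JSON has the shape of the Reports API user usage report
(`usageReports[].entity.userEmail`, `usageReports[].parameters[]`), and the
parameter names `accounts:is_2sv_enrolled` and `accounts:num_security_keys`
are the relevant ones (an assumption; check them against the Reports API
parameter list). The data below is constructed. Remember the page's caveat:
report data can lag by up to 48 hours, so confirm borderline users in their
real-time security settings before turning on enforcement.
"""
import json

# Constructed sample report, mirroring the Reports API field layout.
SAMPLE_REPORT = json.dumps({
    "usageReports": [
        {"entity": {"userEmail": "priya@example.com"},
         "parameters": [{"name": "accounts:is_2sv_enrolled", "boolValue": True},
                        {"name": "accounts:num_security_keys", "intValue": "1"}]},
        {"entity": {"userEmail": "nigel@example.com"},
         "parameters": [{"name": "accounts:is_2sv_enrolled", "boolValue": True},
                        {"name": "accounts:num_security_keys", "intValue": "0"}]},
        {"entity": {"userEmail": "ana@example.com"},
         "parameters": [{"name": "accounts:is_2sv_enrolled", "boolValue": False},
                        {"name": "accounts:num_security_keys", "intValue": "0"}]},
        # No parameters reported yet, e.g. a brand-new account.
        {"entity": {"userEmail": "sam@example.com"}, "parameters": []},
    ]
})

POLICIES = ("any", "only_security_key")


def parse_report(report_json: str) -> dict:
    """Return {email: {"enrolled": bool, "security_keys": int}}.

    Missing parameters are treated as not enrolled / zero keys: for a
    lockout check, absence of evidence must count against the user.
    """
    status = {}
    for row in json.loads(report_json).get("usageReports", []):
        email = row["entity"]["userEmail"]
        params = {p["name"]: p for p in row.get("parameters", [])}
        enrolled = bool(params.get("accounts:is_2sv_enrolled", {}).get("boolValue", False))
        keys = int(params.get("accounts:num_security_keys", {}).get("intValue", "0"))
        status[email] = {"enrolled": enrolled, "security_keys": keys}
    return status


def users_at_risk(status: dict, policy: str) -> list:
    """Users who could not satisfy `policy` once enforcement starts.

    "any": anyone not enrolled at all.
    "only_security_key": anyone not enrolled or enrolled with no security key.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    at_risk = []
    for email, s in sorted(status.items()):
        if not s["enrolled"]:
            at_risk.append(email)
        elif policy == "only_security_key" and s["security_keys"] == 0:
            at_risk.append(email)
    return at_risk


if __name__ == "__main__":
    status = parse_report(SAMPLE_REPORT)
    for policy in POLICIES:
        print(policy, "->", users_at_risk(status, policy))
```

The usage report says whether a user is enrolled and how many security keys they have, but not whether their only method is a text or voice code, so the "Any except verification codes via text, phone call" policy cannot be checked this way; for that, use the Login audit approach described under Enforcing "Any except verification codes via text, phone call".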

Allow backup codes when users lose security keys
If you enforce security keys as the only accepted 2-Step Verification method and a user loses their security key, they need a way to sign in while they get a new key. You can allow users to use backup codes for a specified grace period.
  1. From the Advanced security settings page, next to 2-Step Verification policy suspension grace period, select a time period from 1 day to 1 week.
    The grace period starts when you generate the backup codes.
  2. Click Save.
Allow security codes when security keys aren't supported
If you enforce security keys, some of your users might have trouble using some apps. Users can’t use their Google credentials to sign in to web apps that run on platforms that don’t support security keys. These platforms include mobile iOS, Safari, and Internet Explorer. Here are some examples:
  • A corporate web app runs only on a browser that doesn’t support security keys
    Priya works in Finance, and she uses a financial web app that only runs on Internet Explorer 8.0. Because security keys are enforced, she can’t sign in to the web app using her Google Account.
  • Initial iPhone setup
    Nigel is in Sales and has a new iPhone. To set up the iPhone, he needs to sign in to his Google Account on the iPhone. But because Safari and mobile iOS don’t support security keys, he can’t sign in and can’t set up the iPhone.

Enable security codes

When a platform doesn’t support security keys, you can allow users to sign in and authenticate with a special, one-time security code. Users can generate this code only on a device that supports security keys.

  1. From the Advanced security settings page, under Allowed 2-Step Verification methods, Only Security Key, select an option:
    • Don't allow users to generate security codes—Users can’t generate security codes. This is the default if you signed up for G Suite before November 20, 2019.
    • Allow security codes without remote access—Users can generate security codes and use them on the same device or local network (NAT or LAN). This is the default if you signed up for G Suite on or after Nov 20, 2019.
    • Allow security codes with remote access—Users can generate security codes and use them on other devices or networks, such as when accessing a remote server or a virtual machine.
  2. Click Save.

How security codes work

Security codes are different from one-time codes that apps like Google Authenticator generate. To generate a security code, a user needs a device where they can use their security key. A user taps the security key to generate a security code.

When to allow security codes

When you enforce security keys, allowing security codes lets users get their work done when security keys aren’t supported. However, because security codes aren’t as strong as security keys for 2-Step Verification, you should allow security codes only for users who need to work on platforms or apps that don’t support security keys.

User experience

Here’s how Priya in Finance can use the financial web app that runs on Internet Explorer 8.0.

  1. Priya launches Internet Explorer 8.0 and tries to sign in to the finance app.
  2. She follows the prompts to get a one-time code security code on a device where she can use her security key.
  3. Priya launches Chrome on her laptop, and signs in to her Google Account. She might be prompted for her security key if she hasn’t signed in to her Google Account on this browser before.
  4. She navigates to https://g.co/sc.
  5. Priya taps her security key and generates a security code.
  6. She copies the security code and uses it to complete the Internet Explorer web app sign-in.

Currently only Chrome and Firefox support security keys. One-time security codes are valid for 5 minutes.

Let users avoid repeated 2-Step Verification on trusted devices

Allowing users to avoid 2-Step Verification on trusted devices isn't recommended unless your users frequently move between devices. 

The first time a user signs in from a new device, they can check a box to trust their device and skip 2-Step Verification on that device. The user isn't asked again for 2-Step Verification on that device unless the user clears their cookies, you reset the user's sign-in cookies, or the user revokes the device in their account. 

If you don't allow users to trust a device, users must complete 2-Step Verification every time they sign in.

In the new 2-Step Verification interface:

In the Frequency setting, click Allow user to trust the device. 

In the old 2-Step Verification interface:

In the 2-Step Verification frequency setting, click Allow user to trust the device at 2-Step Verification.

Step 5: Manage security keys (optional)

Add a security key for a user

You can add a security key to a user account. If the user isn’t enrolled in 2-Step Verification, they’re automatically enrolled when you enroll a security key for them. See Manage a user's security settings.
