Set up 2-Step Verification

Deploy 2-Step Verification

You and your users play important roles in setting up 2-Step Verification.

Step 1: Notify users of 2-Step Verification deployment (required)

Before deploying 2-Step Verification, communicate your company’s plans to your users, including:

  • What is 2-Step Verification and why your company is using it
  • Whether 2-Step Verification is optional or required
  • If required, give the date by which users must turn on 2-Step Verification
  • Which 2-Step Verification method is required or recommended.

For details, go to Best practices for 2-Step Verification.

Step 2: Set up basic 2-Step Verification (required)

Next, let your users turn on 2-Step Verification. By default, users can turn on 2-Step Verification and use any verification method. (G Suite accounts created before December 2016 have 2-Step Verification turned off by default).

Applying 2-Step Verification settings

You can customize 2-Step Verification settings for organizational units and exception groups—a group of users within an organizational unit. For example, you can require security keys for a small team in your Sales organizational unit.

How exception groups work

  • You can assign one exception group to an organizational unit.
  • Users in the exception group must belong to the organizational unit.
  • 2-Step Verification settings apply to users in the exception group (not to group addresses or nested groups).
  • Create the groups in Admin console, Groups API, or Directory Sync (not Google Groups).

For easier identification, you might include the organizational unit in the name of exception groups (for example, exgrp_OU_name).

Allow users to turn on 2-Step Verification
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then 2-Step Verification.

  3. On the right, select an organizational unit or exception group.
  4. Let users turn on 2-Step Verification and use any verification method, but don't require 2-Step Verification yet.
    • Check Allow users to turn on 2-Step Verification.
    • Select Enforcement > Off.
  5. Click Save.
Tell your users to enroll in 2-Step Verification
  1. Tell your users to enroll in 2-Step Verification by following the instructions in Turn on 2-Step Verification.
  2. Provide instructions for enrolling in 2-Step Verification methods:
Track users' enrollment

Use reports to measure and track your users' enrollment in 2-Step Verification.

  • Check users' enrollment, enforcement status, and number of security keys. Go to Reports > User Reports > Security (click Settings and then Settings to select Security Keys). Learn more
  • Check the settings and status for an individual user (real-time status). Learn more
  • View a snapshot of enrollment trends. Go to Reports > Apps Reports > Accounts. Learn more
  • Identify organizational units and groups that aren't using 2-Step Verification. Learn more

Step 3: Enforce 2-Step Verification (optional)

Make sure users are enrolled in 2-Step Verification before turning on enforcement. Users who aren’t enrolled can't sign in to their accounts.

Ensure a smooth transition to an enforcement policy

When you enforce 2-Step Verification, users without compatible 2-Step Verification methods are locked out of their accounts when their active sessions expire. For example, suppose you switch from allowing any 2-Step Verification method to requiring security keys: you'll have to help the users who haven't enrolled a security key recover their accounts so they can sign in.

Communicate your plans to enforce 2-Step Verification

Communicate your plans and enforcement date before setting an enforcement policy. Give users time to add a 2-Step Verification method. For new employees, set a new user enrollment period.

If users don't comply by the enforcement date

You might have users who haven’t set up the required 2-Step Verification method by your enforcement date.

You can give users extra time to enroll by adding them to an exception group where 2-Step Verification isn’t enforced. While this workaround allows users to sign in, it’s not recommended as a standard practice. Learn how to avoid account lockouts when 2-Step Verification is enforced.

Choose a 2-Step Verification method to enforce

When you enforce 2-Step Verification, the enforcement method defaults to “Any.” Consider using security keys, which are the most secure 2-Step Verification method. Learn more in Best practices for 2-Step Verification.

Enforcement methods

  • Any—Users can set up any 2-Step Verification method.
  • Any except verification codes via text, phone call—Users can set up any 2-Step Verification method except using their phones to receive 2-Step Verification verification codes.
  • Only security key—Users must set up a security key.

Considerations when you enforce these methods:

Any method except verification codes via text, phone call

If you currently allow any 2-Step Verification method, you probably have users who verify only by text and voice call. To avoid locking out these users from their accounts:

  • Before enforcement takes effect, tell users to start using another 2-Step Verification method. Also inform them that 2-Step Verification verification codes won't be available on their phones after the enforcement date.
  • Use the login_verification Login Audit activity event to track users who sign in using 2-Step Verification verification codes they receive by text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated with a text or voice verification code.
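The following is an added example, not part of the original Help Center page, showing how an administrator could scan exported Login Audit records for users who still pass 2-Step Verification with text or voice codes before the enforcement date. The record layout (actor.email, id.time, events[].name, events[].parameters[]) is an assumption modelled on the Admin SDK Reports API activities.list output, and the records themselves are constructed samples; only login_verification, login_challenge_method and idv_preregistered_phone come from the page.

```python
import json
from collections import defaultdict
# Constructed sample Login Audit records. The JSON shape (actor.email, id.time,
# events[].name, events[].parameters[]) is an assumption modelled on the Reports
# API activities.list output; login_verification, login_challenge_method and
# idv_preregistered_phone come from the Help Center text. Other method values
# are placeholders, not real enum values.
SAMPLE_ACTIVITIES = json.loads("""
[
 {"id": {"time": "2024-03-01T08:02:11.000Z"}, "actor": {"email": "priya@example.com"},
  "events": [{"type": "login", "name": "login_verification",
              "parameters": [{"name": "login_challenge_method",
                              "multiValue": ["idv_preregistered_phone"]}]}]},
 {"id": {"time": "2024-03-01T09:15:40.000Z"}, "actor": {"email": "sam@example.com"},
  "events": [{"type": "login", "name": "login_verification",
              "parameters": [{"name": "login_challenge_method",
                              "multiValue": ["placeholder_other_method"]}]}]},
 {"id": {"time": "2024-03-02T07:30:00.000Z"}, "actor": {"email": "priya@example.com"},
  "events": [{"type": "login", "name": "login_success", "parameters": []}]},
 {"id": {"time": "2024-03-02T12:00:00.000Z"}, "actor": {"email": "lee@example.com"},
  "events": [{"type": "login", "name": "login_verification",
              "parameters": [{"name": "login_challenge_method",
                              "value": "idv_preregistered_phone"}]}]}
]
""")

PHONE_CODE_METHOD = "idv_preregistered_phone"

def challenge_methods(event):
    """Collect login_challenge_method values, whether single- or multi-valued."""
    methods = []
    for param in event.get("parameters", []):
        if param.get("name") != "login_challenge_method":
            continue
        if "value" in param:
            methods.append(param["value"])
        methods.extend(param.get("multiValue", []))
    return methods

def phone_code_users(activities):
    """Map each user who passed 2-Step Verification with a text or voice code
    to the timestamps of those sign-ins, so they can be contacted before enforcement."""
    hits = defaultdict(list)
    for record in activities:
        for event in record.get("events", []):
            if (event.get("name") == "login_verification"
                    and PHONE_CODE_METHOD in challenge_methods(event)):
                hits[record["actor"]["email"]].append(record["id"]["time"])
    return dict(hits)
```

Feed the function the items array from a real activities.list export to get the list of users to contact before the enforcement date.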

Only security key

Before enforcing security keys, review Account reports to find users who set up security keys (report data could be delayed up to 48 hours). To view real-time 2-Step Verification status for each user, go to Manage a user’s security settings.

You can also allow security codes to let users get their work done in situations where security keys aren’t supported. Because security codes aren’t as strong as security keys for 2-Step Verification, you should limit security codes to users who must use browsers, devices, or apps that don’t support security keys.

Security codes are different from the one-time codes that apps like Google Authenticator generate. To generate a security code, the user goes to a device where they can use their security key and taps the key; the resulting security code is valid for 5 minutes.

An example scenario: Priya uses a financial app that only runs on an older browser that doesn't support security keys.

  1. Priya opens the older browser and tries to sign in to the finance app.
  2. She follows the prompts to get a security code on a device where she can use her security key.
  3. Priya opens Chrome on her laptop, and signs in to her Google Account. She might be prompted for her security key if she hasn’t signed in to her Google Account on this browser before.
  4. She navigates to https://g.co/sc.
  5. Priya taps the security key on her laptop to generate a security code. She copies the security code and uses it to complete the browser app sign-in.

Adding security keys for a user: If the user isn’t enrolled in 2-Step Verification, they’re automatically enrolled when you enroll a security key for them. Learn more about managing a user's security settings.

Turn on enforcement

Select an enforcement method and setting.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then 2-Step Verification.

  3. On the right, select an organizational unit or exception group.
  4. Click Allow users to turn on 2-Step Verification.
  5. Under Enforcement, choose when to start enforcing 2-Step Verification.
    • On—Starts immediately.
    • Turn on enforcement from date—Select the start date. Users see reminders to enroll in 2-Step Verification when they sign in.
  6. Set a New user enrollment period.

    Gives your new employees time to enroll before enforcement applies to their accounts. During this period, users can sign in with just their passwords.

    Select a length from 1 day to 6 months. This is how long new users have after their first successful sign-in to enroll in 2-Step Verification.
  7. In the Frequency setting, click Allow user to trust the device (optional).

    Lets users avoid repeated 2-Step Verification on trusted devices. The first time a user signs in from a new device, they can check a box to trust their device. Then the user isn't prompted for 2-Step Verification on the device unless the user clears their cookies or revokes the device, or you reset the user's sign-in cookie.

    Avoiding 2-Step Verification on trusted devices isn't recommended unless your users frequently move between devices. If you don't allow trusted devices, users must use 2-Step Verification every time they sign in.

Options for security keys

Add a backup verification method in case users don't have access to their security key, or need to sign in to an app that doesn't support security keys.

  1. Set the 2-Step Verification policy suspension grace period.

    Let users sign in with a backup verification code that you generate for the user (useful when a user loses their security key). Select the length of this grace period, which starts when you generate the verification code. Learn more

  2. In Security codes, choose whether users can sign in with a security code.
    • Don't allow users to generate security codes—Users can’t generate security codes. (Default option if you signed up for G Suite before November 20, 2019.)
    • Allow security codes without remote access—Users can generate security codes and use them on the same device or local network (NAT or LAN). (Default option if you signed up for G Suite on or after November 20, 2019.)
    • Allow security codes with remote access—Users can generate security codes and use them on other devices or networks, such as when accessing a remote server or a virtual machine.