Set up 2-Step Verification

Deploy 2-Step Verification

You and your users play important roles in setting up 2-Step Verification (2SV). 

Step 1: Notify users of 2-Step Verification deployment (required)

Before deploying 2SV, communicate your company’s plans to your users, including:

  • Describe 2SV and why your company is using it.
  • Indicate whether 2SV is optional or required.
  • If required, provide the date by which users must turn on 2SV.
  • Indicate which 2SV method is required or recommended.

Step 2: Set up basic 2-Step Verification (required)

You select a setting in the Google Admin console that allows users to turn on 2SV. This setting applies to your entire top-level organization, which might consist of multiple domains.

In top-level organizations that were created after December 2016, the 2SV Admin console setting is on by default. In accounts that are created in newer top-level organizations, the 2SV setting is also on by default. When 2SV is on, users can set up a 2SV method.

Allow users in your top-level organization to turn on 2-Step Verification

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Under Two-step verification, check Allow users to turn on 2-step verification.
    Any user in your top-level organization can turn on 2SV and set up any 2SV method.
  4. On the bottom right, click Save.

Tell your users to enroll in 2-Step Verification

  1. Tell your users to enroll in 2SV by following the instructions in Turn on 2-Step Verification.
  2. Provide instructions for enrolling in 2SV methods:

Step 3: Enforce 2-Step Verification (optional)
Enforcing 2SV makes it required for your users. Users who aren’t enrolled in 2SV can’t sign in to their accounts.

Select advanced 2-Step Verification settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Under Two-step verification, verify that Allow users to turn on 2-step verification is checked. If not, check it and click Save.
  4. Click Go to advanced settings to enforce 2-step verification.

Verify user enrollment in 2-Step Verification

Make sure your users are enrolled in 2SV before turning on enforcement. Users who aren’t enrolled won’t be able to sign in to their accounts.
  1. From the Advanced security settings page, under Enforcement and to the right, click enrollment report.
  2. Review the report to see which users aren’t enrolled.
    This data could be delayed up to 48 hours. To view real-time 2SV status for each user, see Manage a user’s security settings.
  3. Inform users who aren’t enrolled that they need to enroll or risk being locked out of their accounts.

Turn on enforcement

Enforce 2SV for admins and key users. See Best practices for 2-Step Verification.

The setting in the Admin console that allows your users to turn on 2SV applies to your entire top-level organization. However, you can choose to enforce 2SV for users in your entire top-level organization or only for users in specific organizational units.

  1. From the Advanced security settings page, on the left, select an organizational unit where you want to enforce 2SV.
    • If you don’t select an organizational unit, your enforcement settings apply to your entire top-level organization.
    • If you want an organizational unit to use the same settings as its parent organization, click Use Inherited on the top right.
  2. Select when to start enforcing 2SV:
    • Turn on enforcement from date—Starts on a date you specify.
    • Turn on enforcement now—Starts immediately.
  3. If you selected to enforce 2SV at a specific date, click the start date on the calendar. Users see reminders to enroll in 2SV when they sign in.
  4. Click Save.

Protect new users from being locked out of their accounts

When you enforce 2SV, give new employees time to enroll before enforcement is applied to their accounts. You can do this by defining a new user enrollment period. During this period, users can sign in with just their passwords.
  1. From the Advanced security settings page, next to New user enrollment period, select a time period from 1 day to 6 months.
    This is how long new users have after their first successful sign-in to enroll in 2SV.
  2. Click Save.

Step 4: Select enforcement options (optional)

Select a 2-Step Verification method to enforce 

When you enforce 2SV, the enforcement method defaults to “Any.” Consider using security keys, which are the most secure 2SV method. See Best practices for 2-Step Verification.

  1. From the Advanced security settings page, under Allowed 2-step verification methods, select a method:
    • Any—Users can set up any 2SV method.
    • Any except verification codes via text, phone call—Users can set up any 2SV method except using their phones to receive 2SV verification codes.
    • Only Security Key—Users must set up a security key.
  2. Click Save.

Ensure a smooth transition to an enforcement policy

When you enforce 2SV, existing users without compatible 2SV methods will be locked out of their accounts when their active sessions expire. You’ll have to help them recover their accounts so they can sign in. Sample scenarios:

  • You’re changing from a policy of 2SV being optional to enforcing 2SV.
  • You enforce 2SV but allow users to choose any method. You're changing to allow any method except using phones to receive 2SV verification codes via text message or voice call.
  • You’re changing from a policy of 2SV being optional, allowing any method, or allowing any method except text or voice call—to requiring security keys as the only 2SV method.

Communicate your plans to enforce 2SV

Communicate your plans and enforcement date before setting an enforcement policy. Give users time to add a 2SV method. For new employees, set up a new user enrollment period as described in “Protect new users from being locked out of their accounts.”

If users don't comply by the enforcement date

You might have users who haven’t set up an appropriate 2SV method by your enforcement date. You can give these users extra time to enroll by putting these users into an exception group where 2SV isn’t enforced until they can add a 2SV method. See Avoid account lockouts when 2-Step Verification is enforced.

While this workaround allows your users to sign in, it’s not recommended as a standard practice because those user accounts aren’t protected by 2SV while they're in the exception group.

Enforcing "Any except verification codes via text, phone call"

If users can currently use any 2SV method, you probably have users who have text and voice call as their only 2SV method. Users won’t be able to sign in using a phone number they used in the past to receive 2SV verification codes via text or voice call. They won’t be able to add any new phone numbers.

Avoid locking out these users from their accounts:

  • Before setting this policy, tell your users to add and start using another 2SV method. Also inform them that they won’t be able to get 2SV verification codes on their phones after a specified enforcement date.
  • Use the login_verification Login Audit activity event to track users who sign in using 2SV verification codes they receive via text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated using a text or voice verification code.
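The audit check described above, as an added example that is not part of the original help article: it scans Login Audit activity records (a constructed sample shaped like the Admin SDK Reports API output, which is an assumption here) for login_verification events whose login_challenge_method is idv_preregistered_phone, and lists the users who still rely on text or voice codes.

```python
import json
from collections import defaultdict

# Constructed sample of Login Audit activity records. The shape (actor,
# id.time, events[].parameters[] with "value" or "multiValue") follows the
# Admin SDK Reports API "login" output; the users and method values are
# made up for this example.
SAMPLE_EVENTS = json.loads("""
[
  {"actor": {"email": "priya@example.com"},
   "id": {"time": "2024-01-10T09:15:00.000Z"},
   "events": [{"name": "login_verification",
               "parameters": [{"name": "login_challenge_method",
                               "multiValue": ["idv_preregistered_phone"]}]}]},
  {"actor": {"email": "nigel@example.com"},
   "id": {"time": "2024-01-10T09:20:00.000Z"},
   "events": [{"name": "login_verification",
               "parameters": [{"name": "login_challenge_method",
                               "multiValue": ["security_key"]}]}]},
  {"actor": {"email": "priya@example.com"},
   "id": {"time": "2024-01-11T08:05:00.000Z"},
   "events": [{"name": "login_success",
               "parameters": [{"name": "login_type", "value": "google_password"}]}]}
]
""")

PHONE_CODE_METHOD = "idv_preregistered_phone"

def challenge_methods(event):
    """Return every login_challenge_method value in one event, whether it
    arrived as a single 'value' or as a 'multiValue' list."""
    methods = []
    for param in event.get("parameters", []):
        if param.get("name") != "login_challenge_method":
            continue
        if "value" in param:
            methods.append(param["value"])
        methods.extend(param.get("multiValue", []))
    return methods

def users_relying_on_phone_codes(activities):
    """Map each user who passed a login_verification with a text/voice code
    to the timestamps of those sign-ins, so they can be told to add another
    2SV method before the policy changes."""
    hits = defaultdict(list)
    for activity in activities:
        for event in activity.get("events", []):
            if event.get("name") != "login_verification":
                continue
            if PHONE_CODE_METHOD in challenge_methods(event):
                hits[activity["actor"]["email"]].append(activity["id"]["time"])
    return dict(hits)

if __name__ == "__main__":
    for user, times in users_relying_on_phone_codes(SAMPLE_EVENTS).items():
        print(f"{user}: {len(times)} text/voice-code sign-in(s), last {max(times)}")
```

Run it against activity pages pulled from the Reports API over the weeks before the enforcement date; each user it lists is a lockout candidate under "Any except verification codes via text, phone call".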

Enforcing "Only Security Key"

Before enforcing this policy, review user security settings to make sure that your users have set up their security keys:

  • Under Only security key, click users have registered security keys to generate a list of users.
  • Click on a user in the list to see their settings.

Allow backup codes when users lose security keys

If you enforce security keys as the only accepted 2SV method and a user loses their security key, they need a way to sign in while they get a new key. You can allow users to use backup codes for a specified grace period.
  1. From the Advanced security settings page, next to 2-step verification policy suspension grace period, select a time period from 1 day to 1 week.
    The grace period starts when you generate the backup codes.
  2. Click Save.

Allow security codes when security keys aren't supported

If you enforce security keys, some of your users might have trouble using some apps. Users can’t use their Google credentials to sign in to web apps that run on platforms that don’t support security keys. These platforms include mobile iOS, Safari, and Internet Explorer. Here are some examples:
  • A corporate web app runs only on a browser that doesn’t support security keys
    Priya works in Finance, and she uses a financial web app that only runs on Internet Explorer 8.0. Because security keys are enforced, she can’t sign in to the web app using her Google Account.
  • Initial iPhone setup
    Nigel is in Sales and has a new iPhone. To set up the iPhone, he needs to sign in to his Google Account on the iPhone. But because Safari and mobile iOS don’t support security keys, he can’t sign in and can’t set up the iPhone.

Enable security codes

When a platform doesn’t support security keys, you can allow users to sign in and authenticate with a special, one-time security code. Users can generate this code only on a device that supports security keys.

  1. From the Advanced security settings page, under Allowed 2-step verification methods, Only Security Key, select Users may utilize a security code from https://g.co/sc instead of security keys as 2SV.
  2. Click Save.

How security codes work

Security codes are different from one-time codes that apps like Google Authenticator generate. To generate a security code, a user needs a device where they can use their security key. A user touches the security key to generate a security code.

When to allow security codes

When you enforce security keys, allowing security codes lets users get their work done when security keys aren’t supported. However, because security codes aren’t as strong as security keys for 2SV, you should allow security codes only for users who need to work on platforms or apps that don’t support security keys.

User experience

Here’s how Priya in Finance can use the financial web app that runs on Internet Explorer 8.0.

  1. Priya signs in to her laptop using her Google credentials.
  2. To authenticate her identity, she inserts a security key into a USB port on the laptop or taps a security key that’s already inserted.
  3. Priya launches Internet Explorer 8.0 and tries to sign in to the finance app.
  4. She follows the prompts to get a one-time security code on a device where she can use her security key.
  5. Priya launches Chrome on her laptop and navigates to https://g.co/sc.
  6. She taps her security key and generates a security code.
  7. She copies the security code and uses it to complete the Internet Explorer web app sign in.

Currently only Chrome and Firefox support security keys. One-time security codes are valid for 5 minutes.

Let users avoid repeated 2-Step Verification on trusted devices

Allowing users to avoid 2SV on trusted devices isn't recommended unless your users frequently move between devices.

  1. From the Advanced security settings page, under 2-step verification frequency, select an option:
    • Allow the user to trust the device at 2-step verification—The first time a user signs in from a new device, they can check a box to trust their device and skip 2SV on that device. The user isn't asked again for 2SV on that device unless the user clears their cookies, you reset the user's sign-in cookies, or the user revokes the device in their account.
    • Do not allow the user to trust the device at 2-step verification—Users must use 2SV every time they sign in.
  2. Click Save.

Step 5: Manage security keys (optional)

Add a security key for a user

You can add a security key to a user account. If the user isn’t enrolled in 2SV, they’re automatically enrolled when you enroll a security key for them. See Manage a user's security settings.
