Set up 2-Step Verification

Deploy 2-Step Verification

You and your users play important roles in setting up 2-Step Verification (2SV). 

Step 1: Notify users of 2-Step Verification deployment (required)

Before deploying 2SV, communicate your company’s plans to your users, including:

  • Describe 2SV and why your company is using it.
  • Indicate whether 2SV is optional or required.
  • If required, provide the date by which users must turn on 2SV.
  • Indicate which 2SV method is required or recommended.

Step 2: Set up basic 2-Step Verification (required)

You select a setting in the Google Admin console that allows users to turn on 2SV. This setting applies to your entire top-level organization, which might consist of multiple domains.

In top-level organizations that were created after December 2016, the 2SV Admin console setting is on by default. In accounts that are created in newer top-level organizations, the 2SV setting is also on by default. When 2SV is on, users can set up a 2SV method.

Allow users in your top-level organization to turn on 2-Step Verification

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Under Two-step verification, check Allow users to turn on 2-step verification.
    Any user in your top-level organization can turn on 2SV and set up any 2SV method.
  4. On the bottom right, click Save.

Tell your users to enroll in 2-Step Verification

  1. Tell your users to enroll in 2SV by following the instructions in Turn on 2-Step Verification.
  2. Provide instructions for enrolling in 2SV methods:

Step 3: Enforce 2-Step Verification (optional)


Enforcing 2SV makes it required for your users. Users who aren’t enrolled in 2SV can’t sign in to their accounts.

Select advanced 2-Step Verification settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Under Two-step verification, verify that Allow users to turn on 2-step verification is checked. If not, check it and click Save.
  4. Click Go to advanced settings to enforce 2-step verification.

Verify user enrollment in 2-Step Verification

Make sure your users are enrolled in 2SV before turning on enforcement. Users who aren’t enrolled won’t be able to sign in to their accounts.
  1. From the Advanced security settings page, under Enforcement and to the right, click enrollment report.
  2. Review the report to see which users aren’t enrolled.
    This data could be delayed up to 48 hours. To view real-time 2SV status for each user, see Manage a user’s security settings.
  3. Inform users who aren’t enrolled that they need to enroll or risk being locked out of their accounts.
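The same pre-enforcement check can be scripted. The following is an added example, not part of the original article or Google's own tooling: it finds users who would be locked out if enforcement were turned on for a given organizational unit. It assumes user records exported with the Admin SDK Directory API field names primaryEmail, orgUnitPath, isAdmin, isEnrolledIn2Sv and suspended, that child organizational units inherit the parent's enforcement setting, and that suspended accounts can be ignored; the sample records are constructed.

```python
import json

# Constructed sample records using Directory API user field names (not real accounts).
SAMPLE_USERS = json.loads("""[
  {"primaryEmail": "admin@example.com", "orgUnitPath": "/", "isAdmin": true, "isEnrolledIn2Sv": false},
  {"primaryEmail": "alice@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": true},
  {"primaryEmail": "bob@example.com", "orgUnitPath": "/Sales/EMEA", "isEnrolledIn2Sv": false},
  {"primaryEmail": "carol@example.com", "orgUnitPath": "/SalesOps", "isEnrolledIn2Sv": false},
  {"primaryEmail": "dave@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": false, "suspended": true}
]""")


def in_org_unit(user_path, target_path):
    """True if user_path is target_path or one of its child organizational units."""
    target = target_path.rstrip("/")
    if not target:  # "/" means the entire top-level organization
        return True
    # Match on a path boundary so "/SalesOps" is not treated as part of "/Sales".
    return user_path == target or user_path.startswith(target + "/")


def active_in_scope(users, org_unit):
    """Non-suspended users whose organizational unit falls under org_unit."""
    return [u for u in users
            if not u.get("suspended", False)
            and in_org_unit(u.get("orgUnitPath", "/"), org_unit)]


def lockout_risk(users, org_unit="/"):
    """Active users in scope who are not enrolled in 2SV, admins listed first."""
    # A missing isEnrolledIn2Sv field is treated as "not enrolled".
    risk = [u for u in active_in_scope(users, org_unit)
            if not u.get("isEnrolledIn2Sv", False)]
    return sorted(risk, key=lambda u: (not u.get("isAdmin", False), u["primaryEmail"]))


def readiness_summary(users, org_unit="/"):
    """Summarize whether enforcement can be turned on for org_unit without lockouts."""
    risk = lockout_risk(users, org_unit)
    return {
        "org_unit": org_unit,
        "active_users": len(active_in_scope(users, org_unit)),
        "not_enrolled": [u["primaryEmail"] for u in risk],
        "ready_to_enforce": not risk,
    }


if __name__ == "__main__":
    for ou in ("/", "/Sales"):
        print(json.dumps(readiness_summary(SAMPLE_USERS, ou), indent=2))
```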

Turn on enforcement

Enforce 2SV for admins and key users. See Best practices for 2-Step Verification.

The setting in the Admin console that allows your users to turn on 2SV applies to your entire top-level organization. However, you can choose to enforce 2SV for users in your entire top-level organization or only for users in specific organizational units.

  1. From the Advanced security settings page, on the left, select an organizational unit where you want to enforce 2SV.
    • If you don’t select an organizational unit, your enforcement settings apply to your entire top-level organization.
    • If you want an organizational unit to use the same settings as its parent organization, click Use Inherited on the top right.
  2. Select an enforcement option:
    • Turn on enforcement from date—Starts on a date you specify.
    • Turn on enforcement now—Starts immediately.
  3. If you selected to enforce 2SV at a specific date, click the start date on the calendar. Users see reminders to enroll in 2SV when they sign in.
  4. Click Save.

Protect new users from being locked out of their accounts

When you enforce 2SV, give new employees time to enroll before enforcement is applied to their accounts. You can do this by defining a new user enrollment period. During this period, users can sign in with just their passwords.
  1. From the Advanced security settings page, next to New user enrollment period, select a time period from 1 day to 6 months.
    This is how long new users have after their first successful sign-in to enroll in 2SV.
  2. Click Save.

Select a 2-Step Verification method to enforce 

Consider using security keys, which are the most secure 2SV method. See Best practices for 2-Step Verification.

  1. From the Advanced security settings page, under Allowed 2-step verification methods, select a method:
    • Any—Users can set up any 2SV method.
    • Only Security Key—Users must set up a security key.
  2. If you selected Only Security Key, review user security settings to make sure that your users have set up their security keys.
  3. Generate a list of users by clicking users have registered security keys.
  4. Click on a user in the list to see their settings.
  5. Click Save.

Allow backup codes when users lose security keys

If you enforce security keys as the only accepted 2SV method and a user loses their security key, they need a way to sign in while they get a new key. You can allow users to use backup codes for a specified grace period.
  1. From the Advanced security settings page, next to 2-step verification policy suspension grace period, select a time period from 1 day to 1 week.
    The grace period starts when you generate the backup codes.
  2. Click Save.

Let users avoid repeated 2-Step Verification on trusted devices

  1. From the Advanced security settings page, under 2-step verification frequency, select an option:
    • Allow the user to trust the device at 2-step verification—The first time a user signs in from a new device, they can check a box to trust their device and skip 2SV on that device again. This is recommended unless your users frequently move between devices.
    • Do not allow the user to trust the device at 2-step verification—Users must use 2SV every time they sign in.
  2. Click Save.

Step 4: Manage security keys (optional)

Add a security key for a user

You can add a security key to a user account. If the user isn’t enrolled in 2SV, they’re automatically enrolled when you enroll a security key for them. See Manage a user's security settings.

 
