Set up 2-Step Verification

Recover an account protected by 2-Step Verification

If 2-Step Verification is enforced at your company, administrators or users won’t be able to sign in to their accounts if they lose access to their method, or haven't set up 2-Step verification. For example:
  • An administrator or user loses their security key.
  • A user loses their phone and can't generate 2-Step Verification codes.
  • A user doesn’t enroll in 2-Step Verification by the end of the new user enrollment period.
  • A newly-created user can't sign in to their account to set up 2-Step verification.

Prepare for account recovery

  • Administrators should have a spare security key—Administrators should enroll more than one security key for their administrator account and store it in a safe place.
  • Save backup codes ahead of time—Administrators and users should generate and print backup codes in case they’re needed in the future. Keep backup codes in a secure location.
  • Generate codes for a user—If a locked-out user doesn't have backup codes, you can generate codes for them. See the instructions in User account on this page.
  • Set up an additional administrator—If an administrator can’t sign in to their administrator account, another administrator can generate backup codes for them.
  • If security keys are required, set up a grace period—When you set up 2SV enforcement, define a 2-step verification policy suspension grace period. Users can enter a backup code for 2SV during the grace period.

Use backup codes for account recovery

If you need to recover an account, use backup codes. Accounts are still protected by 2SV, and backup codes are easy to generate. Accounts might not be protected by 2SV if you move users into exception groups where 2SV isn’t required.

You would use a 2SV exception group when you’re changing your organizational structure and need to move a lot of users from one organization to another. See Move users between organizations when 2-Step Verification is enforced.

Recover an account

User account
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Users.
  3. Click the user you want in the list.  
    You see summary information about that user. If you need help, see Find a user account.
  4. Click Security.
  5. Click 2-step verification.

    Note: You can only access 2-step verification settings for a user if 2-step verification is currently enforced for your organization.

  6. Click Get Backup Verification Codes.
  7. Copy one of the verification codes.
  8. Click Done.
  9. Send the backup code to the user in an IM or text message.
    The user can sign in to their account using a password and the backup code.

Administrator account

  1. Ask another admin at your company to generate backup codes, as described above in recovering a user account.
  2. If another administrator isn’t available, follow the instructions to reset your administrator password.

About using a secondary username for account recovery

In some cases, you can use a secondary username to recover your account. This practice is discouraged because it’s not secure. If the secondary username isn’t covered by 2SV, it can be compromised—and so can your administrator account.

If your company has 3 or more super administrators or more than 500 users, you can’t use a secondary username for account recovery (it’s disabled).

 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false