- An administrator or user loses their security key.
- A user loses their phone and can't generate 2-Step Verification codes.
- A user doesn’t enroll in 2-Step Verification by the end of the new user enrollment period.
- A newly-created user can't sign in to their account to set up 2-Step verification.
Prepare for account recovery
- Administrators should have a spare security key—Administrators should enroll more than one security key for their administrator account and store it in a safe place.
- Save backup codes ahead of time—Administrators and users should generate and print backup codes in case they’re needed in the future. Keep backup codes in a secure location.
- Generate codes for a user—If a locked-out user doesn't have backup codes, you can generate codes for them. See the instructions in User account on this page.
- Set up an additional administrator—If an administrator can’t sign in to their administrator account, another administrator can generate backup codes for them.
- If security keys are required, set up a grace period—When you set up enforcement for 2-Step Verification, set up a grace period. Users can enter a backup code for 2-Step Verification during the grace period. For details, go to Deploy 2-Step Verification.
Use backup codes for account recovery
If you need to recover an account, use backup codes. Accounts are still protected by 2-Step Verification, and backup codes are easy to generate. If you move users into a configuration group or change their organizational unit and 2-Step Verification isn’t required, their accounts are no longer protected by 2-Step Verification. For more details, go to Avoid account lockouts when 2-Step Verification is enforced.
Recover an account
- In the Admin console, go to Menu DirectoryUsers.
- Click the user you want in the list.
You see summary information about that user. If you need help, see Find a user account.
- Click Security.
- Click 2-step verification.
Note: You can only access 2-step verification settings for a user if 2-step verification is currently enforced for your organization.
- Click Get Backup Verification Codes.
- Copy one of the verification codes.
- Send the backup code to the user in an IM or text message.
The user can sign in to their account using a password and the backup code.
- Ask another admin at your company to generate backup codes, as described above in recovering a user account.
- If another administrator isn’t available, follow the instructions to reset your administrator password.
About using a secondary username for account recovery
In some cases, you can use a secondary username to recover your account. This practice is discouraged because it’s not secure. If the secondary username isn’t covered by 2-Step Verification, it can be compromised—and so can your administrator account.
If your company has 3 or more super administrators or more than 500 users, you can’t use a secondary username for account recovery (it’s disabled).