Force users to sign in using 2-Step or Multi-Factor Authentication

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome enterprise admin, you can implement 2-Step Verification (2-SV) or Multi-Factor Authentication (MFA) in your organization and force users to regularly sign in to their ChromeOS devices.

This means that your users must regularly sign in to their account in two or more steps, which provides additional security for your organization.

What are authentication factors

An authentication factor is a piece of information and process used to authenticate a user's identity for security purposes.

Authentication factors can be classified into three groups:

  • something you know, such as a password or personal identification number (PIN)
  • something you have, such as a security key or a smartphone
  • something you are (biometrics), such as fingerprints and face recognition

When a user is signing in using 2-SV or MFA, they must provide all the required authentication methods or they will not be given access.

The following are examples of authentication:

  • 2-SV when a user adds an account to a ChromeOS device
  • 2-SV when a user signs into their user account
  • 2-SV when a user unlocks a ChromeOS device
  • passwordless authentication when a user uses a fingerprint or PIN to unlock the lock screen on their ChromeOS device

For details on why and when you should use 2-SV or MFA in your organization, see Protect your business with 2-Step Verification.

Before you begin

  • If you have an existing Chrome deployment, notify users in advance. Tell them that they need to sign in to their managed Google Account on a specific date.

Step 1: Select the policies

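For users signing into their ChromeOS device without SAML single sign-on (SSO), you can use the following policies:

  • GaiaOfflineSigninTimeLimitDays
  • GaiaLockScreenOfflineSigninTimeLimitDays

For users signing into their ChromeOS device with SAML single sign-on (SSO), you can use the following policies:

  • SAMLOfflineSigninTimeLimit
  • SamlLockScreenOfflineSigninTimeLimitDays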

Step 2: Review the policies

You can set one or more of the following policies:

Policy Description and settings
GaiaOfflineSigninTimeLimitDays

Sets the frequency of forced online sign-ins on the login screen for users signing into their ChromeOS device without SAML single sign-on (SSO).

Enter a value, in days:

  • 0—Users are always required to use online sign-in.
  • 1-365—After the set frequency period, users are required to use online sign-in the next time they start a session.

Left empty, users are not required to regularly use online sign-in.

GaiaLockScreenOfflineSigninTimeLimitDays

Sets the frequency of forced online sign-in on the lock screen for users signing into their ChromeOS device without SAML single sign-on (SSO).

Enter a value, in days:

  • 0—Users are always required to use online sign-in on their lock screen.
  • 1-365—After the set frequency period, users are required to use online sign-in the next time they unlock their lock screen.

Left empty, users are not required to regularly use online sign-in to unlock their lock screen.

SAMLOfflineSigninTimeLimit

Sets the frequency of forced online sign-in flows for SAML-based single sign-on (SSO) accounts on the login screen.

Choose a sign-on frequency option.

If you select Never, users are never required to use online sign-in.

SamlLockScreenOfflineSigninTimeLimitDays

Sets the frequency of forced online sign-in for users with SAML on their lock screen.

Enter a value, in days:

  • 0—Users are always required to use online sign-in on their lock screen.
  • 1-365—After the set frequency period, users are required to use online sign-in the next time they unlock their lock screen.

Left empty, users are not required to regularly use online sign-in to unlock their lock screen.

Step 3: Set the policies

Click below for steps, based on how you want to manage these policies.

Can apply for signed-in users on any device. For details, see Understand when settings apply.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Settings. The User & browser settings page opens by default.

    If you signed up for Chrome Browser Cloud Management, go to Menu > Chrome browser > Settings.

  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Go to Security.
  5. For users without SAML SSO, do the following:
    1. Click Google online login frequency, enter a value in days, and click Save:
      • 0—Users are always required to use online sign-in.
      • 1-365—After the set frequency period, users are required to use online sign-in the next time they start a session.
    2. Click Google online unlock frequency, enter a value in days, and click Save:
      • 0—Users are always required to use online sign-in on their lock screen.
      • 1-365—After the set frequency period, users are required to use online sign-in the next time they unlock their lock screen.
  6. For users with SAML SSO, do the following:
    1. Click SAML single sign-on login frequency, set a frequency period for forced online sign-in, and click Save.
    2. Click SAML single sign-on unlock frequency, enter a value in days, and click Save:
      • 0—Users are always required to use online sign-in on their lock screen.
      • 1-365—After the set frequency period, users are required to use online sign-in the next time they unlock their lock screen.

Step 4: Verify policies have been applied

After you apply any Chrome policies, users need to restart Chrome Browser for the setting to take effect. You can check users’ devices to make sure the policy was applied correctly.

  1. On a managed Chrome device, browse to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. As applicable, for GaiaOfflineSigninTimeLimitDays, GaiaLockScreenOfflineSigninTimeLimitDays, SAMLOfflineSigninTimeLimit, and SamlLockScreenOfflineSigninTimeLimitDays, make sure Status is set to OK.
  5. For all policies, click Show value and make sure that the value fields are the same as what you set in the policy.
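The value rules from Step 2 can be checked mechanically once you have noted the values shown on chrome://policy. The following is an added example, not Google's code: the function names, the `SAMPLE` values and the whole-day boundary handling are assumptions made for illustration.

```python
# Day-valued policies described on this page. SAMLOfflineSigninTimeLimit
# is left out: the page gives it as a choice of options, not a day count.
DAY_POLICIES = (
    "GaiaOfflineSigninTimeLimitDays",
    "GaiaLockScreenOfflineSigninTimeLimitDays",
    "SamlLockScreenOfflineSigninTimeLimitDays",
)

def classify(value):
    """Map a policy value to the behaviour the page describes."""
    if value is None:
        return "never"  # left empty: online sign-in is not regularly required
    if isinstance(value, bool) or not isinstance(value, int):
        return "invalid"
    if value == 0:
        return "always"
    return "periodic" if 1 <= value <= 365 else "invalid"

def online_signin_required(value, days_since_online):
    """True if the next sign-in or unlock must be an online one."""
    kind = classify(value)
    if kind == "invalid":
        raise ValueError(f"policy value out of range: {value!r}")
    if kind == "never":
        return False
    # Assumption: the period has elapsed once the day count reaches the value.
    return kind == "always" or days_since_online >= value

def audit(observed, names=DAY_POLICIES):
    """Return (policy, finding) pairs for values that weaken enforcement."""
    findings = []
    for name in names:
        kind = classify(observed.get(name))
        if kind == "never":
            findings.append((name, "not set: online sign-in is never forced"))
        elif kind == "invalid":
            findings.append((name, f"invalid value {observed[name]!r}: expected 0-365"))
    return findings

# Constructed sample: values as read from the "Show value" column.
SAMPLE = {
    "GaiaOfflineSigninTimeLimitDays": 7,
    "GaiaLockScreenOfflineSigninTimeLimitDays": None,
    "SamlLockScreenOfflineSigninTimeLimitDays": 400,
}

if __name__ == "__main__":
    for policy, finding in audit(SAMPLE):
        print(f"{policy}: {finding}")
```

Pass `names` to `audit` to restrict the check to the policies that apply to your sign-in method, for example only the two Gaia policies when SAML SSO is not in use.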
