You and your users play important roles in setting up 2-Step Verification. Your users can choose their 2-Step Verification method, or you can enforce a method for certain users or groups in your organization. For example, you can require a small team in Sales to use security keys.
Step 1: Notify users of 2-Step Verification deployment
Before deploying 2-Step Verification, communicate your company’s plans to your users, including:
- What 2-Step Verification is and why your company is using it.
- Whether 2-Step Verification is optional or required.
- If required, give the date by which users must turn on 2-Step Verification.
- Which 2-Step Verification method is required or recommended.
Step 2: Allow users to turn on 2-Step Verification
Note: For user accounts created before December 2016, the option for users to turn on 2-Step Verification is already enabled by default.
Let users turn on 2-Step Verification and use any verification method.
- Sign in to your Google Admin console using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Authentication > 2-step verification.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
- Check the Allow users to turn on 2-Step Verification box.
- Select Enforcement
Off.
- Click Save. If you configured a child organizational unit or group, you might be able to Inherit or Override the parent organizational unit's setting, or Unset the group's setting.
Step 3: Tell your users to enroll in 2-Step Verification
- Tell your users to enroll in 2-Step Verification by following the instructions in Turn on 2-Step Verification.
- Provide instructions for enrolling in the 2-Step Verification methods you recommend or require.
Step 4: Track users' enrollment
Use reports to measure and track your users' enrollment in 2-Step Verification. Check each user's enrollment status, enforcement status, and number of security keys.
- Sign in to your Google Admin console using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Reporting > Reports > User Reports > Security.
- (Optional) To add a new column of information, click Settings > Add new column. Select the column to add to the table and click Save.
For more information, go to Manage a user's security settings.
View enrollment trends
- Sign in to your Google Admin console using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Reports > Apps Reports > Accounts.
Identify organizational units and groups that aren't using 2-Step Verification
- Sign in to your Google Admin console using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Security center > Security health.
-
Search Security Health for Two-step verification for admins or Two-step verification for users to review 2-Step Verification information.
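The enrollment figures above are also available programmatically, which is the practical way to gate enforcement on a large domain. The following is an added example, not code from this page or from Google: it parses the JSON that the Admin SDK Reports API user usage report (userUsageReport.get) returns when requested with the parameters accounts:is_2sv_enrolled, accounts:is_2sv_enforced and accounts:num_security_keys, summarizes progress, and lists the users who would be locked out if enforcement were switched on for a given method. The embedded report is constructed sample data; a real one is fetched over the API and, as noted below for security keys, can lag the live state by up to 48 hours.

```python
"""Pre-enforcement readiness check for 2-Step Verification (added example)."""
import json
from dataclasses import dataclass

# Constructed sample in the userUsageReport.get response shape. In the API's
# JSON, intValue is a string, which is why it is converted with int() below.
SAMPLE_REPORT = json.dumps({
    "kind": "admin#reports#usageReports",
    "usageReports": [
        {"date": "2024-05-01",
         "entity": {"type": "USER", "userEmail": "alice@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": True},
             {"name": "accounts:is_2sv_enforced", "boolValue": False},
             {"name": "accounts:num_security_keys", "intValue": "2"}]},
        {"date": "2024-05-01",
         "entity": {"type": "USER", "userEmail": "bob@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": True},
             {"name": "accounts:is_2sv_enforced", "boolValue": False},
             {"name": "accounts:num_security_keys", "intValue": "0"}]},
        {"date": "2024-05-01",
         "entity": {"type": "USER", "userEmail": "carol@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": False},
             {"name": "accounts:is_2sv_enforced", "boolValue": False},
             {"name": "accounts:num_security_keys", "intValue": "0"}]},
    ],
})


@dataclass
class UserStatus:
    email: str
    enrolled: bool
    enforced: bool
    security_keys: int


def parse_usage_report(raw: str) -> list[UserStatus]:
    """Flatten one page of the usage report into UserStatus records."""
    users = []
    for row in json.loads(raw).get("usageReports", []):
        params = {p["name"]: p for p in row.get("parameters", [])}
        users.append(UserStatus(
            email=row["entity"]["userEmail"],
            enrolled=params.get("accounts:is_2sv_enrolled", {}).get("boolValue", False),
            enforced=params.get("accounts:is_2sv_enforced", {}).get("boolValue", False),
            security_keys=int(params.get("accounts:num_security_keys", {}).get("intValue", "0")),
        ))
    return users


def would_be_locked_out(users: list[UserStatus], method: str) -> list[str]:
    """Emails that cannot satisfy the chosen enforcement method today.

    method is "any" (Methods: Any) or "security_key" (Methods: Only security
    key). An unenrolled user fails both; a user enrolled with phone, prompt or
    authenticator codes but no registered key fails "security_key".
    """
    if method not in ("any", "security_key"):
        raise ValueError(f"unknown method {method!r}")
    blocked = [u.email for u in users
               if not u.enrolled or (method == "security_key" and u.security_keys == 0)]
    return sorted(blocked)


def summarize(users: list[UserStatus]) -> dict[str, int]:
    """Counts to compare between report runs while tracking enrollment."""
    return {
        "total": len(users),
        "enrolled": sum(u.enrolled for u in users),
        "enforced": sum(u.enforced for u in users),
        "with_security_key": sum(u.security_keys > 0 for u in users),
    }


if __name__ == "__main__":
    roster = parse_usage_report(SAMPLE_REPORT)
    print(summarize(roster))
    print("locked out under Any:", would_be_locked_out(roster, "any"))
    print("locked out under Only security key:", would_be_locked_out(roster, "security_key"))
```

Run the check against a fresh report the day before the enforcement date and again on the day itself; an empty list from would_be_locked_out for the method you intend to enforce is the condition the "Before you begin" warning in Step 5 asks you to meet.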
Step 5: Enforce 2-Step Verification (Optional)
Before you begin: Make sure users are enrolled in 2-Step Verification. If you turn on enforcement, users who aren’t enrolled can't sign in to their accounts.
- Sign in to your Google Admin console using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Authentication > 2-step verification.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
- Check the Allow users to turn on 2-Step Verification box.
- For Enforcement, choose an option:
- On—Starts immediately.
- Turn on enforcement from date—Select the start date. Users see reminders to enroll in 2-Step Verification when they sign in.
Note: With Turn on enforcement from date, enforcement starts within 24-48 hours of the chosen date. If you need a precise enforcement start time, use On.
- (Optional) To give new employees time to enroll before enforcement applies to their accounts, for New user enrollment period, select a timeframe from 1 day to 6 months. During this period, users can sign in with just their passwords.
- (Optional) To let users avoid repeated 2-Step Verification checks on trusted devices, under Frequency, check the Allow user to trust the device box. The first time a user signs in from a new device, they can check a box to trust it. The user then isn't prompted for 2-Step Verification on that device unless they clear their cookies, the device is revoked, or you reset the user's sign-in cookies. Skipping 2-Step Verification on trusted devices isn't recommended unless your users frequently move between devices; the exemption lives in the browser session, so anyone who obtains that session also skips the second factor.
- For Methods, select the enforcement method:
- Any—Users can set up any 2-Step Verification method.
- Any except verification codes via text, phone call—Users can set up any 2-Step Verification method except using their phones to receive 2-Step Verification verification codes.
Important: Users who verify with texts or phone calls will be locked out of their accounts. To avoid locking out these users:
- Before enforcement, tell them to switch to another 2-Step Verification method, because verification codes will no longer be sent to their phones after the enforcement date.
- Use the login_verification event in the Login audit log to find users who still use codes from a text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated with a text or voice verification code.
- Only security key—Users must set up a security key.
Before selecting this enforcement method, find users who already set up security keys (report data could be delayed up to 48 hours). To view real-time 2-Step Verification status for each user, go to Manage a user’s security settings.
- If you select Only security key, set the 2-Step Verification policy suspension grace period. This period lets a user sign in with a backup verification code that you generate for them, which is useful when a user loses their security key. Select the length of the grace period, which starts when you generate the code. For information on backup codes, go to Get backup verification codes for a user.
- For Security codes, choose whether users can sign in with a security code:
- Don't allow users to generate security codes—Users can’t generate security codes.
- Allow security codes without remote access—Users can generate security codes and use them on the same device or local network (NAT or LAN).
- Allow security codes with remote access—Users can generate security codes and use them on other devices or networks, such as when accessing a remote server or a virtual machine.
Security codes are different from the one-time codes that apps like Google Authenticator generate. To get a security code, the user taps their security key on a device that supports it; the resulting code is valid for 5 minutes.
- Click Save. If you configured a child organizational unit or group, you might be able to Inherit or Override the parent organizational unit's setting, or Unset the group's setting.
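The Login audit signal mentioned under the "Any except verification codes via text, phone call" method is easiest to act on in bulk. The following is an added example, not code from this page or from Google: it walks the activities JSON returned by the Admin SDK Reports API (activities.list with applicationName=login), keeps every login_verification event whose login_challenge_method is idv_preregistered_phone, and reports which users still rely on text or voice codes, how often, and when last. The events embedded here are constructed sample data; the layout (items[].actor.email, items[].id.time, items[].events[].name, and events[].parameters[] carrying either value or multiValue) follows the Reports API activity resource, and the non-phone method string in the sample is a placeholder rather than a documented value.

```python
"""Find users who still verify with text or voice codes (added example)."""
import json
from collections import defaultdict

PHONE_CODE = "idv_preregistered_phone"  # value named in the page's guidance

# Constructed sample activities. alice used a phone code twice (once recorded
# as multiValue, once as value, so both encodings are exercised), bob used some
# other method (placeholder string), carol's event is not a verification event.
SAMPLE_ACTIVITIES = json.dumps({
    "kind": "admin#reports#activities",
    "items": [
        {"id": {"time": "2024-05-01T08:02:11.000Z"},
         "actor": {"email": "alice@example.com"},
         "events": [{"type": "login", "name": "login_verification",
                     "parameters": [{"name": "login_challenge_method",
                                     "multiValue": [PHONE_CODE]}]}]},
        {"id": {"time": "2024-05-02T17:45:03.000Z"},
         "actor": {"email": "alice@example.com"},
         "events": [{"type": "login", "name": "login_verification",
                     "parameters": [{"name": "login_challenge_method",
                                     "value": PHONE_CODE}]}]},
        {"id": {"time": "2024-05-02T09:10:00.000Z"},
         "actor": {"email": "bob@example.com"},
         "events": [{"type": "login", "name": "login_verification",
                     "parameters": [{"name": "login_challenge_method",
                                     "multiValue": ["placeholder_non_phone_method"]}]}]},
        {"id": {"time": "2024-05-03T11:00:00.000Z"},
         "actor": {"email": "carol@example.com"},
         "events": [{"type": "login", "name": "login_success",
                     "parameters": []}]},
    ],
})


def challenge_methods(event: dict) -> list[str]:
    """Collect login_challenge_method values whether encoded as value or multiValue."""
    methods = []
    for p in event.get("parameters", []):
        if p.get("name") != "login_challenge_method":
            continue
        if "multiValue" in p:
            methods.extend(p["multiValue"])
        elif "value" in p:
            methods.append(p["value"])
    return methods


def phone_code_users(raw: str) -> dict[str, dict]:
    """Map each user who verified by text/voice code to a count and last-seen time."""
    seen = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for item in json.loads(raw).get("items", []):
        email = item.get("actor", {}).get("email")
        when = item.get("id", {}).get("time", "")
        for ev in item.get("events", []):
            if ev.get("name") != "login_verification":
                continue
            if PHONE_CODE in challenge_methods(ev):
                rec = seen[email]
                rec["count"] += 1
                # Timestamps are ISO-8601 UTC, so string comparison orders them.
                rec["last_seen"] = max(rec["last_seen"], when)
    return dict(seen)


if __name__ == "__main__":
    for email, rec in sorted(phone_code_users(SAMPLE_ACTIVITIES).items()):
        print(f"{email}: {rec['count']} phone-code verification(s), last {rec['last_seen']}")
```

Feed the function each page of the activities response over the window you care about (the last few weeks before the enforcement date is usually enough), and send the resulting list the pre-enforcement notice from the Important box above; anyone still on it on the enforcement day is a lockout waiting to happen.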
If users don't comply by the enforcement date
You can give users extra time to enroll by adding them to a group where 2-Step Verification isn’t enforced. While this workaround allows users to sign in, it’s not recommended as a standard practice. Learn how to avoid account lockouts when 2-Step Verification is enforced.