You and your users play important roles in setting up 2-Step Verification (2SV). Your users can choose their 2SV method, or you can enforce a method for certain users or groups in your organization. For example, you can require a small team in Sales to use security keys.
Step 1: Notify users of 2-Step Verification deployment
Before deploying 2SV, communicate your company’s plans to your users, including:
- What 2SV is and why your company is using it.
- Whether 2SV is optional or required.
- If required, give the date by which users must turn on 2SV.
- Which 2SV method is required or recommended.
Step 2: Allow users to turn on 2-Step Verification
User accounts created before December 2016 have 2SV on by default.
Let users turn on 2SV and use any verification method.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAuthentication2-step verification.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
- Check the Allow users to turn on 2-Step Verification box.
- Select EnforcementOff.
- Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.
Step 3: Tell your users to enroll in 2-Step Verification
- Tell your users to enroll in 2SV by following the instructions in Turn on 2-Step Verification.
- Provide instructions for enrolling in 2SV methods:
Step 4: Track users' enrollment
Use reports to measure and track your users' enrollment in 2SV. Check users' enrollment status, enforcement status, and number of security keys.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu ReportingReportsUser ReportsSecurity.
- (Optional) To add a new column of information, click Settings Add new column. Select the column to add to the table and click Save.
For more information, go to Manage a user's security settings.
View enrollment trends
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to ReportsApps ReportsAccounts.
Identify organizational units and groups that aren't using 2-Step Verification
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu SecuritySecurity center Security health.
-
Search Security Health for Two-step verification for admins or Two-step verification for users to review 2SV information.
Step 5: Enforce 2-Step Verification (Optional)
Before you begin: Make sure users are enrolled in 2SV.
Important: When 2SV is enforced, users who have not completed the 2SV enrollment process, but have added 2-Factor Authentication (2FA) information to their account, such as a security key or phone number, will be able to sign in using this information. If you see a sign in from an unenrolled user who belongs to an organizational unit where 2SV has been enforced, that is a 2SV sign-in.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAuthentication2-step verification.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
- Click Allow users to turn on 2-Step Verification.
- For Enforcement, choose an option:
- On—Starts immediately.
- Turn on enforcement from date—Select the start date. Users see reminders to enroll in 2SV when they sign in.
Note: When using the On from date option, enforcement will start within 24-48 hours of the chosen date. If you want a precise enforcement start time, use the On option.
- (Optional) To give new employees time to enroll before enforcement applies to their accounts, for New user enrollment period, select a timeframe from 1 day to 6 months.
During this period, users can sign in with just their passwords. - (Optional) To let users avoid repeated 2SV checks on trusted devices, under Frequency, check the Allow user to trust the device box.
The first time a user signs in from a new device, they can check a box to trust their device. Then the user isn't prompted for 2SV on the device unless the user clears their cookies or revokes the device or you reset the user's sign-in cookie.
Avoiding 2SV on trusted devices isn't recommended unless your users frequently move between devices. - For Methods, select the enforcement method:
- Any—Users can set up any 2SV method.
- Any except verification codes via text, phone call—Users can set up any 2SV method except using their phones to receive 2SV verification codes.
Important: Users who use texts and phone calls to verify will be locked out of their accounts. To avoid locking out these users from their accounts:- Before enforcement, tell users to start using another 2SV method since 2SV codes won't be available on their phones after the enforcement date.
- You can use the login_verification Login Audit activity event to track users who use codes from a text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticates with a text or voice verification code.
- Only security key—Users must set up a security key.
Before selecting this enforcement method, find users who already set up security keys (report data could be delayed up to 48 hours). To view real-time 2SV status for each user, go to Manage a user’s security settings.
- If you select Only security key, set the 2-Step Verification policy suspension grace period.
This period lets users sign in with a backup verification code that you generate for the user, which is useful when a user loses their security key. Select the length of this grace period, which starts when you generate the verification code. For information on backup codes, go to Get backup verification codes for a user. - For Security codes, choose whether users can sign in with a security code.
- Don't allow users to generate security codes—Users can’t generate security codes.
- Allow security codes without remote access—Users can generate security codes and use them on the same device or local network (NAT or LAN).
- Allow security codes with remote access—Users can generate security codes and use them on other devices or networks, such as when accessing a remote server or a virtual machine.
Security codes are different from one-time codes that apps like Google Authenticator generate. To generate a security code, a user taps the security key on their device to generate a security code. The security codes are valid for 5 minutes.
- Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.
If users don't comply by the enforcement date
You can give users extra time to enroll by adding them to a group where 2SV isn’t enforced. While this workaround allows users to sign in, it’s not recommended as a standard practice. Learn how to avoid account lockouts when 2-Step Verification is enforced.