These articles are for Google Workspace administrators. Google Workspace users should go to Turn on 2-Step Verification.
You can use 2-Step Verification (2SV) to put an extra barrier between your business and cybercriminals who try to steal usernames and passwords to access business data.
Important: 2SV enforcement for admin accounts
To better protect your organization’s information, Google will soon require all administrator accounts to have 2SV enabled. Enforcement is now being implemented for some organizations with an Enterprise edition. In 2024, enforcement will gradually extend to all organizations with an Enterprise edition. You should enable 2SV for the admin accounts in your organization before Google enforces it. Be aware that:
- Enforcement is rolling out over the next year. Super administrators will get a notification 60 days before enforcement.
- Admins will be notified 30 days before the enforcement starts via email and mobile phone. During these 30 days, the Google-set 2SV enforcement policy will override any 2SV policies set by an organization.
- During the notification period, when an admin signs in to their account, they’re reminded to enable 2SV by the mandatory date. If they fail to do so after 7 days, they will continue to see a reminder in the Admin console until they enable it.
- Admins with Google Workspace editions where the 2SV enforcement policy is in place are unable to avoid it. If an admin is unable to enable 2SV, removing the user's admin rights is the only way to avoid being subject to enforcement rules.
- Service Accounts are not required to have 2SV enabled, but the Admin account they are impersonating must be enrolled in 2SV.
- You can review an admin's enforcement status in the Google Admin console. For the steps, go to Track users’ enrollment and add the 2-Step verification enforcement column.
- New admins will have 30 days to enroll in 2SV before enforcement begins.
- If an admin can't sign in after 2SV enforcement, follow the steps to recover an administrator account.
What is 2SV?
With 2SV, your users sign in to their account in two steps with something they know (their password) and something they have (their phone or a Security Key). Learn how it works.
Secure your Google Workspace user accounts
Do small businesses need 2SV?
Cybercriminals target businesses of all sizes. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more.
A hacker could steal or guess a password, but they can’t reproduce something only you have.
2SV methods
When you set up 2SV, you choose the second verification step for your users.
- A hardware security key or a Titan Security Key
- Your phone's built-in security key (available on phones running Android 7+ or iOS 10+)
When a user signs in to their Google Account, their device detects that the account has a security key. For the second verification step, the user signs in with their security key. Users connect their security key to their device by USB, Bluetooth, or NFC (Near Field Communication), depending on the type of key. Learn more about security keys.
Note: 2SV using local phone numbers is not currently supported for some domains in Nigeria and Ivory Coast, due to large volumes of account abuse in those countries. For information on whether your domain is eligible, please contact Support.
Best practices for 2SV
- The administrator account is the most powerful account because it can delete users, reset passwords, and access all your data.
- Users who work with sensitive data such as financial records and employee information should also use 2SV.
- 2SV is the first line of defense that can cut account takeover by as much as 50%.
- Security keys—The strongest 2SV method, and they don’t require users to enter codes. You can buy compatible security keys from a retailer you trust, or Titan Security Keys from the Google Store. Or your users can use their phone's built-in security key (available on phones running Android 7+ or iOS 10+).
- Alternatives to security keys—If you decide not to use security keys, Google prompt or the Google Authenticator app are good alternatives. Google prompt provides a better user experience because users simply tap their device when prompted instead of entering a verification code.
- Text messages are discouraged—They rely on external carrier networks and might be intercepted.