Monitor the health of your security settings

Security health page

 

Supported editions for this feature: Frontline Standard; Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

Security settings are related to the security and protection of user accounts:

Two-step verification and security key enforcement for users

Two-step verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes which only the user can obtain via their own mobile phone, or via an encrypted signature contained on a security key (recommended). 

For more details, see the table below.

About enablement, enrollment, and enforcement

If two-step verification is enabled for a domain, users within that domain are given the option to set up two-step verification. If an individual user decides to set up two-step verification, then they are enrolled in two-step verification.

If two-step verification is enforced for an organizational unit, users within that organizational unit are required to set up two-step verification.

Enforce the use of security keys

When you set up two-step verification, we recommend that you enforce the use of security keys for all organizational units. This reduces the risk of account breach, making it more difficult for an attacker to steal user credentials and gain access to confidential information and private data. 

For instructions on setting up security key enforcement, see the instructions below.

Settings
  • Two-step verification for users
  • Security key enforcement for users
Status
  • For Two-step verification for users, the status specifies the number of organizational units where two-step verification for users is not enforced.
  • For Security key enforcement for users, the status specifies the number of organizational units where security keys are not enforced for users.

Recommendation

Enforce two-step verification for all organizational units, and under Select allowed 2-step verification methods, choose Only security key. This reduces the risk of account breach, making it more difficult for an attacker to steal user credentials and gain access to confidential information and private data.

How to enforce two-step verification and security keys for all user accounts

To enable and enforce two-step verification, and enforce the use of security keys:

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAuthenticationand then2-step verification.

  3. Check the Allow users to turn on 2-step verification box.  
  4. Click Save. This enables 2-step verification for all users in the domain.
  5. In the 2-step verification section, click Go to advanced settings to enforce 2-step verification
  6. From the left-navigation menu, choose the domain or the relevant organizational unit.
  7. Under Enforcement, click Turn on enforcement now.
  8. Under Select allowed 2-step verification methods, choose Only security key. 
  9. Click SAVE.

 For more details and instructions, see Add 2-step verification and Enforcement.

Effect on your users

Users are prompted to authenticate with a second factor upon signing in to their Google service (for example, Google Workspace or Cloud Identity). The second factor is most commonly a phone call to a registered cell phone number where they type in an authorization code.

Two-step verification and security key enforcement for admins 

Two-step verification helps protect admins from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or stolen, an attacker can't sign in without access to the admin's additional verification. This verification can be in the form of codes which only the admin can obtain via their own mobile phone, or via an encrypted signature contained on a security key (recommended). 

For more details, see the table below.

About enablement, enrollment, and enforcement

If two-step verification is enabled for a domain, admins within that domain are given the option to set up two-step verification. If an individual admin decides to set up two-step verification, then they are enrolled in two-step verification.

If two-step verification is enforced for an organizational unit, admins within that organizational unit are required to set up two-step verification.

Enforce the use of security keys

When you set up two-step verification, we recommend that you enforce the use of security keys for all organizational units. This reduces the risk of account breach, making it more difficult for an attacker to steal user credentials and gain access to confidential information and private data. 

For instructions on setting up security key enforcement, see the instructions below. 

Settings
  • Two-step verification for admins
  • Security key enforcement for admins
Status
  • For Two-step verification for admins, the status specifies the number of organizational units where two-step verification for admins is not enforced.
  • For Security key enforcement for admins, the status specifies the number of organizational units where security keys are not enforced for admins.

Recommendation

Enforce two-step verification for all admin accounts, and under Select allowed 2-step verification methods, choose Only security key. This reduces the risk of account breach, elevation of privilege, and password cracking risks.

How to enforce two-step verification and security keys for all admin accounts

To enable and enforce two-step verification, and enforce the use of security keys:

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAuthenticationand then2-step verification.

  3. Check the Allow users to turn on 2-step verification box.  
  4. Click Save. This enables 2-step verification for all users in the domain.
  5. In the 2-step verification section, click Go to advanced settings to enforce 2-step verification
  6. From the left-navigation menu, choose the domain or the relevant organizational unit.
  7. Under Enforcement, click Turn on enforcement now.
  8. Under Select allowed 2-step verification methods, choose Only security key. 
  9. Click SAVE.

 For more details and instructions, see Add 2-step verification and Enforcement.

Effect on your users

Admins are prompted to authenticate with a second factor upon signing in to their Google service (for example, Google Workspace or Cloud Identity). The second factor is most commonly a phone call to a registered cell phone number where they type in an authorization code.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
5119376686632694113
true
Search Help Center
true
true
true
true
true
73010
false
false