Supported editions for this feature: Frontline Standard; Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
This feature is available with Cloud Identity Premium edition. Compare editions
Security settings are related to the security and protection of user accounts:
- Two-step verification and security key enforcement for users
- Two-step verification and security key enforcement for admins
Two-step verification and security key enforcement for users
Two-step verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes which only the user can obtain via their own mobile phone, or via an encrypted signature contained on a security key (recommended).
For more details, see the table below.
About enablement, enrollment, and enforcement
If two-step verification is enabled for a domain, users within that domain are given the option to set up two-step verification. If an individual user decides to set up two-step verification, then they are enrolled in two-step verification.
If two-step verification is enforced for an organizational unit, users within that organizational unit are required to set up two-step verification.
Enforce the use of security keys
When you set up two-step verification, we recommend that you enforce the use of security keys for all organizational units. This reduces the risk of account breach, making it more difficult for an attacker to steal user credentials and gain access to confidential information and private data.
For instructions on setting up security key enforcement, see the instructions below.
Settings |
|
Status |
|
Recommendation |
Enforce two-step verification for all organizational units, and under Select allowed 2-step verification methods, choose Only security key. This reduces the risk of account breach, making it more difficult for an attacker to steal user credentials and gain access to confidential information and private data. |
How to enforce two-step verification and security keys for all user accounts |
To enable and enforce two-step verification, and enforce the use of security keys: You must be signed in as a super administrator for this task.
For more details and instructions, see Add 2-step verification and Enforcement. |
Effect on your users |
Users are prompted to authenticate with a second factor upon signing in to their Google service (for example, Google Workspace or Cloud Identity). The second factor is most commonly a phone call to a registered cell phone number where they type in an authorization code. |
Two-step verification and security key enforcement for admins
Two-step verification helps protect admins from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or stolen, an attacker can't sign in without access to the admin's additional verification. This verification can be in the form of codes which only the admin can obtain via their own mobile phone, or via an encrypted signature contained on a security key (recommended).
For more details, see the table below.
About enablement, enrollment, and enforcement
If two-step verification is enabled for a domain, admins within that domain are given the option to set up two-step verification. If an individual admin decides to set up two-step verification, then they are enrolled in two-step verification.
If two-step verification is enforced for an organizational unit, admins within that organizational unit are required to set up two-step verification.
Enforce the use of security keys
When you set up two-step verification, we recommend that you enforce the use of security keys for all organizational units. This reduces the risk of account breach, making it more difficult for an attacker to steal user credentials and gain access to confidential information and private data.
For instructions on setting up security key enforcement, see the instructions below.
Settings |
|
Status |
|
Recommendation |
Enforce two-step verification for all admin accounts, and under Select allowed 2-step verification methods, choose Only security key. This reduces the risk of account breach, elevation of privilege, and password cracking risks. |
How to enforce two-step verification and security keys for all admin accounts |
To enable and enforce two-step verification, and enforce the use of security keys: You must be signed in as a super administrator for this task.
For more details and instructions, see Add 2-step verification and Enforcement. |
Effect on your users |
Admins are prompted to authenticate with a second factor upon signing in to their Google service (for example, Google Workspace or Cloud Identity). The second factor is most commonly a phone call to a registered cell phone number where they type in an authorization code. |