Deploy 2-Step Verification

You and your users play important roles in setting up 2-Step Verification (2SV). Your users can choose their 2SV method, or you can enforce a method for certain users or groups in your organization. For example, you can require a small team in Sales to use security keys.

Important: Google is enforcing 2SV for administrator accounts. For details, go to About 2SV enforcement for admins.

Step 1: Notify users of 2-Step Verification deployment

Before deploying 2SV, communicate your company's plans to your users, including the following:

Step 2: Allow users to turn on 2-Step Verification

User accounts created before December 2016 have 2SV on by default.

Let users turn on 2SV and use any verification method.

To allow users to turn on 2SV

Before you begin: If needed, learn how to apply the setting to a department or group.

You must be signed in as a super administrator for this task.
  1. In the Google Admin console, go to Menu > Security > Authentication > 2-step verification.

  2. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  3. Check the Allow users to turn on 2-Step Verification box.
  4. Select Enforcement > Off.
  5. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

Step 3: Tell your users to enroll in 2-Step Verification

  1. Tell your users to enroll in 2SV by following the instructions in Turn on 2-Step Verification.
  2. Provide instructions for enrolling in 2SV methods:

Step 4: Track users' enrollment

Use reports to measure and track your users' enrollment in 2SV. Check users' enrollment status, enforcement status, and number of security keys.

Track 2SV enrollment

  1. In the Google Admin console, go to Menu > Reporting > User Reports > Security.

    Requires having the Reports administrator privilege.

  2. (Optional) To add a new column of information, click Settings > Add new column. Select the column to add to the table and click Save.

For more information, go to Manage a user's security settings.

  1. From the Admin console Home page, go to Reports > Apps Reports > Accounts.

Identify organizational units and groups that aren't using 2-Step Verification

  1. In the Google Admin console, go to Menu > Security > Security center > Security health.

    Requires having the Security center administrator privilege, plus read access to users and organizational units.

  2. Search Security Health for Two-step verification for admins or Two-step verification for users to review 2SV information.

Step 5: Enforce 2-Step Verification (Optional)

Before you begin: Make sure users are enrolled in 2SV.

Important: When 2SV is enforced, users who have not completed the 2SV enrollment process, but have added 2-Factor Authentication (2FA) information to their account, such as a security key or phone number, will be able to sign in using this information. If you see a sign-in from an unenrolled user who belongs to an organizational unit where 2SV has been enforced, that is a 2SV sign-in.

Before you begin: If needed, learn how to apply the setting to a department or group.

You must be signed in as a super administrator for this task.
  1. In the Google Admin console, go to Menu > Security > Authentication > 2-step verification.

  2. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  3. Click Allow users to turn on 2-Step Verification.
  4. For Enforcement, choose an option:
  5. (Optional) To give new employees time to enroll before enforcement applies to their accounts, for New user enrollment period, select a time frame from 1 day to 6 months.

    During this period, users can sign in with just their passwords.

  6. (Optional) To let users avoid repeated 2SV checks on trusted devices, under Frequency, check the Allow user to trust the device box.

    The first time a user signs in from a new device, they can check a box to trust their device. After that, the user isn't prompted for 2SV on the device unless the user clears their cookies or revokes the device, or you reset the user's sign-in cookie.

    Avoiding 2SV on trusted devices isn't recommended unless your users frequently move between devices.

  7. For Methods, select the enforcement method:

    • Only security key—Users must set up a security key.

      Before selecting this enforcement method, find users who already set up security keys (report data could be delayed up to 48 hours). To view real-time 2SV status for each user, go to Manage a user's security settings.

      Important: Since the addition of passkeys, the Only security key option now supports both security keys and passkeys as a 2SV method. Passkeys and security keys both have the same level of phishing protection. For details, go to Sign in with a passkey instead of a password.

  8. If you select Only security key, set the 2-Step Verification policy suspension grace period.

    This period lets users sign in with a backup verification code that you generate for the user, which is useful when a user loses their security key. Select the length of this grace period, which starts when you generate the verification code. For information on backup codes, go to Get backup verification codes for a user.

    Important: If 2SV is enforced in Only security key mode, users cannot generate their own backup verification codes. An admin must provide these codes to the user.

  9. For Security codes, choose whether users can sign in with a security code.

  10. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).
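
A readiness check to run before saving the enforcement settings above, as an added example (not Google's code). It buckets the users of one organizational unit, including child units that inherit the setting, by whether they meet the chosen method. The records are constructed; field names follow the Admin SDK Directory API user resource, and `num_security_keys` is an assumed column merged in from the security report.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names follow the Admin SDK Directory API
# user resource; num_security_keys is an assumed column merged in from the
# security report (the page notes report data can lag by up to 48 hours).
USERS = [
    {"primaryEmail": "ana@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": True,
     "num_security_keys": 1, "creationTime": "2023-01-10T09:00:00Z"},
    {"primaryEmail": "ben@example.com", "orgUnitPath": "/Sales/EMEA", "isEnrolledIn2Sv": True,
     "num_security_keys": 0, "creationTime": "2022-05-02T09:00:00Z"},
    {"primaryEmail": "cho@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": False,
     "num_security_keys": 0, "creationTime": "2024-05-25T09:00:00Z"},
    {"primaryEmail": "dev@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": False,
     "num_security_keys": 0, "creationTime": "2021-03-01T09:00:00Z"},
    {"primaryEmail": "eve@example.com", "orgUnitPath": "/SalesOps", "isEnrolledIn2Sv": False,
     "num_security_keys": 0, "creationTime": "2020-07-15T09:00:00Z"},
    {"primaryEmail": "fay@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": False,
     "num_security_keys": 0, "creationTime": "2019-11-20T09:00:00Z", "suspended": True},
]

def in_scope(ou_path, target_ou):
    """True if ou_path is target_ou or a child OU that inherits its setting."""
    target = target_ou.rstrip("/")
    return ou_path == target or ou_path.startswith(target + "/")

def readiness(users, target_ou, now, security_key_only=False, new_user_days=0):
    """Bucket active users of target_ou before enforcement is switched on."""
    buckets = {"ready": [], "grace": [], "follow_up": []}
    for u in users:
        if u.get("suspended") or not in_scope(u["orgUnitPath"], target_ou):
            continue
        if security_key_only:   # "Only security key" method
            ok = u.get("num_security_keys", 0) > 0
        else:                   # any 2SV method
            ok = bool(u.get("isEnrolledIn2Sv"))
        created = datetime.fromisoformat(u["creationTime"].replace("Z", "+00:00"))
        if ok:
            buckets["ready"].append(u["primaryEmail"])
        elif now - created < timedelta(days=new_user_days):
            buckets["grace"].append(u["primaryEmail"])      # new user enrollment period
        else:
            buckets["follow_up"].append(u["primaryEmail"])  # contact before enforcing
    return buckets

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample data
    print(readiness(USERS, "/Sales", now, new_user_days=14))
```

The `follow_up` bucket is a contact list, not a lockout list: as noted at the start of Step 5, unenrolled users who already added a security key or phone number can still sign in.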

If users don't comply by the enforcement date

You can give users extra time to enroll by adding them to a group where 2SV isn't enforced. While this workaround allows users to sign in, it's not recommended as a standard practice. Learn how to avoid account lockouts when 2-Step Verification is enforced.
