# 2-Step Verification in Google Workspace
2-Step Verification (2SV) adds a second layer of security beyond passwords. Even if a password is stolen, attackers cannot access accounts without the second factor.
### Enabling 2SV for Your Organisation (Admin)
1. Go to **admin.google.com**
2. Security → Authentication → 2-step verification
3. Select **Allow users to turn on 2-step verification**
4. To enforce it: select **Enforcement → On** (choose date)
5. You can enforce for specific Organisational Units (OUs)
### Enforcement Options
- **Off:** Users can optionally enable 2SV
- **On:** Users must set up 2SV at next sign-in
- **New user enrolment period:** Grace period before enforcement (1 day to 6 weeks)
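
Before switching Enforcement to On for an OU, it helps to know who in that OU has not yet enrolled. The following is an added example, not part of the original page: it audits user records shaped like Admin SDK Directory API `users.list` output, using that API's `isEnrolledIn2Sv`, `orgUnitPath`, `isAdmin`, `suspended` and `creationTime` fields. The sample records, the 7-day enrolment period and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the "users" array of a Directory API users.list reply.
USERS = [
    {"primaryEmail": "ana@example.com", "orgUnitPath": "/Finance", "isAdmin": False,
     "isEnrolledIn2Sv": True, "suspended": False, "creationTime": "2023-01-10T09:00:00.000Z"},
    {"primaryEmail": "ben@example.com", "orgUnitPath": "/Finance", "isAdmin": False,
     "isEnrolledIn2Sv": False, "suspended": False, "creationTime": "2023-03-02T09:00:00.000Z"},
    {"primaryEmail": "cho@example.com", "orgUnitPath": "/IT", "isAdmin": True,
     "isEnrolledIn2Sv": False, "suspended": False, "creationTime": "2022-11-20T09:00:00.000Z"},
    {"primaryEmail": "dev@example.com", "orgUnitPath": "/IT", "isAdmin": False,
     "isEnrolledIn2Sv": False, "suspended": False, "creationTime": "2024-05-29T08:00:00.000Z"},
    {"primaryEmail": "eve@example.com", "orgUnitPath": "/IT", "isAdmin": False,
     "isEnrolledIn2Sv": False, "suspended": True, "creationTime": "2021-02-01T09:00:00.000Z"},
]

def parse_time(value):
    """Parse the Directory API timestamp format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_2sv(users, now, grace=timedelta(days=7)):
    """Per OU: active user count, unenrolled users, and unenrolled users still
    inside the new user enrolment period (`grace` is an assumed value)."""
    report = defaultdict(lambda: {"total": 0, "pending": [], "in_grace": []})
    for user in users:
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in, so leave them out
        ou = report[user.get("orgUnitPath", "/")]
        ou["total"] += 1
        if user.get("isEnrolledIn2Sv"):
            continue
        is_new = now - parse_time(user["creationTime"]) < grace
        ou["in_grace" if is_new else "pending"].append(user["primaryEmail"])
    return dict(report)

def unenrolled_admins(users):
    """Admin accounts without 2SV: the first ones to chase before enforcement."""
    return sorted(u["primaryEmail"] for u in users
                  if u.get("isAdmin") and not u.get("isEnrolledIn2Sv")
                  and not u.get("suspended"))

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for path, row in sorted(audit_2sv(USERS, now).items()):
        print(f"{path}: {len(row['pending'])}/{row['total']} not enrolled, "
              f"{len(row['in_grace'])} in enrolment period")
    print("Admins without 2SV:", unenrolled_admins(USERS))
```
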
### Verification Methods (User Choice)
| Method | Security Level |
|--------|---------------|
| Google prompt (phone notification) | High |
| Authenticator app (TOTP) | High |
| Hardware security key (Titan key) | Highest |
| SMS / Voice call | Medium |
| Backup codes | For emergency access |
### Users Setting Up 2SV
1. myaccount.google.com → Security → 2-Step Verification → Get started
2. Choose method: Google prompt, Authenticator app, or Security key
3. Verify and save
### Recommended: Google Authenticator App
1. Install Google Authenticator from Play Store / App Store
2. In Google Account → 2SV → Authenticator app → Set up
3. Scan QR code → enter code to verify
### If a User Loses Their Phone
- **Admin:** admin.google.com → Users → select user → Security → Turn off 2-step verification. The user re-enrols on next sign-in.
- **User:** Alternatively, the user can use backup codes (generated when 2SV was set up).
### Security Keys (Best for High-Security Roles)
Hardware keys (e.g. Google Titan, YubiKey) cannot be phished.

An admin can require security keys for specific users: Security → Authentication → 2-step verification → **Allow security key only**