SECURITY GUIDE

How to Enable and Configure 2-Step Verification in Google Workspace

Complete step-by-step guide to implementing 2-Step Verification across your Google Workspace organization. Enhance security, protect against unauthorized access, and ensure compliance with security best practices.

Perfect for: IT administrators, security-conscious organizations, companies requiring enhanced authentication, and businesses meeting compliance requirements for multi-factor authentication.

Prerequisites Before You Start

Ensure you have the necessary access and understand the requirements before implementing 2-Step Verification.

Super Admin Access

Super admin privileges in Google Workspace Admin Console

Mobile Devices

Users need smartphones or hardware tokens for verification

User Communication

Plan to notify and train users before enforcement

Backup Methods

Consider backup codes and alternative verification methods

Important Considerations

  • 2-Step Verification can be enforced organization-wide or by organizational unit
  • Users may be temporarily locked out if they lose access to verification methods
  • Some third-party applications may require app passwords after 2SV is enabled
  • Consider a gradual rollout starting with admin accounts and IT staff
  • Backup verification methods are crucial for account recovery

Step-by-Step Guide to Enabling 2-Step Verification

Follow these detailed steps to enable and configure 2-Step Verification in Google Workspace.

1. Access Google Admin Console

Sign in to your Google Admin Console with super admin privileges

Detailed Steps:

  • Go to admin.google.com
  • Sign in with your super admin account
  • Ensure you have full administrative privileges

2. Navigate to Security Settings

Find the Security section in your admin console

Detailed Steps:

  • Click on 'Security' in the left sidebar
  • Select 'Authentication' from the security menu
  • Click on '2-Step Verification' option

3. Configure Organization Settings

Choose which organizational units will have 2-Step Verification enabled

Detailed Steps:

  • Select the organizational unit (start with a test group)
  • Choose 'Allow users to turn on 2-Step Verification' initially
  • Consider enforcement timeline and user preparation needs

4. Set Enforcement Options

Configure how and when 2-Step Verification will be required

Detailed Steps:

  • Choose between 'Allow', 'Enforce', or 'Not allowed'
  • Set grace period for user enrollment (recommended: 1-4 weeks)
  • Configure frequency of verification prompts

5. Configure Verification Methods

Enable and prioritize different verification methods

Detailed Steps:

  • Enable Google Authenticator app (recommended)
  • Allow SMS and voice calls for backup
  • Consider hardware security keys for high-security users
  • Enable backup codes generation

6. User Communication & Training

Notify users and provide training before enforcing 2-Step Verification

Detailed Steps:

  • Send advance notice to all affected users
  • Provide setup instructions and training materials
  • Create helpdesk procedures for 2SV issues
  • Test with pilot group before organization-wide rollout
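
Before moving an organizational unit from 'Allow' to 'Enforce', it helps to know who has not enrolled yet. The following is an added example, not part of the original guide: it reads user records shaped like the Admin SDK Directory API user resource (fields primaryEmail, orgUnitPath, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended) and reports readiness per organizational unit. The sample records, addresses and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like Admin SDK Directory API user records
# (users.list); every address and org unit here is made up.
SAMPLE_USERS = json.loads("""[
 {"primaryEmail": "root@example.com", "orgUnitPath": "/IT", "isAdmin": true,
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "suspended": false},
 {"primaryEmail": "ops@example.com", "orgUnitPath": "/IT", "isAdmin": true,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true, "suspended": false},
 {"primaryEmail": "carol@example.com", "orgUnitPath": "/Pilot", "isAdmin": false,
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false, "suspended": false},
 {"primaryEmail": "bob@example.com", "orgUnitPath": "/Sales", "isAdmin": false,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": false},
 {"primaryEmail": "old@example.com", "orgUnitPath": "/Sales", "isAdmin": false,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": true}
]""")

def readiness_report(users):
    """Per-OU enrollment counts plus the accounts that need attention first."""
    per_ou = defaultdict(lambda: {"total": 0, "enrolled": 0, "missing": []})
    admins_missing, lockout_risk = [], []
    for u in users:
        if u.get("suspended"):          # suspended accounts cannot sign in anyway
            continue
        ou = per_ou[u.get("orgUnitPath", "/")]
        ou["total"] += 1
        if u.get("isEnrolledIn2Sv"):
            ou["enrolled"] += 1
            continue
        ou["missing"].append(u["primaryEmail"])
        if u.get("isAdmin"):
            admins_missing.append(u["primaryEmail"])
        if u.get("isEnforcedIn2Sv"):    # enforced but not enrolled: lockout candidate
            lockout_risk.append(u["primaryEmail"])
    return dict(per_ou), admins_missing, lockout_risk

def safe_to_enforce(per_ou, ou_path):
    """Ready only when the OU has active users and all of them are enrolled."""
    ou = per_ou.get(ou_path)
    return bool(ou) and ou["enrolled"] == ou["total"]

if __name__ == "__main__":
    per_ou, admins_missing, lockout_risk = readiness_report(SAMPLE_USERS)
    for path, ou in sorted(per_ou.items()):
        print(f"{path}: {ou['enrolled']}/{ou['total']} enrolled, missing {ou['missing']}")
    print("admins without 2SV:", admins_missing)
    print("enforced but not enrolled:", lockout_risk)
```

Accounts listed as enforced but not enrolled are the ones to contact before the grace period ends.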

2-Step Verification Methods Configuration

Configure these verification methods based on your organization's security requirements and user capabilities.

  • Google Authenticator: Time-based one-time passwords (TOTP). Most secure and reliable option, works offline.
  • SMS Text Messages: Verification codes sent via SMS. Convenient but less secure, good for backup method.
  • Voice Calls: Verification codes delivered via phone call. Alternative for users without SMS capability.
  • Backup Codes: Pre-generated single-use codes. Essential for account recovery situations.
  • Hardware Security Keys: Physical FIDO U2F/WebAuthn devices. Highest security for admin and sensitive accounts.

Important:
  • Google Authenticator is the most secure and reliable primary method
  • Always enable backup codes for account recovery scenarios
  • Hardware keys provide the highest level of security but require physical devices
  • SMS should be used as backup only due to security vulnerabilities

Common Issues & Solutions

Troubleshoot common problems when rolling out 2-Step Verification in Google Workspace.

Users Can't Access Authenticator App

Solution:

Provide backup codes, enable SMS backup, or temporarily disable 2SV for account recovery

Prevention:

Ensure users save backup codes and have multiple verification methods set up

Time Sync Issues with Authenticator

Solution:

Check device time settings and sync with network time servers

Prevention:

Educate users about keeping device time accurate and synced

App Passwords Required for Third-Party Apps

Solution:

Generate app-specific passwords for applications that don't support 2SV

Prevention:

Identify and prepare app passwords before enforcing 2SV

User Resistance and Adoption Issues

Solution:

Provide comprehensive training, clear benefits explanation, and support

Prevention:

Gradual rollout with proper communication and training program

Account Lockouts During Rollout

Solution:

Have admin override procedures and temporary bypass options ready

Prevention:

Implement grace periods and ensure multiple verification methods


Frequently Asked Questions

Common questions about 2-Step Verification in Google Workspace.

What's the difference between 2-Step Verification and 2-Factor Authentication?

These terms are often used interchangeably. Google's 2-Step Verification is a form of 2-Factor Authentication (2FA) that adds an extra layer of security by requiring something you know (password) and something you have (phone or security key).

Can users bypass 2-Step Verification for trusted devices?

Yes, users can mark devices as trusted to reduce verification frequency. However, this setting can be controlled by administrators, and high-security environments may want to disable this feature.

What happens if a user loses their phone with the authenticator app?

Users should use backup codes for immediate access, then set up 2SV on a new device. If they don't have backup codes, administrators can temporarily disable 2SV for account recovery, but this should be done carefully with proper verification.

How often do users need to enter verification codes?

This depends on your settings. Users typically need to verify when signing in from new devices or locations. Trusted devices may require verification less frequently, and you can configure the frequency in admin settings.

Can 2-Step Verification be enforced for some users but not others?

Yes, you can configure 2SV settings by organizational unit. This allows you to enforce it for specific departments, roles, or user groups while keeping it optional for others.

What's the best verification method for organizations?

Google Authenticator app is generally the best primary method as it's secure and works offline. Hardware security keys provide the highest security for admin accounts. Always enable backup codes and consider SMS as a backup method.

How do I handle 2-Step Verification for shared accounts or service accounts?

Shared accounts should generally be avoided for security reasons. For necessary service accounts, use app passwords or service account keys instead of interactive 2SV. Consider using dedicated service accounts with appropriate access controls.

Can external users in my organization use 2-Step Verification?

External users can use 2SV if they have Google accounts, but their 2SV settings are managed by their own domain. For external collaborators, consider using Google Cloud Identity or requiring them to enable 2SV on their personal Google accounts.