How to enable and enforcing 2FA for G Suite

I’m a big fan of G Suite, using G Suite simplifies my need for using several services for my day to day business. I do not need to have an IT infrastructure, I just subscribe to one.

Today’s topic that I like to share, is how to enable 2-factor authentication (2FA) for G Suite. G Suite provides the option of turning on two-step verification for your user accounts.

2FA provides an extra layer of security to your user’s data by having them authenticate with a verification code in addition to their username and password when signing in to their account. I will provide you with the instructions to enabling two-step verification as well as enforcing its use for your G Suite service.

Enabling Two-Step Verification

These steps will guide you through enabling the option of using two-step verification for your G Suite account users. This allows your users to choose to use the feature if they wish. It does not make two-step verification mandatory for your users.

If you wish to make it mandatory for your users to use two-step authentication, please continue on to the enforcing two-step verification instructions once the two-step verification option is enabled.

  1. Log into your G Suite Admin Console (at admin.google.com)
  2. Click Security (if you do not see Security, click More Controls)
  1. Click Basic Settings
Admin_console-security-basic-settings.png

Scroll down to the Two-Step Verification setting and tick the checkbox to Allow users to turn on 2-step verification. This will enable the ability for the account user to utilize two-step authentication if they choose.

Click on the Save changes button that appears.

This makes 2-Step Verification available for your users but does not automatically enroll them. To enroll, users need to configure their verification settings individually. See Turn on 2-Step Verification.

Once all users have enrolled in 2-Step Verification, you may enforce its use following the instructions in Manage your users’ security settings.

Enforcing Two-Step Verification

These steps will guide you through enforcing two-step verification for your G Suite account users. This will make it mandatory for your users to use two-step verification when signing in.

  1. Once you’ve completed the steps above, you will now see a link at the bottom of the two-step verification settings that says Go to advanced settings to enforce 2-step verification. Click the link to continue.
Admin_console-basic-advance.png
  1. You will now find yourself in the advanced security settings panel. Here, you can select Turn on enforcement now or Turn on enforcement from date.
Admin_console-advanced_security.png
  1. When you select an option, you will receive a notification window that reminds you that enabling this setting will force all users to use two-step verification. Click on OK to continue.
Admin_console-security-advanced.png
  1. Finally, click the Save changes button at the bottom right corner of your browser window to finalize the selection of two-step verification.
Admin_console-save-security.png

Google Resources

Conclusion

If you use G Suite, I highly recommend that you enable this option to make your accounts more secure.

Like to hear your view about 2FA, feel free to comment below.


Posted

in

by

Comments

8 responses to “How to enable and enforcing 2FA for G Suite”

  1. Robert Hook Avatar
    Robert Hook

    Excellent write up, I’ve shared the link with colleagues to help spread awareness. Cheers.

  2. Susan E Bercaw Avatar
    Susan E Bercaw

    How do you deal with an employee leaving who has 2FA on his personal phone?
    How can I, as a superAdmin, take back this email address for archiving and deletion?

    1. newsman Avatar
      newsman

      The way we handle this is by deleting the account when someone leaves, as a SuperAdmin you can do that. There is an alternative you can suspend the user – for suspended users, the User License fees still apply.
      The user’s data will be kept, but the users won’t receive emails, calendar invitations, or files as long as they’re suspended.
      Suspended users can be restored as long as they’re not deleted.

      1. Susan Eileen Bercaw Avatar
        Susan Eileen Bercaw

        But we login as the user so we can do a Google Takeout. So how do I log into the user once they’re gone?

        1. newsman Avatar
          newsman

          If the user is gone you can not log in to that account except if the user gave the password to you. You need a policy on user management, including when someone leaves. You can transfer Google Docs, sheets by changing the ownership, you can wipe a mobile device if it was set up with Google mobile management by your organization. Here is a nice writeup that can help you –5 steps to securely transfer g-suite data when an employee leaves your company

          1. Susan Eileen Bercaw Avatar
            Susan Eileen Bercaw

            This is a terrible thing. So you cannot change the password using the admin portal and them move them to an OU that does not require 2FA?

          2. newsman Avatar
            newsman

            You can send a reset password to the users from the admin portal, but you can not change 2FA as this is personal to the user’s account.

  3. Susan Bercaw Avatar
    Susan Bercaw

    What do you do to turn off enforced 2FA when a user leaves the organization?
    Because you do not have the choice to turn it off for a user when it is enforced.

Leave a Reply to newsman Cancel reply

Your email address will not be published. Required fields are marked *