Manage a user's security settings (2024)

1. Click Password Reset Password.
2. Choose to automatically generate the passwordor enter a password.

   By default, password minimum length is 8 characters. You can change password requirements for your organization.

3. (Optional) To view the password, click Preview .
4. (Optional) To require the user to change the password, ensure thatAsk for a password change at the next sign-inis On.
5. Click Reset.
6. (Optional) To paste the password somewhere, such as in a Google Chat conversation with the user,click Click to copy password.
7. Choose to email the password to the user, or click Done.

A security key is a small device that lets you signin to a Google Account using 2-Step Verification (2SV). Of all the 2SV methods supported by Google, a security key is the most secure. Itplugs into your computer's USB port or connects to your mobile device using NFC or Bluetooth.Learn more

If a security keyis in use for this user, click the Security keys section to learn when the key was added and last used.

Add a key

You can add a security key for a user, or they can add their own keys.

• To let users add their own key:
  1. Make sure that the skip password setting is off for users. For the steps, go to Turn skip passwords on or off for users.
  2. Tell users to follow the instructions in Use a security key for 2-Step Verification.
• To add a key for the user:
  1. Click in Security keysAdd Security Key.
  2. Follow the on-screen instructions.

     Note: If you have a security key plugged in to your computer, remove your key before registering a new key for a user.

  3. Click Done.

Remove a key

Remove a security key only when the key is lost. If a key is temporarily unavailable, you can generate backup security codes as a temporary workaround. GotoGet backup verification codes for a user.

1. Click in Security keys to display the key information table.
2. Scroll the table all the way to the right.
3. Hover over the table line for the key you want to remove and clickDelete at right.
4. Click DeleteRemove.
5. Click Done.

   Admin log events adds an entry each time you revoke a security key.

Note: You can require users to use security keys with 2-Step Verification.

As an admin, you can check a user’s Advanced Protection enrollment status and if necessary, you can unenroll them at the user level.

• The On status means that the user is currently enrolled in Advanced Protection.
• The Off status means that the user is not enrolled in Advanced Protection.

If you turn off Advanced Protection enrollment here, only the user can re-enroll again provided that the Enable user enrollment setting is enabled at SecurityAuthenticationAdvanced Protection Program. For details, go to Enable users to enroll.

Only the user can turn on2-Step Verification(2SV).As admin, you can check a user’s current 2-Step Verification setting and if necessary get a backup code for a locked-out user.

The 2-Step Verification section shows whether 2SV is turned on for the user, and whether 2SV is currently enforced across your organization.

• You have the option of turning off 2SV for a locked-out user, but this isn’t recommended. Instead, get a backup code for the user to allow them to sign in to their account.

  Note:You can't turn off 2SV for a user if their account is suspended.

• If 2SV is enforced across your organization, the option to turn off 2SV for an individual user is disabled.

Users who temporarily can’t access their second authentication method may get locked out. For example, a user may have left their security key at homeor can’t receive an access code by phone. For these users, you can generate backup verification codes to allow them to sign in.

1. To view the user's backup verification codes, click2-Step VerificationGet backup verification codes.
   Note: Creating new verification codes invalidates any existing code. For example, if you created a user's verification code using the Admin Console and then generate a new verification code using the verification codes, the previous set of codes is invalidated and vice versa.
2. Copy one of the existing backup codes or generate new codes. Note: Select Generate new codes If you think the existing backup codes were stolen or have been used up. The old set of backup codes automatically become inactive.
3. Tell your user to follow the instructions inSign in using backup codes.

If the user is required to use 2-Step Verification with a security key:

• The user can't generate their own backup verification codes. An administratorneeds to generate these codes and provide them to the user when needed.
• Once you generate codes for the user, the user's grace period for using these codes begins. You'll be informed of the grace period that's left before they need to use their security key to sign in.

For details on setting up 2-Step Verification requirements for users, go to Deploy 2-Step Verification.

If you suspect that theuser's password has been stolen, you can force the user to reset their password when they next sign in.

1. Click Require password changeTurn on.
2. Click Done.

After the user resets their password, this setting is automatically set to Off.

Note: If your organization uses SSO through a third-party IdP, the force a password change setting isn't availableunless you use a network mask to allow some users to sign in directly to Workplace. To check whether a network mask is set up, go to SecuritySSO with third-party IDPsSSO profile for your organization.

If Google suspects an unauthorized attempt to sign in to a user's account, a login challenge appears before access to the account is granted. The user must either:

• Enter a verification code that Google sends to their recovery phone number or recovery email address (an email address outside your organization).
• Answer a challenge that only the account owner can solve.

To add or edit a user’s recovery information:

1. Click Recovery information.
2. Add or edit either of the following:
   • Email address (outside of your organization)
   • Recovery phone number

     Note: The recovery phonenumber should be unique for each user. If the same recovery phone number is used by multiple users, that number is automatically blocked for security reasons.

3. Click Save.

If Google suspects an unauthorized attempt to sign in to a user's account, a login challengeappears before access to the account is granted. The user must enter a verification code that Google sendsto their phone. Or,the user can choose to answeranother challenge that only the account owner can solve.

Also, if a Google Workspace user attempts a sensitive action, that user is sometimes presented with a verify-it's-you challenge. If the user can't enter the requested information, Google will disallow the sensitive action.

If the authorized user can't verify their identity, you can turn off the login or verify-it's-you challenge for 10 minutes to allow the user to sign in.

If a user loses theircomputer or mobile device, you can help prevent unauthorized access to their Google Account by resettingtheir sign-in cookies. This signs the user out of their Google Account (including any Google Workspace applications) across all devices and browsers.

Note: If you suspended a user, you don't need to do this. Suspending a user resets their sign-in cookies.

If youset up single sign-on (SSO) using a third-party identity provider (IdP), the user's SSO session may still allow access to their Google Account after resetting their sign-in cookies. In this case, terminate theirSSO session before resetting their Google sign-in cookies. For help with SSO management, contact your IdP support team.

To reset theuser's cookies:

1. Click Sign-in cookiesReset.
2. Click Done.

It can take up to an hour to sign the user out of current Gmail sessions. The time for other applications can vary.

If your users use 2-Step Verification and need to sign in to apps or devices that don’t accept verification codes, they need application-specific passwords to access those apps. Learnmore about signing in withapp passwords.

Any apps for which the user has created app passwords are listed in the Application-specific password section. Note: If no app passwords are in use, this section is inactive.

Click an app name for more information on when the password for that app was created and when it was last used.

You should revoke an app password if a user loses a device or stops using an app that was authorized with that password.

1. Click in the Application-specific password section to view apps using app passwords.
2. Mouse over an app name and click Revokeat right.
3. Click Revoke.
4. Click Done.

Your users can also revoke their own app passwords.

The Connected applications section lists all the third-party applications (for example, Google Workspace Marketplace apps) that have access to this user’s Google Account data. Learn how authorized access works.

Note: If no third-party applications have been installed, this section is inactive.

Click an application name for more information:

• The Access level column shows the user data that the application can access. A user can grant full or partial access to Google data.
• The Authorization date column shows when the application was granted data access.

To temporarily remove an app’s access to data:

1. Mouse over an app name and click Removeat right.
2. Click Remove.
3. Click Done.

Note: Removing data access for an app doesn't prevent a user from using the app in the future (if the user has the necessary permissions). Once a user signs into the app again, data access is restored. To permanently restrict user access to applications, you can block access to specific application scopesand set up an allowlist of approved apps for your organization.