Because some users have devices or security keys that were recently added to their account, they can't immediately verify their identity in response to a security challenge. For these users, a window is displayed with the title, Can't complete this action right now. These users can verify their identity after a device, phone number, or security key has been associated with their account for at least 7 days.
Here are a few examples of sensitive actions:
- Disabling 2-step verification
- Allowing an app to access Google data
- Changing the account recovery email address or phone number
- Downloading account data
- Changing the name on the account
Enable login challenges with SSO
If your organization uses third-party identity providers (IdPs) to authenticate single sign-on (SSO) users through SAML,you can present these SSO users with additional risk-based login challenges and apply 2-Step Verification (if configured), after the IdP authenticates a user during sign-in.
The default post-SSO verification setting depends on SSO user type:
- For users signing in using theSSO profile for your organization, thedefault setting is to bypass additional login challenges and 2SV.
- For users signing in using other SSO profiles, the default setting is to apply additional login challenges and 2SV.
To change the default settings for either user type, follow the steps in Set up post SSO verification below.
Use cases for additional login challenges with SSO
- You want to use security keys to protect access to sensitive Google-hosted resources for maximum assurance, and your current IdP doesn’t support security keys.
- You want to save the cost of using a third-party identity provider because in most cases users access Google resources.
- You don’t want Google authentication (Google as identity provider), but want to leverage all of Google’s risk-based login challenges.
- You want Google to protect sensitive actions inside the Google ecosystem.
What happens when you apply additional login challenges
For a smooth implementation, tell your users about the new policy and when you plan to apply it. Here’s what happens when you apply additional login challenges at sign-in:
- If you have existing 2SV policies, such as 2SV enforcement, those policies apply immediately.
- Users affected by the new policy and who are enrolled in 2SV get a 2SV login challenge at sign-in.
- Based on Google sign-in risk analysis, users might see risk-based login challenges at sign-in.
-
Sign in to your GoogleAdminconsole.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAuthenticationLogin challenges.
- On the left, select the organizational unit where you want to set the policy.
For all users, select the top-level organizational unit. Initially, organizational units inherit the settings of its parent.
- Click Post-SSO verification.
- Choosesettingsaccording to how you use SSO profiles in your organization. You can applya settingforusers who use the SSO profile for your organizationand for users who sign in using other SSO profiles.
- On the bottom right, click Save.
Google creates an entry in the Admin audit log to indicate any policy change.
Note: In rare cases, log event data might not be present for all events. We are working to resolve this issue.
FAQ
Extra security questions and login challenges |Phone verification|Disabling a login or security challenge|Administrators
Extra security questions and login challenges
When does a user see a security challenge?
A user is presented with the login challenge when a suspicious login is detected, such as the user not following the sign-in patterns that they've shown in the past.A user is presented with a verify-it's-you challenge if they have a risky session when attempting a sensitive action.
Important: Google decides which type of security challenge is appropriate to present to a user based on multiple security and usability factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.
As an administrator, can I choose which type of login challenge to show my users?
2-Step Verification (2SV) is a type of login challenge. As an administrator, you can enforce the 2SV login challenge for your users. By doing so, they won't receive another type of risk-based login challenge.
If you don't enforce 2SV for your users, or if a user doesn'thave it on, Google decides which type of login challenge is appropriate to present to thatuser. The type of login challenge that'sappropriate isbased on multiple security and usability factors. For example, the employee ID login challenge might not always be presented to a specific user, even if you turned it on.
Can users update their recovery information?
Yes. For details, seeSet up a recovery phone number or email address.
We use 2-Step Verification. Why do we need login challenges?
2-Step Verification (2SV) is a type of login challenge. When your users have it on, they won't get another login challenge. For the same reason, Admin Reports display each 2-Step Verification as a login challenge.
How do login challenges work when I have SSO enabled?
It depends on how you've configured SSO in your organization:
- If you’ve configured an SSO profile for your organization - By default, login challenges aren’t enabled. However, you can set up post SSO verification to allow additional risk-based authentication challenges and 2-Step Verification (2SV) if configured.
- If you’re using another SSO profile, any additional login challenges (including 2SV, if configured) are automatically applied.
Is this feature available in Education editions?
Yes, all Google Workspace editions include extra security questions and login challenges.
When does Google consider a sign-in attempt suspicious?
We determine whether a sign-in is suspicious when our risk-analysis system identifies an attempt that’s outside the normal pattern of user behavior. For example, a user might try to sign in from an unusual location or in a manner associated with abuse.
Phone verification
If my users don’t have a corporate phone, is there another way to verify their accounts?
Yes, there are different types of login challenges. Depending on the information that’s available for a user’s account, users are presented with a different type of login challenge, such as entering their employee ID or recovery email address. If a user doesn’t have access to their phone, they can use backup codes to sign in. For details, see Sign in using backup codes.
How can a user update the recovery phone number or email associated with their account?
The user can update the recovery information through the account settings.
Can a user opt to verify criteria other than their recovery phone number?
If the user doesn’t enter a recovery phone number, other types of login challenges apply, such as entering their recovery email address or using their employee ID.
Disabling a login challenge or verify-it's-you challenge
If the user can't verify their identity, can I disable the login or verify-it's-you challenge?
Yes, an administrator can turn off a login or verify-it's-you challengefor 10 minutes.
In some situations, an authorized user can’t verify their identity. For example, they might not have a phone signal and can’t get the verification code. Or, they can’t remember or find their employee ID. If this happens, as a super administrator you canturn off the login or verify-it's-you challenge for 10 minutes to allow them to sign in or complete the sensitive action. Exercise caution when turning off login or verify-it's-you challenges,as the account is less secure from account hijackers during the 10-minute window.
Can I turn the login or verify-it's-you challenges off for my organization?
No, you can’t turn off this feature for your entire organization. You can only turn it off temporarily on a per-user basis.
Can the user turn this off themselves from their account settings?
No, only an administrator can turn off the login or security challenges temporarily.
Administrator login challenges
How can an administrator who can’t verify their identity re-enter their account?
As an administrator, you can regain access to your account by following the prompts on the login page to resetyourpassword.
If you're a Google Workspace administrator who's having trouble signing in to your admin account, go toRecovering administrator access to your account for instructions.
What if a super administrator can't verify their identity?
If a super administrator user can't verify their identity, then another super administrator (if available) can temporarily turn off the login challenge for them, as described in the steps above.
Alternatively, the super administrator can bypass the loginchallenge by resetting their password.
Note: The automated password reset option isn'tavailable to all super administrators. For more information about admin account recovery, see Add recovery options to your administrator account.