2-step verification adds an extra layer of security to your users' Google Apps accounts by requiring them to enter a verification code in addition to their username and password, when signing in to their account.

The Google Apps Service Level Agreement does not apply to any services used in connection with 2-step verification if the verification process relies on third-party voice or data providers to deliver the verification code.

Why should I enable 2-step verification for my domain?

2-step verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's verification codes, which only the user can obtain via their own mobile phone.

Requirements

• A mobile phone that can receive the verification code via text message or phone call. See how to view the list of supported countries.
Or
• An Android, BlackBerry, or iPhone. These devices use the Google Authenticator mobile app to generate the verification code.
• Note: 2-step verification can't be used for accounts using a SAML single sign-on service (SSO). See SAML SSO Service for Google Apps.
• 2-step verification is only available in US English in the next-generation version of the Google Apps administrator control panel. See Current vs. Next generation control panel for more information.

How it works

1. You enable 2-step verification for your domain in your Google Apps control panel. See Setup 2-step verification for your domain for how to enable 2-step verification for your account. We recommend that you notify your users of this new security process and include instructions on how to get started.
   
   Note: You can't force your users to use 2-step verification, they must opt-in themselves.
   
   
2. The user enrolls in 2-step verification, and selects the method for receiving their verification code on their mobile phone: the Google Authenticator app, text message, or phone call. How quickly they get their code via text message or phone call depends on their service provider and location. We recommend users with smartphones to use the Google Authenticator app which can generate codes without a network connection.
   
   See Set up 2-step verification for your Google Account.
   
   
   • If this link doesn't take you to the 2-step verification page, you need to follow these steps:
     
     
     1. Sign in to your Google Apps Gmail Account and click Settings (in the top right corner).
     2. Under the Accounts tab, click Google Account settings.
     3. Under Personal Settings, click Using 2-step verification
     4. Follow the steps in the 2-step verification guide to set up 2-step verification.
   
   Administrators can point users to Getting started with 2-step verification for step-by-step instructions.
   
   
3. The next time the user signs in to their Google Apps account on a new browser or device, they enter their username and password as usual. They're then prompted with a second page to enter a verification code. When your user checks Remember verification for this computer, they're only prompted to enter a verification code once every 30 days per browser or after deleting their browser's cookies. Your users should not check this if they're at a public or shared computer.
   
   
   
   
4. Depending on how they opted to receive their code, the user gets their time-based, one-time code from the Google Authenticator app on their smartphone or via text message or phone call. They then enter the code to successfully sign in.
   
   
   • If a user loses their phone, they can use backup codes to sign in. See Frequently Asked Questions - Backup codes.

Signing in to mobile devices with application-specific passwords

Once your users enroll in 2-step verification, they may need to use application-specific passwords in addition to their verification codes. For installed applications that don't have a 2-step verification field, your users will need to enter an application-specific password once per device or application in place of their regular password to access their Google Account.

Common devices and applications that require application-specific passwords are: Gmail and Google Calendar on Android-based phones, ActiveSync for Windows Mobile and iPhone, and IMAP clients such as Thunderbird. See Sign in to mobile or desktop apps for more details.

Remember that good security practices are critical to the integrity of your user's Google Account. Learn more at Keeping your account secure.