What’s changing
We’re adding an option for admins to disable telephony options as 2-Step Verification methods for G Suite accounts in their domain. This option will prevent their users from using SMS and voice codes for 2-factor authentication.
Who’s impacted
Admins only
Why you’d use it
There are many forms of 2-Step Verification—from text (SMS) message codes, to the Google Authenticator app, to hardware second factors like security keys. And while any second factor will greatly improve the security of your account, we’ve long advocated the use of security keys for those who want the strongest account protection.
As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations. The present release does just that: admins get a policy that can enforce the use of multi-factor authentication without permitting SMS and voice verification codes.
This new policy gives admins more control over the security methods used in their domain, and increases the security of user accounts and associated data.
How to get started
- Admins: Apply the new policy by changing the setting at Admin console > Security > Advanced security settings > Allowed two step verification methods.
- End users: No action needed unless the admin changes the configuration.
2-factor authentication options in the G Suite Admin console
How users can configure 2-Step Verification once the policy is enforced
Users with the new policy applied will not be able to add SMS- or voice-based codes as an option, either when enrolling in 2-Step Verification for the first time or later at myaccount.google.com. A user enrolling in 2-Step Verification for the first time will see the screen below. This first provides an option to set up Google Prompt, as well as ‘Choose another option’, which will let them add a Security Key instead.
Avoid user sign-in issues
Users affected by the new policy who have SMS/Voice as the only 2SV method on their account will not be able to sign in. To avoid this lock-out situation, see our Help Center to get tips for how to ensure a smooth transition to an enforcement policy.
- Rapid Release domains: Gradual rollout (up to 15 days for feature visibility) starting on March 14, 2019.
- Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on March 14, 2019.
Available to all G Suite editions
On/off by default?
The new policy is not enabled by default. Admins need to explicitly choose to apply this policy on an OU/Group basis, like the other existing 2SV enforcement policies.