New option to make security codes more secure

What’s changing 

We’re giving you another option to determine how security codes can be used in your organization. A security code is a one-time use code, generated using a security key, that can be used to log in on legacy platforms where security keys aren’t supported directly.

With this launch we’re adding an option to restrict the use of codes to the same device or network that they were generated on.

Who’s impacted 

Admins and end users

Why you’d use it 

Since we introduced security codes in June 2019, we’ve observed that they’re most commonly used with applications that use legacy authentication on devices that are capable of supporting Chrome or other browsers that allow security keys. The new restricted security code option allows that use case to be satisfied while reducing some potential vulnerabilities. Unrestricted codes will still be available for users who need them (such as those using remote servers or virtual machines).

How to get started 

Admins: Customers can turn this feature on at Admin console > Security > Advanced security settings. Use our Help Center to find out more about security codes.
End users: No action needed.

Additional details 

Three security code settings available to G Suite admins 
With this launch, there will be three options for security codes:

  • Don't allow users to generate security codes. Users can’t generate security codes. This was previously available, and was the default setting. 
  • Allow security codes without remote access. Users can generate security codes and use them on the same device or local network (NAT or LAN). This is a new option, and it replaces “Don’t allow security codes” as the default setting for new G Suite customers. 
  • Allow security codes with remote access. Users can generate security codes and use them on the same device or local network (NAT or LAN), as well as other devices or networks, such as when accessing a remote server or a virtual machine. The earlier version of security codes was effectively the same as this. 


No impact to existing users 
This launch won’t change the user experience unless an admin changes a setting in the Admin console. Specifically:

  • Users who are currently assigned “Don’t allow security codes” will now be assigned “Don't allow users to generate security codes” and will still not be able to use security codes. 
  • Users who are currently assigned “Allow use of security codes” will now be assigned “Allow security codes with remote access” and will be able to use security codes in the same way as before. 

Use our Help Center to learn more about security codes and 2-Step Verification.

Security codes and the Advanced Protection Program for the enterprise 
You can control security code use separately for your users in the Advanced Protection Program for the enterprise. Security code settings for those users are determined by controls at Admin console > Security > Advanced Protection Program. Settings for security code use here will override regular settings for those users. Read more about the Advanced Protection Program for the enterprise.

Helpful links 

Help Center: Allow security codes when security keys aren't supported 
G Suite Updates blog: Use security codes to log in where security keys won’t work directly

Availability 

Rollout details 


G Suite editions 

  • Available to all G Suite editions. 

On/off by default? 

  • This feature will be OFF by default and can be customized on the domain, OU, or group level.

