Customers can strengthen account security by using 2-step verification and security keys. These can help mitigate risks such as the misconfiguration of employee access controls or attackers taking advantage of compromised accounts. With the Advanced Protection Program for enterprise, we can enforce a curated set of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for email threats.
Use 2-Step Verification to protect accounts from unauthorized access. 2-Step Verification puts an extra barrier between your business and cybercriminals who try to steal usernames and passwords to access business data.
Sign in to the Admin console as an administrator.
From the Admin console Home page, go to Security > 2-Step Verification.
Click Allow users to turn on 2-Step Verification.
Under Enforcement, choose when to start enforcing 2-Step Verification.
On—Starts immediately.
Turn on enforcement from date—Select the start date. Users see reminders to enroll in 2-Step Verification when they sign in.
Set a New user enrollment period.
In the Frequency setting, click Allow user to trust the device (optional).
Use your iPhone as a security key for your Google Account
Security keys provide the strongest form of 2-Step Verification (also known as two-factor authentication or 2FA) to help protect your account against phishing.
The iPhone security key is enabled through the Google Smart Lock app.
Installation of the Google Smart Lock app is only available on devices running iOS 10.0 and up.
If 2-Step Verification or Security Key Enforcement is turned on for an organization, iOS devices will be available as an option for security keys by default.
Google Workspace offers customers a single sign-on (SSO) service that lets users access multiple services using the same sign-in page and authentication credentials. It is based on SAML 2.0, an XML standard that allows secure web domains to exchange user authentication and authorization data. For additional security, SSO accepts public keys and certificates generated with either the RSA or DSA algorithm. Customer organizations can use the SSO service to integrate single sign-on for Google Workspace into their LDAP or other SSO system.
Google Workspace supports OAuth 2.0 and OpenID Connect, an open protocol for authentication and authorization that allows customers to configure one single sign-on service (SSO) for multiple cloud solutions. Users can log on to third-party applications through Google Workspace—and vice versa—without re-entering their credentials or sharing sensitive password information.
Most organizations also have internal policies which dictate the handling of sensitive data. To help Google Workspace administrators maintain control over sensitive data, we offer information rights management in Google Drive. Administrators and users can use the access permissions in Google Drive to protect sensitive content by preventing the re-sharing, downloading, printing or copying of the file or changing of the permissions.
By default, users with Gmail accounts at your domain can send mail to and receive mail from any email address. In some cases, administrators may want to restrict the email addresses users can exchange mail with. For example, a school might want to allow its students to exchange mail with the faculty and other students, but not with people outside the school.
Using the restrict delivery setting allows administrators to specify the addresses and domains where users can send or receive email messages. When administrators add a restrict delivery setting, users can only communicate with authorized parties. Users who attempt to send mail to a domain not listed will see a message that specifies the policy prohibiting mail to that address, and confirms that the mail is unsent. Likewise, users receive only authenticated messages from listed domains. Messages sent from unlisted domains—or messages from listed domains that can’t be verified using DKIM or SPF records—are returned to the sender with a message about the policy.
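The decision logic described above, modeled as an added example (not Google's code, and not part of the original page). The allow list, the sample messages, and the rule that the SPF or DKIM pass must be for the same domain as the From address are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow list, standing in for the admin's restrict delivery setting.
ALLOWED = {"school.example"}

def domain_of(value):
    """Lower-cased domain of an address, header value, or bare domain."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def outbound_decision(recipients, allowed=ALLOWED):
    """Outbound mail stays unsent if any recipient domain is not listed."""
    blocked = [r for r in recipients if domain_of(r) not in allowed]
    return ("unsent", blocked) if blocked else ("send", [])

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM per Authentication-Results headers.
    Assumption: the receiving server wrote these headers and removed forged ones."""
    found = set()
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:
            clause = clause.strip()
            if not re.match(r"(spf|dkim)=pass\b", clause, re.I):
                continue
            prop = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", clause, re.I)
            if prop:
                found.add(prop.group(1).rpartition("@")[2].lower())
    return found

def inbound_decision(raw, allowed=ALLOWED):
    """Inbound mail needs a listed From domain AND an SPF or DKIM pass for it.
    Assumption: the passing domain must equal the From domain."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From", ""))
    if sender not in allowed:
        return "returned: unlisted domain"
    if sender not in authenticated_domains(msg):
        return "returned: listed domain not verified by DKIM or SPF"
    return "deliver"

# Constructed sample messages.
def sample(auth, sender):
    return f"Authentication-Results: mx.school.example; {auth}\nFrom: {sender}\n\nbody\n"

VERIFIED = sample("spf=softfail smtp.mailfrom=mailer.example; dkim=pass header.d=school.example", "Teacher <t@school.example>")
SPOOFED = sample("spf=fail smtp.mailfrom=school.example; dkim=none", "Principal <p@school.example>")
OUTSIDE = sample("spf=pass smtp.mailfrom=other.example; dkim=pass header.d=other.example", "x@other.example")
```

The SPOOFED message shows why the allow list alone is not enough: its From domain is listed, but with neither SPF nor DKIM passing it is returned rather than delivered.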
To facilitate easier user access, while at the same time protecting the security of data, Google has developed context-aware access. This provides granular controls for Google Workspace apps, based on a user’s identity and context of the request (such as device security status or IP address). Based on the BeyondCorp security model developed by Google, users can access web applications and infrastructure resources from virtually any device, anywhere, without utilising remote-access VPN gateways, while administrators can establish controls over the device. You can also still set access policies, such as 2-Step Verification, for all members of an organizational unit or group.