If this is enabled, it allows users to associate another email address or phone number to their account so that they can reset their own password if they forget it. Useful to turn on for your staff organisation. (Note that users will have to associate an email/phone BEFORE they forget their password!)
We would recommend allowing staff members to turn on two-step verification, and potentially enforcing it for users who deal with particularly sensitive data. There are a variety of methods you can use for 2 step verification including using phone prompts, text messages and security keys.
It's really important if you are using some synchronisation tool for your users (e.g LGfL USO sync) that you keep the 'Enable API access' box checked or the sync process will not work.
Here you can choose to disable users from granting access to third party web apps and Google Drive add-ons. For Gmail and Drive you can choose to disable only 'High Risk Access'. The most secure and GDPR compliant recommendation here would be to disable API access for all, and change the message displayed to users to include your email address and they can request for an app to be trusted. You can then add the App ID to the list of 'Trusted apps' here.
You can also choose to whitelist apps via these links. Note Drive Add-ons can be distributed through the G Suite Marketplace.