Use Google 2-Step Verification and risk-based login challenges with 3rd-party identity providers
What’s changing
We’re making two Google login security measures available to organizations that use 3rd-party identity providers. Admins at these organizations can choose to turn on two features that significantly improve account security against various attacks on user accounts. These features are new for customers using 3-party identity providers:
- 2-Step Verification, an extra verification step that automatically requests verification when certain conditions are met (for example, when someone tries to log in on a new device or browser). Learn more about 2-Step Verification.
- Risk-based login challenges, which analyzes user access patterns and assesses the risk of a malicious attack, and presents additional verification challenges when the behavior looks suspicious. Learn more about risk-based login challenges.
Who’s impacted
Admins and end users
Why you’d use it
This will allow you to better protect your users’ accounts from unauthorized access. You can use this feature to:
- Increase overall account security, by leveraging Google’s risk-based challenges for users authenticating on your 3rd-party identity provider.
- Enforce Google 2-Step Verification for certain users only. For example, you can enforce Google 2-Step Verification in combination with your 3rd-party identity provider for users with access to more sensitive information stored within Google.
- Use 2-Step Verification without additional costs. You can enforce these policies for users predominantly accessing Google resources at no additional cost.
How to get started
- Admins: You can choose whether to enforce additional 2-Step Verification for users at Admin console > Security > Login challenges > Post-SSO verification. Use our Help Center to learn more about 2-Step Verification with 3rd-party identity providers.
- End users: If turned on, a user will simply have to complete the 2-Step Verification step using a familiar Google sign-in interface after they sign in to the 3rd-party identity provider. Learn more about Google 2-Step Verification.
Admin controls available for verification enforcement when using a 3rd-party identity provider
Helpful links
- Help Center: Set up single sign-on using third-party Identity providers
- Help Center: Protect your business with 2-Step Verification
- Help Center: Login challenges
- 2-Step Verification: How it works
Availability
Rollout details
- Rapid Release domains: Gradual rollout (up to 15 days for feature visibility) starting on Sep 26, 2019
- Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on Sep 26, 2019
G Suite editions
Available to all G Suite and Cloud Identity editions.
On/off by default?
This feature will be OFF by default and can be enabled at the OU level.
Stay up to date with G Suite launches