Before you start
Get business buy-in
Big changes that people notice tend to benefit from an executive sponsor to lend weight to the change - you'll know better than us whether that makes sense for your organisation. You can read for some pointers.
Prepare your support team
When adopting MFA, some users may struggle with the enrolment process, or need help if they lose their MFA token or device after setup. Users will have a much better experience of MFA, and work disruption will be kept to a minimum, if the IT support team (or person, as the case may be) is prepared to support both enrolment and recovery, and can get them back on their feet quickly.
To make sure everything goes smoothly when something goes wrong, we recommend you make sure anyone responding to support requests tests or practices these processes using a test account.
Decide whether to move directly to enforcing
We typically recommend encouraging users to enable MFA before enforcing it. This helps teams gradually adopt MFA, and gives support teams more time to get used to supporting users.
However, Google Workspace allows you to configure very flexible enforcement timelines and "grace periods" for new users. What this means in practice is that for smaller teams - around 25 or fewer accounts - we recommend that you skip straight to enforcement. If you are a bigger team that is tech-savvy and unlikely to resist MFA, you might do this as well.
Using registered devices or security keys?
Google Workspace allows you to disable 2SV, enable 2SV (allowed to use - the default), and to enforce 2SV (must use) for all users, or a group of users.
When enforcing 2SV, the following options are available for MFA methods:
Any except verification codes via text, phone call
Anything (the default)
Unless you’re using security devices everywhere, we would normally recommend "Any except verification codes via text, phone call" - mainly because text- and call-based methods are less reliable (especially when travelling or where phone signal is spotty) and can lead to a bad user experience.
Unfortunately, the Google Workspace 2SV user setup wizard only allows users to register a phone number, a company phone, or a security key - authenticator apps are not an option.
If you are using company phones or security keys then there’s no issue: you can set the policy to “Any except verification codes via text, phone call” or “Security devices only” and users can follow the setup wizard.
If you aren’t, users will have to register a phone number first (and you will have to permit that option) before they can then add an authenticator app, if that is an option.
We think asking users to do this extra step is worth the increased reliability and improved experience. If this doesn’t make sense for your team, please let us know.
Let's get started
Configuring your environment
To start using 2SV in your Workspace, you'll need to do the following:
When you are ready to do so, enable MFA on Google Workspace by following the steps below:
Go to the 2-Step Verification page in the Google Admin dashboard.
Configure the details of your MFA deployment:
Under Enforcement, select "On" or "On from <Date>", as appropriate
Under Methods, choose the option appropriate for your team (Not sure? We recommend "Any except verification codes via text, phone call")
Hint: where available, and where the user is the sole user of the device, you should "Allow the user to trust the device" so they only get prompted once a month or similar. Reducing the volume of MFA prompts will greatly reduce the chance of a user accepting prompts they didn't initiate.