Connect with us

Hi, what are you looking for?


Identity & Access

G Suite Admins Can Now Disable Phone 2-SV

Google is making G Suite accounts more secure by allowing administrators to remove phone-based 2-step verification (2-SV) from the available multi-factor verification options.

Google is making G Suite accounts more secure by allowing administrators to remove phone-based 2-step verification (2-SV) from the available multi-factor verification options.

With the new policy in place, admins enforcing a second factor at login to improve the security of an account can prevent users from selecting 2-SV methods such as SMS and voice codes, which have been already deemed insecure.

“As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations,” Google says.

With additional control over the authentication methods used in their domain, administrators can now increase the security of user accounts and associated data, Google says.

To apply the new policy, G Suite admins need to access the Admin console and go to Security > Advanced security settings > Allowed two step verification methods.

Users enrolling in 2-step verification for the first time will have the option to set up Google Prompt or to ‘Choose another option,’ which lets them add a Security Key instead.

Users with phone 2-SV enabled won’t be able to log into their account when the change is made.

Advertisement. Scroll to continue reading.

Thus, Google advises admins to inform all users of the planned changes in due time, so they are able to switch to a different 2SV method by the time the new policy is enforced.

Users who haven’t made the switch by the enforcement date can be added to an exception group where 2SV isn’t enforced until they can add a 2SV method. This, however, is only a workaround, to avoid having users locked out of their accounts, and is not recommended as standard practice.

“Before setting this policy, tell your users to add and start using another 2SV method. Also inform them that they won’t be able to get 2SV verification codes on their phones after a specified enforcement date,” Google notes.

The new policy is gradually rolling out and should become available to all G Suite admins in the next 15 days. The policy, however, is not enabled by default and admins need to explicitly choose to apply it.

Related: Google Helps G Suite Admins Enforce Strong Passwords

Related: Google Makes Secure LDAP Generally Available

Related: Google Turns on G Suite Alerts for State-Sponsored Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.