Connect with us

Hi, what are you looking for?


Identity & Access

Google Allows G Suite Users to Log In With Security Codes

Google on Tuesday announced that G Suite users can now log in on platforms that don’t directly support security keys using security codes generated by their security keys.

Google on Tuesday announced that G Suite users can now log in on platforms that don’t directly support security keys using security codes generated by their security keys.

Security keys, which are two-factor authentication (2FA) devices, are considered highly efficient for protecting accounts against phishing and other types of threats. However, they often don’t work on legacy platforms that do not support FIDO protocols or applications such as Internet Explorer, Safari and iOS apps.Security keys

G Suite administrators and end users can now use their security keys to log in on platforms that cannot communicate with a security key directly. If the new feature is enabled, users will see a “Having trouble” or “Try another way” option on the 2-step verification (2SV) page. If they select one of these options, they will be allowed to either use their security key directly (if supported) or obtain a one-time security code that they can use to log in.

The security code process involves connecting the security key to a compatible system and visiting a specific URL from where they can obtain the one-time code that must be entered in the uncompatible service.

“For example, a user may need to access a web application that federates their Google identity, but only works on Internet Explorer 11. While the browser can’t communicate with a security key directly, the user can open a Chrome browser and generate a security code, which can then be entered in Internet Explorer to gain access to the application,” Google explained in a blog post.

G Suite security code

On domains that enforce the “Only security key” policy (i.e., they only allow logins with a security key), the new feature can be enabled by admins by accessing Admin Console > Security > Advanced security settings and selecting “Users may utilize security code.” The new feature is being rolled out gradually over a period of up to 15 days for these domains starting with July 8.

The feature will be enabled by default on domains that enforce “Any” or “Any except verification codes via text, phone call” policies. The rollout has already started for these domains and it will take up to 15 days.

Related: Google Turns on G Suite Alerts for State-Sponsored Attacks

Advertisement. Scroll to continue reading.

Related: Google Warns G Suite Customers of Passwords Stored Unhashed Since 2005

Related: Hackers Bypass MFA on Cloud Accounts via IMAP Protocol

Related: Google Helps G Suite Admins Enforce Strong Passwords

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.