Manage a user's security settings

As an administrator for your organization's Google Workspace or Cloud Identity service, you can view and manage security settings for a user. For example, you can reset a user's password, add or remove security keys for multi-factor authentication, and reset user sign-in cookies.

Open user security settings

  2. In the Admin console, go to Menu"" and then ""Directory and then Users.
  3. In the Users list, find the user.

    Tip: To find a user, you can also type the user's name or email address in the search box at the top of your Admin console. If you need help, see Find a user account.

  4. Click the user's name to open their account page.
  5. Click Security.


    Find the security section close to the top of the details

  6. View or manage the user's security settings by following the steps below.

View and manage user security settings

Expand all  |  Collapse all

Reset a user's password

View, add, or remove security keys

A security key is a small device that lets you sign in to a Google Account using 2-Step Verification. Of all the 2SV methods supported by Google, a security key is the most secure. It plugs into your computer's USB port or connects to your mobile device using NFC or Bluetooth. Learn more

If a security key is in use for this user, click the Security keys section to see when the key was added and last used.

Add a key

You can add a security key for a user, or they can add their own keys.

  • Users can add their own keys by following the instructions in Add a security key to your Google Account.
  • To add a key for the user:
    1. Click in Security keys to display the add button.
    2. ClickAdd Security Key.
    3. Follow the on-screen instructions.

      Note: if you have a security key plugged in to your computer, remove your key before registering a new key for a user.

    4. Click Done.

Remove a key

Remove a security key only when the key is lost. If a key is temporarily unavailable, you can generate backup security codes as a temporary workaround. See Get backup verification codes for a user below.

  1. Click in Security keys to display the key information table.
  2. Scroll the table all the way to the right.
  3. Hover over the table line for the key you want to remove to display the ""at right.
  4. Click""and thenRemove.
  5. Click Done.

    The Admin audit log adds an entry each time you revoke a security key.

Note: You can require users to use security keys with 2-Step Verification.

Check 2-Step Verification settings

Only the user can turn on 2-Step Verification (2SV). As admin, you can check a user's current 2-step verification setting and if necessary get a backup code for a locked-out user.

The 2-step verification section shows whether 2SV is turned on for the user, and whether 2SV is currently enforced across your organization.

  • You have the option of turning off 2SV for a locked-out user, but this isn't recommended. Instead, get a backup code for the user to allow them to sign in to their account.

    Note: You can't turn off 2SV for a user if their account is suspended.

  • If 2SV is enforced across your organization, the option to turn off 2SV for an individual user is disabled.

Get backup verification codes for a user

Users who temporarily can't access their second authentication method may get locked out. For example, a user may have left their security key at home, or can't receive an access code by phone. For these users, you can generate backup verification codes to allow them to sign in.

  1. To view the user's backup verification codes, click2-Step Verification and then  Get backup verification codes.
  2. Copy one of the existing backup codes or generate new codes. Note: select Get new codes If you think the existing backup codes were stolen or have been used up. The old set of backup codes automatically become inactive.
  3. Tell your user to follow the instructions in Sign in using backup codes.

If the user is required to use a security key for 2-step verification, you'll see the grace period that's left before they need to use their security key to sign in.

Force a password change

If you suspect that the user's password has been stolen, you can force the user to reset their password when they next sign in.

  1. Click Require password changeand then Turn on"".
  2. Click Done.

After the user resets their password, this setting is automatically set to Off.

Note: If your organization uses SSO through a third-party IdP, the force a password change setting isn't available unless you use a network mask to allow some users to sign in directly to Workplace. To check whether a network mask is set up, go to Security and then SSO with third-party IDPs and then SSO profile for your organization.

Edit a user's recovery information

If Google suspects an unauthorized attempt to sign in to a user's account, a login challenge appears before access to the account is granted. The user must either:

  • Enter a verification code that Google sends to their recovery phone number or recovery email address (an email address outside your organization).
  • Answer a challenge that only the account owner can solve.

To add or edit a user's recovery information:

  1. Click Recovery information.
  2. Add or edit either of the following:
    • Email address (outside of your organization)
    • Recovery phone number

      Note: Recovery phone should be unique for each user. If the same recovery phone number is used by multiple users, that number is automatically blocked for security reasons.

  3. Click Save.

Temporarily turn off a login or verify-it's-you challenge

If Google suspects an unauthorized attempt to sign in to a user's account, a login challenge appears before access to the account is granted. The user must enter a verification code that Google sends to their phone. Or, the user can choose to answer another challenge that only the account owner can solve.

Also, if a Google Workspace user attempts a sensitive action, that user is sometimes presented with a verify-it's-you challenge. If the user can't enter the requested information, Google will disallow the sensitive action.

If the authorized user can't verify their identity, you can turn off the login or verify-it's-you challenge for 10 minutes to allow the user to sign in.

Reset the user's sign-in cookies

If a user loses their computer or mobile device, you can help prevent unauthorized access to their Google Account by resetting their sign-in cookies. This signs the user out of their Google Account (including any Google Workspace applications) across all devices and browsers.

Note: If you suspended a user, you don't need to do this. Suspending a user resets their sign-in cookies.

If you have set up single sign-on (SSO) using a third-party identity provider (IdP), the user's SSO session may still allow access to their Google Account after resetting their sign-in cookies. In this case, terminate their SSO session before resetting their Google sign-in cookies. For help with SSO management, contact your IdP support team.

To reset the user's cookies:

  1. Click Sign-in cookies and then Reset.
  2. Click Done.

It can take up to an hour to sign the user out of current Gmail sessions. The time for other applications can vary.

View and revoke application-specific passwords

If your users use use 2-step verification and need to sign in to apps or devices that don't accept verification codes, they need application-specific passwords to access those apps. Learn  more about application specific passwords.

Any apps for which the user has created app passwords are listed in the Application-specific password section. Note: If no app passwords are in use, this section is inactive.

Click an app name to see information on when the password for that app was created, and when it was last used.

You should revoke an app password if a user loses a device or stops using an app that was authorized with that password.

  1. Click in the Application-specific password section to view apps using app passwords.
  2. Mouse over an app name and click"" at right.
  3. Click Revoke.
  4. Click Done.

Your users can also revoke their own app passwords.

View and remove access to third-party applications

The Connected applications section lists all the third-party applications (for example, Google Workspace Marketplace apps) that have access to this user's Google Account data. Learn how authorized access works.

Note: If no third-party applications have been installed, this section is inactive.

Click an application name to see more information:

  • The Access level column shows the user data that the application can access. A user can grant full or partial access to Google data.
  • The Authorization date column shows when the application was granted data access.

To temporarily remove an app's access to data:

  1. Mouse over an app name and click"" at right.
  2. Click Remove.
  3. Click Done.

Note: Removing data access for an app doesn't prevent a user from using the app in the future (if the user has the necessary permissions). Once a user signs into the app again, data access is restored. To permanently restrict user access to applications, you can block access to specific application scopes, and set up a whitelist of approved apps for your organization.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?