Manage a user's security settings

If you have the legacy free edition of G Suite, upgrade to Google Workspace to get this feature.

As an administrator for your organization's Google Workspace or Cloud Identity service, you can view and manage security settings for a user. For example, you can reset a user's password, add or remove security keys for multi-factor authentication, and reset user sign-in cookies.

Open user security settings

  1. From the Admin console Home page, go to Users.
  2. In the Users list, find the user.

    Tip: To find a user, you can also type the user's name or email address in the search box at the top of your Admin console. If you need help, see Find a user account.

  3. Click the user's name to open their account page.
  4. Click Security.


    Find the security section close to the top of the details

  5. View or manage the user's security settings by following the steps below.

View and manage user security settings


Reset a user's password

View, add, or remove security keys

A security key is a small device that lets you sign in to a Google Account using 2-Step Verification. Of all the 2SV methods supported by Google, a security key is the most secure. It plugs into your computer's USB port or connects to your mobile device using NFC or Bluetooth. Learn more

If a security key is in use for this user, click the Security keys section to see when the key was added and last used.

Add a key

You can add a security key for a user, or they can add their own keys.

  • Users can add their own keys by following the instructions in Add a security key to your Google Account.
  • To add a key for the user:
    1. Click in Security keys to display the add button.
    2. Click Add Security Key.
    3. Follow the on-screen instructions.

      Note: If you have a security key plugged in to your computer, remove your key before registering a new key for a user.

    4. Click Done.

Remove a key

Remove a security key only when the key is lost. If a key is temporarily unavailable, you can generate backup security codes as a temporary workaround. See Get backup verification codes for a user below.

  1. Click in Security keys to display the key information table.
  2. Scroll the table all the way to the right.
  3. Hover over the table row for the key you want to remove to display the icon at right.
  4. Click the icon and then Remove.
  5. Click Done.

    The Admin audit log adds an entry each time you revoke a security key.

Note: You can require users to use security keys with 2-Step Verification.

Check 2-Step Verification settings

Only the user can turn on 2-Step Verification (2SV). As admin, you can check a user's current 2-Step Verification setting and if necessary get a backup code for a locked-out user.

The 2-Step Verification section shows whether 2SV is turned on for the user, and whether 2SV is currently enforced across your organization.

  • You have the option of turning off 2SV for a locked-out user, but this isn't recommended. Instead, get a backup code for the user to allow them to sign in to their account.

    Note: You can't turn off 2SV for a user if their account is suspended.

  • If 2SV is enforced across your organization, the option to turn off 2SV for an individual user is disabled.

Get backup verification codes for a user

Users who temporarily can't access their second authentication method may get locked out. For example, a user may have left their security key at home, or can't receive an access code by phone. For these users, you can generate backup verification codes to allow them to sign in.

  1. To view the user's backup verification codes, click 2-Step Verification and then Get backup verification codes.
  2. Copy one of the existing backup codes or generate new codes. Note: Select Get new codes if you think the existing backup codes were stolen or have been used up. The old set of backup codes automatically becomes inactive.
  3. Tell your user to follow the instructions in Sign in using backup codes.

If the user is required to use a security key for 2-Step Verification, you'll see the grace period that's left before they need to use their security key to sign in.

Force a password change

If you suspect that the user's password has been stolen, you can force the user to reset their password when they next sign in.

  1. Click Require password change and then Turn on.
  2. Click Done.

After the user resets their password, this setting is automatically set to Off.

Edit a user's recovery information

If Google suspects an unauthorized attempt to sign in to a user's account, a login challenge appears before access to the account is granted. The user must either:

  • Enter a verification code that Google sends to their recovery phone number or recovery email address (an email address outside your organization).
  • Answer a challenge that only the account owner can solve.

To add or edit a user's recovery information:

  1. Click Recovery information.
  2. Add or edit either of the following:
    • Email address (outside of your organization)
    • Recovery phone number

      Note: Recovery phone should be unique for each user. If the same recovery phone number is used by multiple users, that number is automatically blocked for security reasons.

  3. Click Save.

Temporarily turn off a login challenge

If Google suspects an unauthorized attempt to sign in to a user's account, a login challenge appears before access to the account is granted. The user must enter a verification code that Google sends to their phone. Or, the user can choose to answer another challenge that only the account owner can solve.

If the authorized user can't verify their identity, you can briefly turn off the login challenge to allow the user to sign in:

  1. Click Login Challenge and then Turn off for 10 mins.
  2. Click Done.

Reset the user's sign-in cookies

If a user loses their computer or mobile device, you can help prevent unauthorized access to their Google Account by resetting their sign-in cookies. This signs the user out of their Google Account (including any Google Workspace applications) across all devices and browsers.

Note: If you suspended a user, you don't need to do this. Suspending a user resets their sign-in cookies.

If you have set up single sign-on (SSO) using a third-party identity provider (IdP), the user's SSO session may still allow access to their Google Account after resetting their sign-in cookies. In this case, terminate their SSO session before resetting their Google sign-in cookies. For help with SSO management, contact your IdP support team.

To reset the user's cookies:

  1. Click Sign-in cookies and then Reset.
  2. Click Done.

It can take up to an hour to sign the user out of current Gmail sessions. The time for other applications can vary.

View and revoke application-specific passwords

If your users use 2-Step Verification and need to sign in to apps or devices that don't accept verification codes, they need application-specific passwords to access those apps. Learn more about application-specific passwords.

Any apps for which the user has created app passwords are listed in the Application-specific password section. Note: If no app passwords are in use, this section is inactive.

Click an app name to see information on when the password for that app was created, and when it was last used.

You should revoke an app password if a user loses a device or stops using an app that was authorized with that password.

  1. Click in the Application-specific password section to view apps using app passwords.
  2. Mouse over an app name and click the icon at right.
  3. Click Revoke.
  4. Click Done.

Your users can also revoke their own app passwords.
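
The console steps in "Force a password change", "Reset the user's sign-in cookies" and "View and revoke application-specific passwords" can also be scripted for a lost-device response. The following is an added example, not Google's code: it assumes an Admin SDK Directory API client (methods users.update, users.signOut, asps.list, asps.delete) built by the caller, and `terminate_idp_session` is a hypothetical callback for your identity provider.

```python
# Added example (not Google's code). `directory` is assumed to be an Admin SDK
# Directory API client the caller built, for example with
# googleapiclient.discovery.build("admin", "directory_v1", credentials=creds).


def respond_to_lost_device(directory, user_key, *, suspended=False,
                           uses_third_party_sso=False,
                           terminate_idp_session=None,
                           password_suspected_stolen=False):
    """Apply the page's containment steps; return (action, detail) records.

    terminate_idp_session is a hypothetical callback that ends the user's
    session at your identity provider.
    """
    reset_cookies = not suspended  # suspension already resets sign-in cookies
    if reset_cookies and uses_third_party_sso and terminate_idp_session is None:
        # Fail before changing anything: a live SSO session can re-grant access.
        raise ValueError("terminate the IdP session before resetting cookies")

    done = []
    if password_suspected_stolen:
        # Same effect as turning on "Require password change".
        directory.users().update(
            userKey=user_key,
            body={"changePasswordAtNextLogin": True}).execute()
        done.append(("require_password_change", user_key))

    # Revoke every application-specific password the user created.
    listing = directory.asps().list(userKey=user_key).execute()
    for asp in listing.get("items", []):
        directory.asps().delete(
            userKey=user_key, codeId=asp["codeId"]).execute()
        done.append(("revoke_app_password", asp.get("name", "")))

    if not reset_cookies:
        done.append(("skip_cookie_reset", "user is suspended"))
        return done

    if uses_third_party_sso:
        terminate_idp_session(user_key)  # must precede the cookie reset
        done.append(("terminate_idp_session", user_key))

    # Sign the user out of all sessions and reset their sign-in cookies.
    directory.users().signOut(userKey=user_key).execute()
    done.append(("reset_sign_in_cookies", user_key))
    return done
```

The returned records can be attached to the incident ticket alongside the corresponding Admin audit log entries.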

View and remove access to third-party applications

The Connected applications section lists all the third-party applications (for example, Google Workspace Marketplace apps) that have access to this user's Google Account data. Learn how authorized access works.

Note: If no third-party applications have been installed, this section is inactive.

Click an application name to see more information:

  • The Access level column shows the user data that the application can access. A user can grant full or partial access to Google data.
  • The Authorization date column shows when the application was granted data access.

To temporarily remove an app's access to data:

  1. Mouse over an app name and click the icon at right.
  2. Click Remove.
  3. Click Done.

Note: Removing data access for an app doesn't prevent a user from using the app in the future (if the user has the necessary permissions). Once a user signs in to the app again, data access is restored. To permanently restrict user access to applications, you can block access to specific application scopes, and set up a whitelist of approved apps for your organization.

