If you do only one thing on this list, enforce 2-Step Verification. The vast majority of account takeovers start with a stolen or guessed password, and a second factor stops nearly all of them. The trick is rolling it out so it protects everyone without locking out the people who haven't enrolled yet—so we'll do that carefully.

A note on editions

2-Step Verification and enforcement are available on every Google Workspace edition—including Business Starter—and on free Gmail accounts. A couple of extras (Context-Aware Access, automatic Advanced Protection enrollment) require Enterprise editions; we flag those as we go.

You'll work in two places:

  • Admin console admin.google.com — where you set policy for everyone.
  • Personal account page myaccount.google.com — where each user enrolls.

1. Know the methods (strongest to weakest)

Not all second factors are equal. Steer people toward the top of this list and away from the bottom.

  • Passkeys & security keys (FIDO2—hardware keys like Titan or YubiKey, or a passkey on a phone or laptop): phishing-resistant, and the gold standard—especially for admins.
  • Google prompt: a tap-to-approve push notification on a signed-in phone. Strong and easy.
  • Authenticator app (Google Authenticator or any TOTP app): six-digit codes that work even offline.
  • Backup codes: one-time codes for when a phone is lost—everyone should generate and store a set.
  • Text message or voice codes: better than nothing, but the weakest—vulnerable to SIM-swapping and interception. Avoid where you can.

A good target: everyone on Google prompt or an authenticator app at minimum, and admins and sensitive roles on passkeys or hardware security keys.

2. Roll it out without locking anyone out

Flipping enforcement on before people have enrolled will lock them out of their accounts. Do it in this order instead:

  1. Turn on "Allow users to turn on 2-Step Verification."
  2. Announce it, and ask everyone to enroll now.
  3. Give a grace period—a week or two—and track who's done it (step 9).
  4. Once nearly everyone is enrolled, switch Enforcement to On.
  5. Set a new-user enrollment period so future hires get a few days to enroll before they're locked in.

3. Turn on & enforce 2-Step Verification

Go to admin.google.com → Security → Authentication → 2-Step Verification.

  1. Check Allow users to turn on 2-Step Verification.
  2. Set Enforcement to On—or On from date to schedule it for after your grace period.
  3. Set a New user enrollment period (a week is reasonable).
  4. Apply to the whole organization, or scope it by organizational unit or group—handy for enforcing admins first, then everyone else.

4. Ban the weak methods (SMS & voice)

On that same screen, set the allowed Methods:

  • For most users, choose "Any except verification codes via text message and phone call." That keeps SMS off the table while still allowing prompts, authenticator apps, and keys.
  • For your most sensitive group, choose "Only security key" (which includes passkeys).
  • Consider turning off "Allow user to trust the device" for sensitive groups, so they're re-prompted more often instead of staying trusted for months.

5. Lock down admins with passkeys

Super admin accounts are attacker target number one—any one of them holds the keys to the whole kingdom. Treat them differently:

  • Enroll every admin with a passkey or hardware security key before you roll out to anyone else.
  • Put admins in an organizational unit or group enforced to "Only security key."
  • Keep at least two super admin accounts, each with its own key and recovery set up, so a single lost device can't lock you out of the entire tenant.

6. Set up recovery & backup codes

The most common 2SV problem isn't attackers—it's a staff member who lost their phone. Plan for it.

  • Have everyone generate backup codes at myaccount.google.com → Security → 2-Step Verification → Backup codes and store them somewhere safe (not a sticky note on the monitor).
  • For admins, set a recovery email and phone, and keep backup codes offline.
  • Decide your recovery policy. Many organizations disable self-service recovery and route resets through an admin, which blocks a common social-engineering path. To do that, go to admin.google.com → Security → Account recovery and turn off self-recovery for users and non-super-admins.
  • An admin can't see a user's 2SV secrets, but can turn off 2SV for a locked-out user (then have them re-enroll) or generate backup codes for them.

7. Close the back doors

MFA only helps if nothing routes around it.

  • Less secure app access is being retired by Google—confirm it's off so old username-and-password connections can't bypass 2SV.
  • App passwords sidestep 2SV by design. Discourage them; allow one only for a legacy device that genuinely can't do modern (OAuth) sign-in, and revoke it the moment it's no longer needed.

8. Advanced Protection for high-risk users (editions vary)

  • Advanced Protection Program is the strongest setting Google offers—it requires security keys or passkeys, blocks risky downloads, and limits third-party access to the account. It's ideal for executives, finance, and admins. You can point users to enroll themselves; Enterprise editions can auto-enroll a group.
  • Context-Aware Access (Enterprise) lets you add conditions—like a managed device or an approved location—to sign-in. It's Google's version of conditional access, and a natural next step once MFA is solid.

9. Track who's enrolled

Before you flip enforcement on, find the stragglers so nobody's surprised.

Go to admin.google.com → Reporting → Reports → User reports → Security. The Security report shows each user's 2-Step Verification Enrolled and Enforced status, so you can nudge the people who haven't set it up yet.
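The same Enrolled/Enforced data behind that Security report is exposed by the Admin SDK Reports API user usage report (parameters accounts:is_2sv_enrolled and accounts:is_2sv_enforced), which is handier than clicking through the console once you have more than a few dozen users. The script below is an added example, not part of the original guide: it parses a report in that JSON shape and lists who still needs a nudge, plus the smaller set who are already enforced but not enrolled. The report embedded here is constructed sample data so the script runs offline; the fetch call is described in a comment rather than executed.

```python
"""List 2-Step Verification stragglers from a Reports API user usage report.

Added example, not the guide's own code. Assumes the JSON shape returned by
the Admin SDK Reports API user usage report; the report below is constructed.
A live pull would look like (not executed here):
    service = build("admin", "reports_v1", credentials=creds)
    resp = service.userUsageReport().get(
        userKey="all", date="2024-05-01",
        parameters="accounts:is_2sv_enrolled,accounts:is_2sv_enforced").execute()
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample response: four users in various enrollment states.
SAMPLE_REPORT = json.dumps({
    "kind": "admin#reports#usageReports",
    "usageReports": [
        {"date": "2024-05-01",
         "entity": {"type": "USER", "userEmail": "admin@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": True},
             {"name": "accounts:is_2sv_enforced", "boolValue": True}]},
        {"date": "2024-05-01",
         "entity": {"type": "USER", "userEmail": "alice@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": True},
             {"name": "accounts:is_2sv_enforced", "boolValue": False}]},
        {"date": "2024-05-01",
         "entity": {"type": "USER", "userEmail": "bob@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": False},
             {"name": "accounts:is_2sv_enforced", "boolValue": False}]},
        {"date": "2024-05-01",
         "entity": {"type": "USER", "userEmail": "carol@example.com"},
         "parameters": [
             {"name": "accounts:is_2sv_enrolled", "boolValue": False},
             {"name": "accounts:is_2sv_enforced", "boolValue": True}]},
    ],
})


@dataclass
class UserStatus:
    email: str
    enrolled: bool
    enforced: bool


def parse_report(raw: str) -> list[UserStatus]:
    """Flatten the usageReports entries into one UserStatus per user."""
    data = json.loads(raw)
    statuses = []
    for entry in data.get("usageReports", []):
        email = entry["entity"]["userEmail"]
        # Each parameter is {"name": ..., "boolValue": ...}; missing means False.
        flags = {p["name"]: bool(p.get("boolValue", False))
                 for p in entry.get("parameters", [])}
        statuses.append(UserStatus(
            email=email,
            enrolled=flags.get("accounts:is_2sv_enrolled", False),
            enforced=flags.get("accounts:is_2sv_enforced", False),
        ))
    return statuses


def stragglers(statuses: list[UserStatus]) -> list[str]:
    """Users who have not enrolled: the people to nudge before flipping enforcement."""
    return sorted(s.email for s in statuses if not s.enrolled)


def at_risk_of_lockout(statuses: list[UserStatus]) -> list[str]:
    """Enforced but not enrolled: either inside their new-user enrollment
    period or already locked out, so they need attention first."""
    return sorted(s.email for s in statuses if s.enforced and not s.enrolled)


def enrollment_rate(statuses: list[UserStatus]) -> float:
    """Fraction of users enrolled; 0.0 for an empty report."""
    if not statuses:
        return 0.0
    return sum(1 for s in statuses if s.enrolled) / len(statuses)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"enrolled: {enrollment_rate(report):.0%}")
    print("not enrolled:", ", ".join(stragglers(report)))
    print("enforced but not enrolled:", ", ".join(at_risk_of_lockout(report)))
```

Run it against the live response instead of SAMPLE_REPORT once enrollment starts and re-run daily through the grace period; when stragglers() comes back empty for everyone outside your planned exceptions, you are ready to switch Enforcement to On. Usage reports can lag the live state, so someone who enrolled this morning may still show as not enrolled until the next report date.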

10. Help your users enroll

Make it easy—share these three steps with your team:

  1. Go to myaccount.google.com → Security → 2-Step Verification and select Get started.
  2. Add a phone (Google prompt) to begin, then add a stronger method—an authenticator app or, better, a passkey or security key.
  3. Generate and save your Backup codes.

Nudge everyone toward a passkey—it's the easiest strong option, it's phishing-resistant, and it works across their devices.

Your Google Workspace MFA checklist

  • Methods chosen: everyone on prompt/authenticator minimum, admins on passkeys/keys
  • 2-Step Verification allowed, then enforced (after a grace period)
  • New-user enrollment period set
  • SMS and voice codes disallowed ("Any except text/phone")
  • Admins enrolled with passkeys/security keys in a "security key only" group
  • At least two super admins, each with a key and recovery
  • Backup codes generated and stored safely
  • Account-recovery policy decided (admin-managed resets)
  • App passwords & less-secure access locked down
  • High-risk users on Advanced Protection
  • Enrollment tracked via the Security report

Google relabels and moves these settings from time to time, so a menu may sit a click away from where it's described here. The setting names quoted here are stable search terms—if a path has moved, searching the admin console for the name will get you there. Pair this with our guide on locking down Microsoft 365 email if you run both.