- An administrator or user loses their security key.
- A user loses their phone and can't generate 2SV codes.
- A user doesn’t enroll in 2SV by the end of the new user enrollment period.
- A newly created user can't sign in to their account to set up 2SV.
Important: Google is enforcing 2SV for administrator accounts. For details, go to About 2SV enforcement for admins .
Prepare for account recovery
- Administrators should have a spare security key—Admins should enroll more than one security key for their admin account and store it in a safe place.
- Save backup codes ahead of time—Super administrators should generate and print backup codes for other admins in their organization, in case they’re needed in the future. Keep backup codes in a secure location.
- Generate codes for a user—If a locked-out user doesn't have backup codes, admins with the User management privilege can generate codes for them. For details, go to User account on this page.
- Set up an additional super administrator—If an admin can’t sign in to their account, a super administrator can generate backup codes for them.
- If security keys are required, set up a grace period—When you set up enforcement for 2SV, set up a grace period. Users can enter an admin-generated backup code for 2SV during the grace period. If 2SV is enforced in Only security keymode, users cannot generate their own backup codes. For details, go to Deploy 2-Step Verification .
Use backup codes for account recovery
If you need to recover an account, use backup codes. Accounts are still protected by 2SV, and backup codes are easy to generate. If you move users into a configuration group or change their organizational unit and 2SV isn’t required, their accounts are no longer protected by 2SV. For more details, go to Avoid account lockouts when 2-Step Verification is enforced .
Note: Only super administrators can generate backup codes for another admin account. To generate backup codes for a user account, an admin must have the User management privilege .
Recover an account
Watch the video
Recover an account protected by 2-Step Verification
Recover a user account
You can only access 2SV settings for a user and complete these steps if 2SV is currently enforced for your organization or the user turned on 2SV for their account.
To complete these steps, you need the appropriate User management privilege . Without the correct privilege, you won't see all the controls needed to complete these steps.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu Directory > Users .
- From the Userslist, click the username you want.
Summary information about that user is shown. If you need help, go to Find a user account . - Click Security.
- Click 2-step verification.
- Click Get Backup Verification Codes.
- Copy one of the verification codes.
- Send the backup code to the user in an IM or text message.
The user can sign in to their account using a password and the backup code.
- Ask a super administrator at your company to generate backup codes, as described in User account on this page.
- If a super administrator isn’t available, follow the instructions in Recovering administrator access to your account .
About using a secondary username for account recovery
In some cases, you can use a secondary username to recover your account. This practice is discouraged because it’s not secure. If the secondary username isn’t covered by 2SV, it can be compromised—and so can your administrator account.
If your company has 3 or more super administrators or more than 500 users, you can’t use a secondary username for account recovery (it’s disabled).
