With this launch Google is adding an option to restrict the use of codes to the same device or network that they were generated on.
Admins and end users
Why you’d use it
Since Google introduced security codes in June 2019, the company observed that they’re most commonly used with applications that use legacy authentication on devices that are capable of supporting Chrome or other browsers that allow security keys. The new restricted security code option allows that use case to be satisfied while reducing some potential vulnerabilities. Unrestricted codes will still be available for users who need them (such as those using remote servers or virtual machines).
How to get started
Admins: Customers can turn this feature on at Admin console > Security > Advanced security settings. Use Google’s Help Center to find out more about security codes.
End users: No action needed.
Three security code settings available to Google Workspace admins
With this launch, there will be three options for security codes:
- Don’t allow users to generate security codes. Users can’t generate security codes. This was previously available, and was the default setting.
- Allow security codes without remote access. Users can generate security codes and use them on the same device or local network (NAT or LAN). This is a new option, and replaces “Don’t allow security codes” as the default setting for new Google Workspace customers.
- Allow security codes with remote access. Users can generate security codes and use them on the same device or local network (NAT or LAN), as well as other devices or networks, such as when accessing a remote server or a virtual machine. The earlier version of security codes was effectively the same as this.
No impact to existing users
This launch won’t change the user experience unless an admin changes a setting in the Admin console. Specifically:
- Users who are currently assigned “Don’t allow security codes” will now be assigned “Don’t allow users to generate security codes” and will still not be able to use security codes.
- Users who are currently assigned “Allow use of security codes” will now be assigned “Allow security codes with remote access” and will be able to use security codes in the same way as before.
Security codes and the Advanced Protection Program for the enterprise
You can control security code use separately for your users in the Advanced Protection Program for the enterprise. Security code settings for those users are determined by controls at Admin console > Security > Advanced Protection Program. Settings for security code use here will override regular settings for those users. Read more about the Advanced Protection Program for the enterprise.
- Rapid Release domains: Gradual rollout (up to 15 days for feature visibility) starting on December 4, 2019.
- Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on December 4, 2019.
Google Workspace editions
- Available to all Google Workspace editions.
On/off by default?
- This feature will be OFF by default and can be customized on the domain, OU, or group level.