Problem
By default, new Google Workspace tenants now enforce required 2-Step Verification (2SV) for all users. Users are only given one week to enable and set up 2-Step Verification from the date of their account creation, which can create serious headaches in a situation like migrating to Google Workspace (where users might not have access within a week of their account creation to set up 2-Step Verification).
Before the 1 week enrollment period ends, users are presented with a “speedbump” where they’re prompted to configure 2-Step Verification. However, users may choose to ignore the speedbump and continue without setting up 2-Step Verification. When that happens and the enrollment period lapses, a cryptic error will appear at sign-in:
This error is already confusing, and considering it prevents end-users from signing into Google Workspace, can be frightening for users too. To make matters worse, the Admin Console doesn’t have any indication that the user’s 2SV enrollment period lapsed, nor does it provide an obvious solution.
Solution
Naturally, it’s not possible for admins to configure most 2SV factors on behalf of end users. However, the one factor that admins can configure on behalf of users is backup codes. This is exactly what needs to be done to recover the end-user account and allow the user to log in.
In the Google Workspace Admin Console, find the end-user’s Google Workspace account, and select the “Security” card. Under 2-Step Verification, there’s a button to “Get Backup Verification Codes”. Clicking this button will enable 2SV on the end-user’s account (preventing the account’s login from being blocked by the org-wide 2SV enforcement policy), and it will also immediately provide a set of codes that the user can enter at the 2SV prompt when they attempt to log in.
Once the backup codes have been retrieved, the user will see a new interface at login:
Provide the user with a backup code, and they should be able to enter it at the 2SV prompt and log in successfully. Note that users may not be prompted to set up another 2SV factor (like a security key or Google Prompt), so they should be reminded to do so after signing in successfully – that way, you won’t have to get backup codes for them every time they try to log in!