Securing your Google Workspace accounts

Your Google Workspace admin account can reach everything. Lock it down before real work starts, then set the same baseline for everyone.

Step 1: Turn on 2-step verification

  • Admin Console → Security → Authentication → 2-Step Verification.
  • Set it to Enforcement (not just "Allow").
  • Choose a start date (immediate is fine for a new account).
Methods, best first:
  • Security keys (YubiKey and similar): strongest, phishing-resistant.
  • Authenticator app (Google Authenticator, Authy): secure, works offline.
  • SMS: fallback only, weakest (SIM-swap risk) but better than nothing.

Step 2: Add passkeys

Passkeys replace passwords with something phishing-resistant and quicker to use, and they're where authentication is heading.
Enable for the organisation: Admin Console → Security → Authentication → Passwordless → turn On. Set enforcement to Required for the strongest setup, or Optional to let people opt in.
Each user adds a passkey at myaccount.google.com/security → Passkeys, per device.

Step 3: Set recovery options

Recovery is what stops a lockout becoming a disaster, especially for the admin account.
  • Recovery email: an external address, not @yourorg.org, so you're not locked out if Workspace itself has issues.
  • Recovery phone: a number your team can reach.
  • Recovery codes: generate and store them in your password manager.
  • A second super admin: create one for another trusted person, so no single account is a single point of failure.
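Once Steps 1 and 3 are done, check that they actually stuck. The following is an added example, not part of this guide and not Google's code: it reads the JSON that the Admin SDK Directory API returns from users.list (fields such as primaryEmail, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, recoveryEmail, recoveryPhone, suspended) and lists the gaps this guide tells you to close: 2-step verification not enforced or not enrolled, fewer than two super admins, and admin recovery emails that are missing or sit inside your own domain. The users list below is constructed for the example; in practice you would fetch it with the API (e.g. google-api-python-client) and pass the parsed "users" list in. The domain name is the guide's placeholder yourorg.org.

```python
"""Audit Google Workspace users against Steps 1 and 3 of the guide.

Added example (not the guide's or Google's code). Input shape follows the
Admin SDK Directory API users.list response; the sample data is constructed.
"""
import json

ORG_DOMAIN = "yourorg.org"  # assumption: the guide's placeholder domain

# Constructed sample response, shaped like Directory API users.list output.
SAMPLE_RESPONSE = json.dumps({
    "users": [
        {"primaryEmail": "admin@yourorg.org", "isAdmin": True,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
         "recoveryEmail": "admin.backup@example.com",
         "recoveryPhone": "+15555550100", "suspended": False},
        {"primaryEmail": "backup-admin@yourorg.org", "isAdmin": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,
         "recoveryEmail": "it@yourorg.org", "suspended": False},
        {"primaryEmail": "alice@yourorg.org", "isAdmin": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "bob@yourorg.org", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
        {"primaryEmail": "former@yourorg.org", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
    ]
})


def parse_users(raw_json):
    """Return the 'users' list from a users.list JSON response."""
    return json.loads(raw_json).get("users", [])


def audit_users(users, org_domain=ORG_DOMAIN):
    """Return (account, finding) pairs for every gap against Steps 1 and 3."""
    findings = []
    # isAdmin in the Directory API means super administrator.
    active_admins = [u for u in users if u.get("isAdmin") and not u.get("suspended")]
    if len(active_admins) < 2:
        findings.append(("org", "fewer than two super admins (Step 3)"))
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; nothing to check
        email = u["primaryEmail"]
        if not u.get("isEnforcedIn2Sv"):
            findings.append((email, "2-step verification not enforced (Step 1)"))
        if not u.get("isEnrolledIn2Sv"):
            findings.append((email, "not enrolled in 2-step verification (Step 1)"))
        if u.get("isAdmin"):
            recovery = u.get("recoveryEmail", "")
            if not recovery:
                findings.append((email, "admin has no recovery email (Step 3)"))
            elif recovery.lower().endswith("@" + org_domain.lower()):
                findings.append((email, "admin recovery email is inside the org domain (Step 3)"))
            if not u.get("recoveryPhone"):
                findings.append((email, "admin has no recovery phone (Step 3)"))
    return findings


if __name__ == "__main__":
    for account, problem in audit_users(parse_users(SAMPLE_RESPONSE)):
        print(f"{account}: {problem}")
```

Run it against a real export and fix the admin rows first: an admin who is enforced but not enrolled will be prompted at next sign-in, and an admin whose only recovery email is inside the org domain is exactly the lockout case Step 3 warns about.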

Step 4: Set baseline policies

Admin Console → Security → Security settings:
  • Session timeout (8 hours is reasonable).
  • Block less secure apps.
  • Require a password change on first sign-in.

Password rules:
  Password rule         Recommended
  Minimum length        12 characters
  Special characters    Required
  Reuse                 Block last 24
  Expiry                180 days (optional)

Step 5: Let users set a profile photo

Photos help people recognise each other in Gmail and Meet. Enable editing in Admin Console → Directory → Directory settings → Profile editing → Photo. If photos don't appear on Calendar or booking pages, see the profile-photo fix in Setting up Google Workspace.

One level up: single sign-on (SSO)

Once the basics are in place, you may want staff to sign into other tools (Slack, Asana) with their Google account instead of a separate password each. There are real trade-offs. We've written them up: SSO, yes or no?

Common issues

Locked out of the admin account. Use recovery codes, then the recovery email or phone. A second super admin can restore access, which is why Step 3 matters.
Lost 2FA device. Use backup codes, sign in via recovery phone or email, or have the second super admin temporarily disable 2FA, then re-enable it.
Passkey won't work on a new device. Passkeys are per-device. Add the new device's passkey while signed in on an existing one, or use a backup method.

A Moral Fabric pattern, free for any nonprofit to use and adapt.