Modified 07 March 2017 by Ian Weatherhogg

Google is starting to use login challenges to protect against suspicious logins to Google Apps in the fight against account hijackers.

Along with measures such as 2-Step Verification, Google is continually improving security features to protect individuals and companies from attacks. Account hijacking is the practice of obtaining a valid user-id and password pair to enable a bad-guy to access your account.

To combat this, Google has rolled out login challenges:

“If we detect that an unauthorized person is attempting to access a user's account, we will present them with a Login Challenge that asks the person to verify their identity… we might send an SMS with a verification code to the user's phone and ask them to enter this code before we grant access to their account”

In order to utilise the SMS code method, Google needs to keep a record of a user’s mobile phone number. Therefore, in recent weeks users have been offered the opportunity to add their verified mobile phone number via an interstitial page. Other methods for verification are also offered. Google Apps administrators have the option to temporarily disable login challenges for specific user accounts; however, login challenges cannot be disabled across a whole domain.

We think login challenges are a great idea and should be appreciated as an effective method to combat the bad-guys.

Users with 2-Step Verification enabled will not be affected by this launch and will not see the interstitial to set up their phone number. Users logging in through SSO may see the interstitial to set up their phone number, but will not be challenged to verify their identity at this time. This feature will be slowly rolling out to Rapid and Scheduled release domains in the coming weeks.

See the help page for more information and a very good FAQ.