Use this guide to restore access for a user who is locked out of their Google Workspace account because they failed to enroll in 2-Step Verification (2SV) before the enforcement deadline.

Description

This error occurs when the 2SV policy is set to "On" for an organization, but the specific user has zero verification methods enrolled. Generating backup codes acts as a "forced enrollment," satisfying the policy requirement immediately and allowing the user to sign in.

Prerequisites

• Google Workspace Admin Console access.

• The affected user's email address.

• A secure method to communicate the backup code to the user (e.g., phone call, personal email, SMS).

Instructions

1. Log in to the Google Admin Console.

2. Go to Directory > Users.

3. Click the row of the affected user to open their profile.

4. Scroll down and click Security.

5. Click 2-Step Verification.

   Note: The status will likely show "Not Enrolled," which is the cause of the lockout.

6. Click Generate backup verification codes.

   Important: Generating these codes automatically toggles the user's account status to "Enrolled," immediately satisfying the security policy.

7. Copy the codes displayed on the screen.

8. Provide the first code to the user securely.

9. Instruct the user to log in using their password and the backup code.

10. Warning: Direct the user to immediately go to myaccount.google.com > Security and add their phone number or authenticator app to prevent future lockouts once the backup codes run out.

Troubleshooting

• "Limit Exceeded" error: If the console refuses to generate codes, the user's account may be suspended due to suspicious login attempts.

  • Fix: Go to the user's main profile page and click Reactivate (if visible) or check Security > Login challenges to temporarily turn off identity verification.

• User cannot find where to enter code: Tell the user to click Try another way on the login screen if the default prompt is asking for a security key or phone prompt they don't have.