Difficulty with backup codes

sleeciambra
New Contributor II

I'm setting my staff up with 2FA one department at a time. I have some staff who prefer not to use their phone and prefer not to have a YubiKey, so they generated backup codes to turn on 2FA. It worked for several people so far, then I had two staff members who couldn't do it. When they click on "show more options" it only gives them the option of selecting a security key or Google prompt. I spent hours talking to Google support, and they said that you cannot generate backup codes without inputting a phone number first. I'm aware that it is true as an admin in GAC, but this was from within the person's account and I watched several people do it. I could also recreate it for support using a test account. All of my staff are in the same OU, and I'm stumped. Has anyone else ever encountered this? Is Google support right and the people who can do it are the anomalies? Any help is appreciated.

4 REPLIES

NielsBrockmeier
Contributor

Yep, same issue here. We have set them up with the main phone number of our school. After they created backup codes we removed the phone number from their profile and they went on their merry way. It's annoying, but for the handful that didn't want to use their phone number, only half had this issue, so this was the easiest setup. However, in the end most did eventually end up adding their phone number when they noticed the problems of not generating backup codes in time and losing the paper with them on it from their wallet.

Kim_Nilsson
Admin Moderator

You can create the first set of backup codes for them!

Go to their user card in the admin console and add your YubiKey to their account.

Or if you have Forced 2FA, you don't need to add your YubiKey, you can just click to create a number of codes.

As soon as they have a bunch of codes, they can log in and create new codes for themselves.

Make sure to tell them they have to create new codes well in advance, as your job isn't to create new codes for them.

--
https://wheretofind.me/@NoSubstitute

sleeciambra
New Contributor II

Thanks for your replies, I appreciate it.

I learned an interesting thing today. The people who can't get backup codes are people who don't have their email on another device. I happen to be one of them (I only have my work email on my work computer), so today I did a test. I added my work email to the Gmail app on my phone. Then I went back to my work computer and was able to generate backup codes instead of putting in a phone number. Even after I removed the email from my phone, the account continued to be enrolled in 2FA and still requires a backup code to sign in.

It's a workaround, not a solution, but I do feel better now that I understand why different accounts behave differently.

With forced 2FA on first logon it's not possible to add the account on a second device.

So having an admin create the backup codes is still the best solution to get a new person up and running, without compromising security.

--
https://wheretofind.me/@NoSubstitute