Google: Login challenge

Google employs several techniques and security algorithms in order to keep accounts safe. One such technique is known as a “login challenge”.

If you will be logging into your account from a different computer than usual, or from a different location then you might encounter one of these login challenges.

Before logging into your account you should always check that the login page is genuine, particularly if you have followed a link to access the login page.

When logging into a Google account the web address in your browser’s address bar should begin ‘https://accounts.google.com’. The browser should also display a locked padlock icon.

If this is not the case do not proceed. Instead please contact IT Support for advice:

What is a login challenge?

If Google detects something unusual or suspicious it may trigger a login challenge: an additional step that must be completed in order to login to the account.

This login challenge is designed to prevent unauthorised access to the account, even if the attacker has the correct password for the account.

To avoid being presented with a login challenge you can enable 2-Step Verification on your account:

What does Google consider a suspicious login?

For security, Google do not provide a full breakdown of what may trigger a login challenge. However, we have observed that the following may result in a login challenge:

  • Logging into your Google account on a computer that you have not signed into before
  • Logging into your Google account from a new location
  • Entering an incorrect password several times, before finally entering the correct one

However, there may be several other conditions that result in a login challenge being presented.

What information does the login challenge ask for?

We are aware that the following methods have been used as a login challenge by Google:

  • You are asked to enter your mobile phone number so that you can be sent a code by SMS text message. You must type this code in to complete the login challenge.
  • You are presented with the last few digits of your phone number (if you have previously registered a recovery phone number to your Google account) and you are offered the option to receive a code by SMS text message or automated phone call. You must type this code in to complete the login challenge.
  • If you are already signed into some Google apps on your smartphone you may be asked to open a particular app and tap on specific number on the phone.

However, this list might not be complete and Google may also be using other login challenge methods. Google choose which login challenge is presented based on several factors, but they do not make this information public.

What should I do if I encounter a login challenge?

If you are presented with a login challenge after entering your email address and password the quickest way for you to access your account is to follow the on screen steps to complete the login challenge.

What if I cannot complete the login challenge?

There are scenarios where you may be unable to complete a login challenge in order to access your account, eg:

  • You do not have your mobile phone with you
  • You do not wish to provide Google with your phone number

During working hours (9am - 5pm, Monday to Friday) you can contact IT Support:

Providing that IT Support are able to verify your identity over the phone we can arrange for the login challenge to be temporarily disabled for 10 minutes by one of our Google Admins. This will then allow you to login without being presented with a login challenge.

Can login challenges be permanently disabled on my account?

No, these cannot be disabled permanently. They can only be disabled temporarily for up to 10 minutes by one of our Google Admins.

Can I avoid being presented with a login challenge?

Logging into your account on a device you have used previously means you are less likely to be presented with a login challenge, but this is not guaranteed.

The only way to avoid being presented with a login challenge is to enable 2-Step Verification on your account:

2-Step Verification offers additional protection for your account; even if someone has managed to get hold of your password they still cannot login without the additional security step.

2-Step Verification can be enabled without giving Google your phone number.

To achieve this, choose Security key or Google prompt as your second verification step, and Backup codes or Security key as your backup step.