2-Step Verification

A user might decide on their own to turn on 2-Step verification for their Google Account.

After 2-step verification is enabled

During the OAuth 2.0 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. Once issued, the refresh token can be used to generate the access token needed in API calls.

Existing refresh tokens

A refresh token that was issued before the user enabled 2-step verification remains valid after the user enables 2-step verification. The refresh token can be used to issue valid access tokens as usual.

An account administrator can require all users of a Google Ads account to enable 2-step verification on their Google Account.

User enables 2-step verification

During theOAuth 2.0 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. Once issued, the refresh token can be used to generate the access token needed in API calls.

User doesn't enable 2-step verification

During the authentication flow, the user won't see the 2-step verification prompt. This experience is independent of any settings on the Google Ads account.

Once issued, the refresh token can be used to issue access tokens. However, the API calls made using this access token will fail with a TWO_STEP_VERIFICATION_NOT_ENROLLED error until the user enables 2-step verification in their Google Account.

Existing refresh tokens

This rule applies to refresh tokens issued prior to the 2-step verification requirement as well—the refresh token can be used to generate access tokens, but API calls made with these access tokens will fail with a TWO_STEP_VERIFICATION_NOT_ENROLLED error until the user enables 2-step verification in their Google Account.

In some cases, Google might require all users of a Google Ads account to enable 2-step verification on their Google Account.

After 2-step verification is enabled

During the OAuth 2.0 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. This experience is independent of whether Google opted in the Google Ads account to require all its users to enable 2-factor verification.

Once issued, the refresh token can be used to generate the access token needed in API calls as usual.

Existing refresh tokens

A refresh token that was issued before the user enabled 2-step verification remains valid after the user enables 2-step verification. The refresh token can be used to issue a valid access token as usual.

API calls made using this access token won't encounter the TWO_STEP_VERIFICATION_NOT_ENROLLED error because the 2-step verification opt-in was initiated by Google and not by the Google Ads account administrator.