Control session length for Google services on the web
What’s new: To protect your organization’s data, we automatically sign any G Suite user out of Google services they’re using on the web (like Gmail and Drive) after two weeks. We’ve heard, however, that some organizations need different durations for different use cases. For instance, if users access work data outside their corporate network, a shorter session length may be warranted. In other cases, a longer session length may be appropriate, and not requiring users to continually enter their password makes for a much better experience.
That’s why we’re giving G Suite Business, Enterprise, and Education admins the ability to specify the duration of web sessions for Google services (e.g. four hours, seven days, or infinite). Unless a user logs out on their own beforehand, they’ll be automatically signed out at the end of that duration and prompted to re-enter their login credentials.
These settings apply to all desktop web sessions, as well as some mobile browser sessions. Native mobile apps, like Gmail for Android and iOS, aren’t impacted by these settings. The settings apply only to domains where Google is responsible for the login (i.e. where Google is the Identity Provider), not to domains that federate to another Identity Provider using SAML. Support for SAML-federated domains will be added in the future.
For more information on specifying session duration for Google services, please see the Help Center.
2-step verification (2SV) frequency
When a user logs into their G Suite account today, they’re given an option to “Remember this computer.” When this box is checked, they’re not prompted for their second factor—even if they log out of their Google session and log back in.
As part of this launch, we’re giving all admins the option either to show their users this checkbox or to present them with a 2SV challenge every time they enter their password.
When “Allow the user to trust the device at 2-step verification” is selected, the checkbox will be displayed. This is the default. When “Do not allow the user to trust the device at 2-step verification” is selected, the user will be forced to undergo a 2SV challenge every time they sign in. These settings can be found in the Admin console under Security > Advanced settings. They have no impact on users who aren’t enrolled in 2SV.