# 20 Break-glass admin + offline backup codes

> DRAFT · v0.1.3 · role: Recover · [policy: #3 · #11](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A separate admin account, used only in an emergency, whose credential and printed single-use backup codes are held offline. It is kept out of any third-party SSO profile, so an IdP outage or compromise cannot lock you out of your own tenant, and every sign-in to it is alerted on — an account that is never used has no legitimate login. It is the recovery path for every other control here that can lock you out.

Documentation: [Security best practices for administrator accounts](https://knowledge.workspace.google.com/admin/users/security-best-practices-for-administrator-accounts)

## Caveats

- Backup codes are single-use and printed once — reprinting invalidates the old set, so reseal and re-log custody every time (tamper-evident custody №35, split custody №36).
- A break-glass account with no alert on its use is just a second super admin.
- Exempt it from the policies you enforce elsewhere (SSO №15, Context-Aware Access №14, 'only security key' №7) — the account exists precisely for the day one of those is what broke.

## Setup steps

1. Create a dedicated super-admin account that is excluded from third-party SSO, so an IdP outage or compromise cannot lock you out of your own tenant. — `Directory › Users`

   New user in its own OU; Security > Authentication > SSO profile = None for that OU

   docs: [Setting up SSO](https://knowledge.workspace.google.com/admin/apps/setting-up-sso)

2. Set up alerting on any use of this account — see [2 Alert recipient hygiene + suspicious-login alerts](alert-recipient-hygiene.md) and [61 Audit-the-auditors alerting](audit-the-auditors.md). An unused break-glass account that logs in is either you or an incident.

   Activity rule on login events for this account (Rules, or Reporting > Audit and investigation > Create activity rule); alerts surface in the Alert Center

   docs: [Create and manage activity rules](https://knowledge.workspace.google.com/admin/security/create-and-manage-activity-rules)

3. Generate and print the single-use backup codes, then store the printout sealed offline. Reprinting invalidates the old set — reseal and re-log custody every time.

   Directory > Users > select the user > Security > 2-step verification > Get backup verification codes; sealed envelope, tamper-evident, split custody

   docs: [Recover an account protected by 2-Step Verification](https://knowledge.workspace.google.com/admin/security/recover-an-account-protected-by-2-step-verification)

## Ongoing maintenance

- **[requires a human]** Quarterly: repeat the sign-in drill and re-seal fresh backup codes; log the drill.

## How to verify

1. Sign in with the break-glass account using a stored backup code from a clean browser. Re-seal fresh codes afterwards.

2. Confirm it holds super admin and is excluded from SSO ([№15](sso-saml-idp.md)) and CAA ([№14](caa-basic.md)) enforcement.

   ```
   gam print admins | grep <breakglass-address>
   ```

## Settings screens

- Directory > Users (create the break-glass account)
  - console: https://admin.google.com/ac/users
  - screenshot: ../screenshots/admin.google.com/ac/users.png
