20 Break-glass admin + offline backup codesdraft
A separate admin account, used only in an emergency, whose credential and printed single-use backup codes are held offline. It is kept out of any third-party SSO profile, so an IdP outage or compromise cannot lock you out of your own tenant, and every sign-in to it is alerted on — an account that is never used has no legitimate login. It is the recovery path for every other control here that can lock you out.
Documentation: Security best practices for administrator accounts ↗
Caveats
Setup steps
- open ↗

https://admin.google.com/ac/users · captured 2026-07-15
Directory › UsersNew user in its own OU; Security > Authentication > SSO profile = None for that OU
-
Activity rule on login events for this account (Rules, or Reporting > Audit and investigation > Create activity rule); alerts surface in the Alert Center
-
Directory > Users > select the user > Security > 2-step verification > Get backup verification codes; sealed envelope, tamper-evident, split custody
Ongoing maintenance
- requires a human Quarterly: repeat the sign-in drill and re-seal fresh backup codes; log the drill.
How to verify
draftv0.1.3Recover policy #3 · #11 ↗