← All controls

20 Break-glass admin + offline backup codesdraft

A separate admin account, used only in an emergency, whose credential and printed single-use backup codes are held offline. It is kept out of any third-party SSO profile, so an IdP outage or compromise cannot lock you out of your own tenant, and every sign-in to it is alerted on — an account that is never used has no legitimate login. It is the recovery path for every other control here that can lock you out.

Caveats

Setup steps

  1. open ↗
    Admin console screen — Directory > Users (create the break-glass account)

    https://admin.google.com/ac/users · captured 2026-07-15

    Directory › Users

    New user in its own OU; Security > Authentication > SSO profile = None for that OU

    Setting up SSO ↗

  2. Activity rule on login events for this account (Rules, or Reporting > Audit and investigation > Create activity rule); alerts surface in the Alert Center

    Create and manage activity rules ↗

  3. Directory > Users > select the user > Security > 2-step verification > Get backup verification codes; sealed envelope, tamper-evident, split custody

    Recover an account protected by 2-Step Verification ↗

Ongoing maintenance

How to verify

  1. Sign in with the break-glass account using a stored backup code from a clean browser. Re-seal fresh codes afterwards.

  2. Confirm it holds super admin and is excluded from SSO (№15) and CAA (№14) enforcement.

    gam print admins | grep <breakglass-address>

draftv0.1.3Recover policy #3 · #11 ↗