Google lets you to enable 2-step verification on your account. There are three possible scenarios for enabling 2-step verification, and the Google Ads API behavior varies in each case.
Case 1: A user turns on 2-step verification on their own Google account
A user may decide on their own to turn on 2-step verification for their Google account. This affects the OAuth2 interaction as follows:
New OAuth2 authentication
During the OAuth2 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. Once issued, the refresh token can be used to issue access tokens. The API calls made using this access token will work as usual.
Existing refresh token
A refresh token that was issued before the user enabled 2-step verification remains unaffected after the user enables 2-step verification. It can be used to issue access tokens as usual. The API calls made using this access token will work as usual.
Case 2: An administrator requires all users of a Google Ads account to enable 2-step verification
Account administrators can require all users of a Google Ads account to enable 2-Step Verification in order to access the Google Ads account. This affects the OAuth2 interaction as follows:
New OAuth2 authentication
If the user enabled 2-step verification, then during the OAuth2 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. If they didn't enable 2-step verification, then they won't see the 2-step verification prompt. This experience is independent of the setting that the administrator enabled for the Google Ads account.
Once issued, the refresh token can be used to issue access tokens. However, the
API calls made using this access token will fail with an
AuthorizationError.TWO_STEP_VERIFICATION_NOT_ENROLLED
error in the AdWords API and
AuthenticationError.TWO_STEP_VERIFICATION_NOT_ENROLLED
in the Google Ads API until the user enables 2-step verification in their Google
account.
Existing refresh token
A refresh token that was issued before the user enabled 2-step verification
remains unaffected after the user enables 2-step verification. It can be used to
issue access tokens as usual. However, the API calls made using this access
token will continue to fail with an
AuthorizationError.TWO_STEP_VERIFICATION_NOT_ENROLLED
error in the AdWords API and
AuthenticationError.TWO_STEP_VERIFICATION_NOT_ENROLLED
in the Google Ads API until the user enables 2-step verification in their Google
account.
Case 3: Google opts in and requires all users of a Google Ads account to enable 2-step verification
In some cases, Google may opt in and require all users of a Google Ads account to enable 2-step verification. This affects the OAuth2 interaction as follows:
New OAuth2 authentication
If the user enabled 2-step verification, then during the OAuth2 authentication flow, Google prompts the user for 2-step verification before issuing a refresh token. If they didn't enable 2-step verification, then they won't see the 2-step verification prompt. This experience is independent of whether Google opted in the Google Ads account to require all its users to enable 2-factor verification.
Once issued, the refresh token can be used to issue access tokens. The API calls
made using this access token will work as usual. No
TWO_STEP_VERIFICATION_NOT_ENROLLED error is thrown, since the 2-step
verification opt-in was initiated by Google and not by the Google Ads account
administrator.
Existing refresh token
A refresh token that was issued before the user enabled 2-step verification
remains unaffected after the user enables 2-step verification. It can be used to
issue access tokens as usual. The API calls made using this access token will
work as usual. No TWO_STEP_VERIFICATION_NOT_ENROLLED error is thrown, since
the 2-step verification opt-in was initiated by Google and not by the Google Ads
account administrator.