This guide explains the common security requirements for Google Ads and Google Ads API users.
2-step verification requirements
2-step verification or 2SV, also known as Multi-factor authentication or MFA, is an important security measure. In addition to your password, 2SV requires another proof of identity, known as an authentication factor, to successfully sign in to an account. Requiring a second factor makes it significantly harder for unauthorized users to breach your account, as a compromised password alone is not enough to gain access.
Google Ads API requirements
The Google Ads API requires 2SV for all its users following the user authentication workflow to generate new OAuth 2.0 refresh tokens. Users will always be challenged with a second factor for authentication in addition to a username and password.
If the user doesn't have 2-step verification enabled, they will be prompted to add a 2-step verification method.
Existing OAuth refresh tokens are not affected by this policy. They will continue to work as usual, and users won't be prompted for reauthorization when obtaining OAuth access tokens.
Google Ads requirements
Google Ads supports manager account security mandates that let a manager account administrator enforce minimum security settings on all current and future sub-accounts that a manager account has administrative ownership over. One such policy lets the administrators of manager accounts require that users of owned sub-accounts enable 2-step verification on their accounts to login.
Existing OAuth refresh tokens are not affected by this policy, other than for calls to the Google Ads API. These tokens will continue to work as usual, and users won't be prompted for reauthorization when obtaining OAuth access tokens. However, Google Ads API calls will fail with a TWO_STEP_VERIFICATION_NOT_ENROLLED error until the user enables 2-step verification in their Google Account.