Two-factor authentication provides another layer of security to your Zendesk account by requiring team members or end users to provide an expirable passcode when signing in.
Two-factor authentication applies to users who sign in to your Zendesk using Zendesk authentication (email and password). It's not available for users who sign in using third-party authentication such as Google authentication services, JWT, or SAML. However, these users might still be able to use third-party two-factor authentication such as Google 2-Step Verification if you're using Google authentication.
You can require two-factor authentication, or each user can set up two-factor authentication for their own use.
Important considerations before turning on two-factor authentication
- You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
- Requiring two-factor authentication turns off password-based authentication to the Zendesk API. Zendesk recommends moving to another authentication method for API calls as soon as possible because password access will be removed in December 2025.
Requiring two-factor authentication on the account
You can require two-factor authentication for all team members, all end users, or both user types. Once this setting is turned on, users will be required to set up two-factor authentication the next time they sign in.
- For admins and agents: Using two-factor authentication to sign in to Zendesk Support
- For end users: Accessing help center with two-factor authentication
By default, when you require two-factor authentication, users only have to enter a passcode once every 30 days. They will always be asked for a passcode when they sign in from a different device for the first time. If users want to enter a passcode every time they sign in, they can uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts for a passcode. They always have this option available in the dialog box; you can't configure it.
To require two-factor authentication
- In Admin Center, click
Account in the sidebar, then select Security > Advanced. - Click the Authentication tab.
- Select the options that apply:
- Require two-factor authentication (2FA) for team members
- Require two-factor authentication (2FA) for end users
- Click Save.
Tracking who's using two-factor authentication
You can generate a CSV spreadsheet listing all the admins and agents in your account and whether or not they're using two-factor authentication. This option is not available to track end users.
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- Click the Authentication tab.
- Click Generate 2FA status report.
- Check your Zendesk email. You should get an email shortly with a link to download the spreadsheet.
Getting a recovery code for somebody else
If an agent or admin exhausts or loses their recovery codes and can't sign in, a Zendesk admin or the account owner can generate a recovery code for them. See Getting recovery codes for team members locked out of their accounts.
Recovery codes can't be provided to end users. If an end user exhausts or loses their recovery codes and can't sign in, they must create a new account to regain access.
21 comments
Kevin Adkins
With this new enhancement -
Announcing the ability to require two-factor authentication for end users
Are we going to get a 2FA status report option for end-users?
admin-→account-→ security-→ advanced-→ authentication
0
Lilibic Barco
I cannot join slack. It says “To join this workspace, you’ll need to ask the person who originally invited you for a new link.”
0
changim shin
복잡해요
0
Audrey Ann Cipriano
Hi 6663891008026 welcome to our Community!
To confirm, are you NOT receiving the code and you are unable to log in? If so, can you try to follow the instructions below to see if it'll work?
1. Search your email inbox for any recovery codes that were sent to you previously and use them to log in.
2. If you are not able to locate any recovery codes, reach out to the owner of your account as they are able to generate additional codes for you.
If this won't work, kindly contact us via Messaging for assistance, be advised that an owner on the account will need to give permission for us to take further action.
More info here: I use 2-factor authentication and am locked out of my account.
Hope this helps!
3
George Awuah
Hello Zendesk Team,
Please when I want to sign-in and I am asked for my two-factor authentication code I actually do receive the code to enable me log in. This has persisted for weeks. Kindly support
1
Regina Giuliani
I agree with Troy. Admins should be able to mandate the use of 2FA and turn off the don't ask again for 30 days. That goes against our corporate security policy as well.
4
Eckhard Doll
I agree with Troy that the choice whether the 2FA needs to be made for every login or after those 30 days should be up to the admins.
4
Troy Johnston
Hi Christine, Zendesk,
This is a significant security flaw in Zendesk implementation of 2FA. 2FA ought to be bundled with ability for administrator to mandate use of 2FA with every login event. Leaving this up to the user breaks our security rules (and we are just a tiny company).
This leaves us exposed to hacking.
What we dont understand is the Sessions can clearly be set to expire.... and yet this does not sign out the user? Or properly kill the session. The implementation is flawed, unfortunately.
Will Zendesk take this seriously and implement an Admin enforcement? This should never be a user decision.
7
Christine
It is not possible to configure 2FA to be required every login. The "Don't ask again on this computer for 30 days" option is up to the individual user to decide and there are no global controls for this.
Although you cannot remotely reset user sessions, you can do that with the usage of Sessions API. The Sessions API lets you view who is currently signed in. It also lets you terminate one or more sessions. Terminating a session sign out the user.
3
Matt Newnham
Can 2FA login be required on every login? I know there is a way for users to change a checkbox that will then require 2FA on every login but I need to make it mandatory for everyone.
5
Sign in to leave a comment.