2-factor authentication provides another layer of security to your Zendesk account by requiring agents and administrators to provide an expirable passcode when signing in.
2-factor authentication can be used by agents or administrators who sign in to your Zendesk using Zendesk authentication. It's not available for agents or administrators who sign in using third-party authentication such as Google authentication services, JWT, or SAML. However, these users might still be able to use third-party 2-factor authentication such as Google 2-Step Verification if you're using Google authentication.
You can require 2-factor authentication for all agents and administrators, or each agent or administrator can set up 2-factor authentication for their own use.
You can use 2-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support 2-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
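Because the REST API does not support 2-factor authentication, integrations that still sign in with an agent's email and password should be identified before 2-factor authentication is required and moved to an API token or OAuth. The following added example (not Zendesk's own code) classifies stored `Authorization` header values by credential type; the integration names and credentials are constructed samples, and `integrations_at_risk` is a hypothetical helper.

```python
import base64
import binascii


def build_token_auth(email: str, api_token: str) -> str:
    """Basic auth value for Zendesk API-token auth: '{email}/token:{api_token}'."""
    raw = f"{email}/token:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def classify_auth(header_value: str) -> str:
    """Return 'oauth', 'api_token', 'password' or 'unknown' for a header value."""
    scheme, _, credential = header_value.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() == "bearer" and credential:
        return "oauth"
    if scheme.lower() != "basic" or not credential:
        return "unknown"
    try:
        decoded = base64.b64decode(credential, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "unknown"  # malformed value: review by hand
    user, sep, secret = decoded.partition(":")
    if not sep or not secret:
        return "unknown"
    # Token auth is marked by the '/token' suffix on the user part.
    return "api_token" if user.endswith("/token") else "password"


def integrations_at_risk(configs: dict) -> list:
    """Integrations using password auth, which stops working once 2FA is required."""
    return sorted(n for n, h in configs.items() if classify_auth(h) == "password")


# Constructed sample data: hypothetical integration names and credentials.
SAMPLE = {
    "shipping-sync": "Basic "
    + base64.b64encode(b"ops@example.com:constructed-password").decode(),
    "reporting": build_token_auth("ops@example.com", "CONSTRUCTED_TOKEN"),
    "chat-bridge": "Bearer CONSTRUCTED_OAUTH_TOKEN",
    "legacy": "Basic not-base64!!",
}

if __name__ == "__main__":
    for name, header in SAMPLE.items():
        print(f"{name}: {classify_auth(header)}")
    print("at risk:", integrations_at_risk(SAMPLE))
```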
Requiring 2-factor authentication on the account
You can require 2-factor authentication for all agents and administrators. Once this setting is enabled, admins and agents will be required to set up two-factor authentication the next time they sign in. We recommend sending them a notification with a link to the Using 2-factor authentication article in the Agents guide.
By default, when you require 2-factor authentication, agents and administrators only have to enter a passcode once every 30 days. They will always be asked for a passcode when they sign in from a different device for the first time.
If agents and administrators want to enter a passcode every time they sign in, they can uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts for a passcode. This option is always available to them in the dialog box; you can't configure it.
To require 2-factor authentication
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- Click the Security icon in the left sidebar, then click Advanced.
- Scroll to Authentication and select Require two-factor authentication.
- Click Save.
Tracking who's using 2-factor authentication
You can generate a CSV spreadsheet listing all the admins and agents in your account and whether or not they're using 2-factor authentication.
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- Click the Security icon in the left sidebar, then click Advanced.
- Scroll to Authentication and click Generate 2fa status report.
- Check your Zendesk email. You should get an email shortly with a link to download the spreadsheet.
Getting a recovery code for somebody else
If an agent or admin exhausts or loses their recovery codes and can't sign in, the account owner can generate a recovery code for them.
- Locate and open the user's profile page. In Zendesk Support, go to Admin > Manage > People, then select the admin or agent.
- On the user's profile page, open the Security Settings tab and click the Show Recovery Code link.
- Copy the code and send it to the agent or admin.
23 Comments
Thanks for this article
Hello,
Is it possible to require 2-factor authentication every time by disabling the "Remember me/Don't ask the next 30 days" option?
Hello Aleksander,
By default, you only have to enter a passcode once every 30 days. Your agents can elect to use 2 factor authentication every time when using the same computer though.
To enter a passcode every time you sign in, uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts you for a passcode. This will require 2-factor authentication every time. This setting is up to the individual user to decide and there are no global controls for this.
You will always be required to use two factor authentication when using a new device though.
Hi,
Password-based authentication to the Zendesk API will be disabled when two-factor authentication is required. - Is there a workaround on this? I integrated Shippit to my Zendesk account and I stopped receiving emails after enabling 2FA.
Thank you
Hi Hemlata,
You should still be able to use OAuth or an API key for this, more details can be found here:
https://developer.zendesk.com/rest_api/docs/core/introduction#security-and-authentication
With GDPR around the corner, one of the things we have to ensure is the security of data - making sure that data isn't available to someone that doesn't need it.
Unfortunately Zendesk has opened up a minefield for us.
Unless I'm mistaken there's no way for an agent to be logged out automatically after a period of inactivity - so if they forget to logout, any personal data in Zendesk is available to anyone that has access to that PC.
I thought that 2FA might address this, by insisting that users were validated on a regular basis, but it seems that the end user can just turn off 2FA on a device for 30 days - so if an agent's laptop were stolen, the thief could have immediate access to any personal data stored in ZD.
Additionally I'm surprised that the mobile app doesn't have any kind of "re-authorisation" - every other app I use that has access to personal data, has the option to re-authorise (via a pin or fingerprint) every time the app gets accessed by the user.
What are others doing about this and what are ZD's recommendations?
Hi David -
For the Zendesk response, please email your question to privacy@zendesk.com. Normally we don't like to make people switch channels for an answer, but since GDPR deals with legal compliance, our legal team has limited the scope of what we can answer about GDPR in the community and has asked that all GDPR-related questions be directed their way.
Hi David Rose
Did you get an answer to your question about the Zendesk APP?
I have the same worries that you have about the APP (and also about the 30-days)
Hi Helle!
I'm going to make the same recommendation as Nicole made to David; send an email over to privacy@zendesk.com and they'll be able to address your specific concerns directly!
I have got this information from legal:
Daniele Longo (Zendesk Legal)
Sep 12, 14:06 IST
Dear Helle,
I checked with the product team: the app, like many mobile apps, relies on the mobile user to gate access at the device level (i.e. passcode, biometrics, etc.). Our customer base are varied and not all have use cases which digest lots of sensitive info (beyond PII). The mobile app is also for Agent use only and can be restricted.
However, there is no 2-factor authentication process as of today. Our product team is however investigating whether we should implement such a measure in the future.
Hope that helps.
Best Regards,
Daniele Longo
Thank you for coming back and sharing what you found out, Helle!
Hello - I can't find the link to "Download 2fa status" on the relevant page in the Admin Centre. Has this feature been removed for a reason?
Hey Kate,
We actually have a note on this article that states 2FA Status feature is temporarily unavailable so you wouldn't see it on your end quite yet.
This article will be updated once the feature is available again :)
Thanks!
Hello Zendesk,
When will this be available again? This is somewhat a security issue. Even with the option enabled that enforces 2FA, it's not ensured because of the way Zendesk integrated the session handling.
Please push this through to the dev team, this is a security issue.
Best regards,
Sebastian
Hello Sebastian,
We are still working on a solution regarding our 2FA being temporarily unavailable. Once we have this back online, this article will be updated, but in the interim, we appreciate your understanding.
Hello all...
I am wanting to enable 2FA on my platform today, but after reading this I need to know if 2FA is even available?
Given that the last update above is 3 months old (and there is no mention here that it's fixed yet as mentioned), can we get an update here if this is fixed/available now?
Thanks,
Steve
Hi Steve -
2FA is now available.
Dear All,
We enabled 2FA and some of my users added the 2FA to the DUO app. For some reason they deleted the account on the app and now they can't re-add the account as the QR code is not popping up again. Is there a way to reset the process so they can start the account adding again?
Regards
Steve
Is there a way to turn off the possibility for agents to turn off 2FA every time when logging in? This is really a problem for us for security concerns.
I asked the same; there is no way, the session is just very long. At least the 2FA enforcement helps with computers that aren't used by agents, but the agent computers themselves should be encrypted to prevent access. And agent rights restricted through roles.
But yes, not very optimal right now.
We are just starting to have our agents use MFA. I don't see any options for an admin to disable MFA for a user having an issue logging in. So recovery codes being the only option I see, must be fool proof?
Also, after a user has set up MFA themselves, if they do the process again and pick a different option like wanting to switch which phone app they use or switch from phone app to SMS messaging, does it automatically disable the previous method? If not, that could get messy.
Thanks,
Hello Eric,
Right now, as the base product stands, this is not possible. I would recommend posting this in our product feedback forums so our developers can consider this for a future update.
Best regards.
The control over requiring 2FA every time agents log in is required by our security department (banking). To keep the option at agents' decision to delay for 30 days is not sufficient. There should be a global setting to disable it.