If you sign in to Zendesk using standard Zendesk authentication, you can turn on 2-factor authentication. 2-factor authentication makes it difficult for somebody else to sign in as you. After you enter your password as usual, you'll be asked to enter a 6-digit passcode. You can get the passcode from a text message (SMS) or from a 2-factor authentication app installed on your mobile device.
If you want to get your passcodes from a 2-factor authentication app, install one on your mobile device before enabling 2-factor authentication in Zendesk Support. 2-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
By default, you only have to enter a passcode once every 30 days. You can choose to enter a passcode every time you sign in.
An admin can require 2-factor authentication for all agents and administrators, though the admin can't set it up for them. You'll need to set it up the next time you sign in, as described in Enabling 2-factor authentication below. Even if it's not a requirement, you can still set up 2-factor authentication for your own use.
Enabling 2-factor authentication
- In the Zendesk Support agent interface, click your user icon in the upper right and select View Profile Page.
- Open the Security Settings tab.
- In the Enable Two-factor Authentication section, click Enable.
A dialog box appears with two options to get the passcodes.
- Depending on how you want to get your passcodes when you sign in, select Use mobile app or Use SMS, and follow the onscreen instructions. For more information, see the two sections that follow.
Configuring a 2-factor authentication app
Make sure a 2-factor authentication app is installed on your mobile device. Examples include Google Authenticator, Authy, Symantec VIP, and Duo Mobile.
- If not already done, choose Use Mobile App in the Enable two-factor authentication dialog box in Enabling 2-factor authentication.
A dialog box showing a QR code and a secret key appears.
- Start the 2-factor authentication app on your device, select the option to add an entry, and point your device's camera at the QR code (the blocky square) on the Zendesk dialog box in your browser window.
The mobile app might refer to this action as Scan Barcode.
The app should automatically scan the QR code and generate a passcode. If you have trouble scanning the QR code, you can manually enter the secret key that's provided.
Note: Scanning the barcode is a one-time-only step.
- In the Zendesk dialog box in your browser, click Next to go to step 2 of the configuration process, enter the 6-digit passcode generated by the app, and click Verify.
A notification email is sent to your email address.
- Download your recovery codes from the notification email. If you lose your phone or can't access your device for any reason, the recovery codes are the only way to access your account again. See Using your recovery codes below.
From now on when you sign in, you can get a valid passcode by simply opening a 2-factor authentication app on your device. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
The app doesn't need an Internet connection to display valid passcodes.
Configuring text messages (SMS)
- If not already done, choose Use SMS in the Enable two-factor authentication dialog box in Enabling 2-factor authentication.
- Enter a phone number that can receive text messages and click Next.
A text message will be sent to the number shortly.
Note: The phone number must be in E.164 format.
- Enter the 6-digit code sent to you and click Verify.
- Download your recovery codes from the notification email you receive after enabling 2-factor authentication. If you lose your phone or can't access your device for any reason, recovery codes are the only way to access your account again. See Using your recovery codes below.
From now on when you sign in, you can get a valid passcode from a text message sent to your phone.
Changing how often you enter a passcode
By default, you only have to enter a passcode once every 30 days. You'll always be asked for a passcode when you sign in from a different device for the first time.
To enter a passcode every time you sign in, uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts you for a passcode.
Disabling 2-factor authentication
If 2-factor authentication is not a requirement but you enabled it anyway, you can disable it as follows:
- In the Zendesk Support agent interface, click your user icon in the upper right and select View Profile Page.
- Select the Security Settings tab, then click Edit in the Two-factor Authentication section.
- Click the link on the lower side of the screen to turn off 2-factor authentication.
Using and getting more recovery codes
If you lose your phone or can't access your device for any reason, you can use one of your recovery codes to access your account again. You can only use each code once.
- When prompted for a passcode at sign-in, enter one of your recovery codes.
If you use up all your codes, you can ask an admin in your Zendesk account to get a recovery code for you. Refer the admin to Getting a recovery code for someone else.
Once you're signed in, you can get another set of recovery codes from your user profile page as follows:
- In the Zendesk Support agent interface, click your user icon in the upper right and select View Profile Page.
- Open the Security Settings tab and click Download Recovery Codes.
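The two properties the article states about recovery codes, that each one works only once and that downloading a new set replaces the old one, are what a server has to enforce. The following is an added example, not Zendesk's implementation: it generates a set of random codes, stores only their hashes, redeems a code once, and reissues a fresh set that invalidates the previous one. Class and method names are this example's own.

```python
"""Single-use recovery codes: generate, store hashed, redeem once, reissue.

Added example; not Zendesk's code. Names are this example's own.
"""
import hashlib
import hmac
import secrets


def generate_recovery_codes(count: int = 10, nbytes: int = 5) -> list:
    """Return `count` random codes of 2*nbytes hex characters (40 bits each by default)."""
    return [secrets.token_hex(nbytes) for _ in range(count)]


def hash_code(code: str) -> str:
    """Normalise user input, then hash. Codes are high-entropy, so a fast hash is acceptable;
    a user-chosen secret would need a slow password hash instead."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class RecoveryCodeStore:
    """Per-user store holding only hashes of the codes that have not been used yet."""

    def __init__(self, codes: list):
        self._unused = {hash_code(c) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once: on success its hash is deleted before returning."""
        candidate = hash_code(submitted)
        for stored in list(self._unused):
            # compare_digest keeps the match check constant-time per entry
            if hmac.compare_digest(stored, candidate):
                self._unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)

    def reissue(self, count: int = 10) -> list:
        """Replace the whole set; every previously issued code stops working."""
        fresh = generate_recovery_codes(count)
        self._unused = {hash_code(c) for c in fresh}
        return fresh


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]))     # True
    print("second use:", store.redeem(codes[0]))    # False, already consumed
    print("left:", store.remaining())               # 9
    new_codes = store.reissue()
    print("old code after reissue:", store.redeem(codes[1]))   # False
    print("new code:", store.redeem(new_codes[0]))             # True
```

The point of storing hashes rather than the codes is the same as for passwords: a copy of the database does not hand an attacker a way past 2-factor authentication. Deleting the hash before returning success is what makes the code single-use even if two sign-in attempts race.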
11 Comments
Hi @Ankit
Few questions:
1)
Under your section: "Using your recovery codes" when an agent has lost their recovery codes, and you mention for the user to "get another set by disabling and enabling 2-factor authentication." From what I can see, the user can only do that by logging in. But if they are locked out/can't log in, how can they do that then? What would be the recommended approach to take?
2)
Note in the Admin/Security area, "disabling and enabling 2-factor authentication" for the actual Zendesk subscription, I would note in a few places that if an admin does this (go from enable to disable), you're actually resetting it and will blow away any enabled user's config so then they all have to re-enable from scratch (eg you're not keeping state).
3)
Feature requests? Many of my agents have offered:
a) "Having to re-enter the TFA code every 14 days is annoying, make it at least 30 days (on the same device) or configurable on the subscription like Zendesk password options."
b)
https://www.evernote.com/shard/s60/sh/8db28e5f-dc1a-40df-8bf9-059885ef7024/420ea813607f321ca00f2355656abd22
Because TFA is quickly becoming commonplace, many chimed in on this:
"If they named their app better, then I would be able to find it in my sea of TFA codes (I have over a dozen now). The Zendesk TFA code is the bottom one, but at no point does it mention the word Zendesk. This is really confusing."
Thanks Ankit!
Hi @Jeannie
1) There are a few options here. If you used the "stay signed in" option on a trusted computer, you should be able to log in without being prompted for a 2FA code. You can also reach out to Zendesk support for help, in the event you are totally locked out.
2) That is right. We will update our documentation to reflect this. Would you expect this to work differently? If yes can you explain the use case some more and expected behavior for the use case?
3) a) Thanks for the suggestion. We are thinking of separating the "stay signed in" into 2 pieces. One piece will apply to not being prompted for password for 14 days. Second piece will be not being prompted for 2FA code for 30 days.
3) b) I assume you mean when you use an app based 2FA and you scan the barcode. We currently use the account name but I agree we could add Zendesk in there.
1) Thanks for clarification.
2) I think anytime there's an enable/disable where resets are happening that would cause an impactful consequence, communicating/confirming the potential result makes it very clear. A use case for an admin is where their user is totally locked out: if one were to "disable the TFA", their user could log back in, and then the admin re-enables TFA. More of an on/off state vs. reset. The affected user, now logged in, would then disable their own TFA and reset themselves, since the admin cannot do it on a user-by-user basis.
3)
a) Sounds good!
b) Yes on app-based 2FA/barcode scan method. My assumption is that the ZD account name might be named after the customer company and the company can have its own profiles; hence the suggestion on Zendesk-<account name> .
Thanks for listening Ankit!
Zendesk, while I greatly appreciate that you are among the ever-growing number of services providing 2FA as part of your product, I beseech you to consider adding the following improvements to your implementation to bring your offerings on par with the rest of those offering 2FA:
1) Offer the ability to download and generate new recovery codes without disabling and re-enabling 2FA, and through a medium besides the 2FA confirmation email.
2) When disabling 2FA for your own account, it would be wise to require the entry of a OTP code or a recovery code, to prevent fraudulent/accidental account changes.
By the way, you can use hardware token (card form-factor) with Zendesk:
https://www.protectimus.com/slim-mini/
Hey Maxim -
Welcome to the Zendesk Community, and thanks for sharing.
Hi,
I have set up 2FA on our sandbox and am testing with the SMS code. After 30 days, do you need to re-enter your phone number, or does Zendesk remember it?
Do you support third party 2FA devices like Yubico, Gemalto, or RSA SecurID?
Hi Gurunn,
Zendesk will remember your phone number in the 2FA settings, even after 30 days.
Hi Matthew,
At this time, we do not currently support third party 2FA devices like the ones that you mentioned.
FWIW -- Lastpass Authenticator is compatible with Google Authenticator, and unlike the latter migrates painlessly to a new phone (via your encrypted Lastpass cloud storage). I switched authenticators about a year ago and have no regrets.