Using 2-factor authentication

Comments

  • Jeannie Finks

    Hi @Ankit

    A few questions:

    1)
    Under your section "Using your recovery codes", when an agent has lost their recovery codes, you mention that the user should "get another set by disabling and enabling 2-factor authentication." From what I can see, the user can only do that by logging in. But if they are locked out/can't log in, how can they do that then? What would be the recommended approach to take?

    2)
    Note: in the Admin/Security area, "disabling and enabling 2-factor authentication" for the actual Zendesk subscription, I would note in a few places that if an admin does this (goes from enabled to disabled), you're actually resetting it and will blow away every enabled user's config, so they all have to re-enable from scratch (e.g. you're not keeping state).

    3)
    Feature requests? Many of my agents have offered:
    a) "Having to re-enter the TFA code every 14 days is annoying, make it at least 30 days (on the same device) or configurable on the subscription like Zendesk password options."
    b)
    https://www.evernote.com/shard/s60/sh/8db28e5f-dc1a-40df-8bf9-059885ef7024/420ea813607f321ca00f2355656abd22

    Because TFA is quickly becoming commonplace, many chimed in on this:
    "If they named their app better, then I would be able to find it in my sea of TFA codes (I have over a dozen now). The Zendesk TFA code is the bottom one, but at no point does it mention the word Zendesk. This is really confusing."

    Thanks Ankit!

  • Ankit Garg

    Hi @Jeannie
    1) There are a few options here. If you used the "stay signed in" option on a trusted computer, you should be able to log in without being prompted for a 2FA code. You can also reach out to Zendesk support for help in the event you are totally locked out.

    2) That is right. We will update our documentation to reflect this. Would you expect this to work differently? If so, can you explain the use case some more and the expected behavior for it?

    3) a) Thanks for the suggestion. We are thinking of separating the "stay signed in" into 2 pieces. One piece will apply to not being prompted for password for 14 days. Second piece will be not being prompted for 2FA code for 30 days.

    3) b) I assume you mean when you use app-based 2FA and scan the barcode. We currently use the account name, but I agree we could add Zendesk in there.

  • Jeannie Finks

    1) Thanks for clarification.

    2) I think any time there's an enable/disable where resets are happening that would cause an impactful consequence, communicating/confirming the potential result makes it very clear. A use case for an admin is where their user is totally locked out: if one were to "disable the TFA", their user could log back in, and then the admin re-enables TFA. More of an on/off state vs. a reset. The affected user, now logged in, would then disable their own TFA and reset themselves, since the admin cannot do it on a user-by-user basis.

    3)
    a) Sounds good!
    b) Yes, on the app-based 2FA/barcode scan method. My assumption is that the ZD account name might be named after the customer company, and the company can have its own profiles; hence the suggestion of Zendesk-<account name>.

    Thanks for listening Ankit!

  • Corey Edwards

    Zendesk, while I greatly appreciate that you are among the ever-growing number of services providing 2FA as part of your product, I beseech you to consider adding the following improvements to your implementation to bring your offering on par with the rest of those offering 2FA:

    1) Offer the ability to download and generate new recovery codes without disabling and re-enabling 2FA, and through a medium besides the 2FA confirmation email.

    2) When disabling 2FA for your own account, it would be wise to require the entry of a OTP code or a recovery code, to prevent fraudulent/accidental account changes.
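The three mechanics argued over in this thread (an app entry that names the issuer rather than only the account, recovery codes that can be rotated without disabling 2FA, and a disable step that demands a second-factor proof) are small enough to show in one place. The following is an added example written for this page, not Zendesk's implementation: the class and function names, the "Zendesk" issuer string, the 64-bit hyphenated recovery-code format and the one-step skew window are all assumptions.

```python
"""Added example, not Zendesk's code: a minimal authenticator-app 2FA
enrolment showing the three points raised in the thread.  Names, the
"Zendesk" issuer string and the recovery-code format are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "") -> str:
    """The otpauth:// URI the enrolment QR code encodes.  Apps display the
    label; with no issuer the entry reads only as the account name, which is
    the "it never says Zendesk" complaint.  The issuer goes in both the label
    prefix and the issuer= parameter because apps differ in which they read."""
    label = f"{issuer}:{account}" if issuer else account
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = f"otpauth://totp/{quote(label)}?secret={b32}"
    return uri + (f"&issuer={quote(issuer)}" if issuer else "")


class TwoFactor:
    """Per-user 2FA state: TOTP secret plus hashed, single-use recovery codes."""

    def __init__(self, account: str, issuer: str = "Zendesk", secret: bytes = b""):
        self.account = account
        self.issuer = issuer  # assumed issuer string for the app label
        self.secret = secret or secrets.token_bytes(20)
        self.enabled = True
        self._code_hashes = set()  # only hashes are stored, never the codes

    def qr_uri(self) -> str:
        return provisioning_uri(self.secret, self.account, self.issuer)

    @staticmethod
    def _hash(code: str) -> str:
        # Codes carry 64 random bits, so a fast hash is enough: an offline
        # guess from a leaked table still needs ~2^64 tries.  A user-chosen
        # password would need a slow KDF instead.
        return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()

    def new_recovery_codes(self, n: int = 10) -> list:
        """Rotate recovery codes WITHOUT touching the TOTP secret: the user keeps
        their app entry, and every previously issued code stops working here."""
        plain = ["-".join(secrets.token_hex(2) for _ in range(4)) for _ in range(n)]
        self._code_hashes = {self._hash(c) for c in plain}
        return plain  # shown or downloaded once; afterwards only hashes remain

    def remaining_codes(self) -> int:
        return len(self._code_hashes)

    def redeem_recovery_code(self, code: str) -> bool:
        """Each code works exactly once."""
        h = self._hash(code)
        if h in self._code_hashes:
            self._code_hashes.discard(h)
            return True
        return False

    def verify_totp(self, code: str, at=None, window: int = 1) -> bool:
        """Accept the current step plus `window` steps either side for clock skew."""
        at = int(time.time()) if at is None else at
        return any(hmac.compare_digest(totp(self.secret, at + k * 30), code.strip())
                   for k in range(-window, window + 1))

    def disable(self, proof: str, at=None) -> bool:
        """Turning 2FA off requires a live OTP or an unused recovery code, so a
        hijacked browser session cannot silently strip the second factor."""
        if self.verify_totp(proof, at) or self.redeem_recovery_code(proof):
            self.enabled = False
            self._code_hashes.clear()
            return True
        return False
```

`new_recovery_codes` is the operation Corey asks for in point 1: it replaces the stored hashes and hands back fresh plaintext codes once, while the TOTP secret and the user's app entry survive. `disable` is point 2: the same proof the login step would accept gates the downgrade. The `totp` function reproduces the RFC 6238 SHA-1 test vectors, so the secret `12345678901234567890` at time 59 yields `287082` (the last six digits of the RFC's `94287082`).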

  • Maxim Oliynyk

    By the way, you can use a hardware token (card form factor) with Zendesk:

    https://www.protectimus.com/slim-mini/

  • Nicole Relyea

    Hey Maxim,

    Welcome to the Zendesk Community, and thanks for sharing.
