English (US)
  1. Zendesk help
  2. Support
  3. Using Support
  4. Agent guide for Support

Using 2-factor authentication

Charles Nadeau
  • Edited

all plans

Fastpath: Agent UI > User Avatar > View Profile Page > Security Settings

If you sign in to Zendesk using standard Zendesk authentication, you can turn on 2-factor authentication. 2-factor authentication makes it difficult for somebody else to sign in as you. After you enter your password as usual, you'll be asked to enter a 6-digit passcode. You can get the passcode from a text message (SMS) or from a 2-factor authentication app installed on your mobile device.

If you want to get your passcodes from a 2-factor authentication app, install one on your mobile device before enabling 2-factor authentication in Zendesk Support. 2-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.

Note: You need to use the mobile version of your 2-factor authentication app, and not a desktop version.

By default, you only have to enter a passcode once every 30 days. You can choose to enter a passcode every time you sign in.

An admin can require 2-factor authentication for all agents and administrators, though the admin can't set it up for them. You'll need to set it up the next time you sign in, as described in Enabling 2-factor authentication below. Even if it's not a requirement, you can still set up 2-factor authentication for your own use.

Topics covered in this article:

Enabling 2-factor authentication

  1. In the Zendesk Support agent interface, click your user icon in the upper right and select View Profile Page.
  2. Open the Security Settings tab.
  3. In the Enable Two-factor Authentication section, click Enable.

    dropdown

    A dialog box appears with two options to get the passcodes.

    passcode_choice
  4. Depending on how you want to get your passcodes when you sign in, select Use mobile app or Use SMS, and follow the onscreen instructions. For more information, see:

Configuring a 2-factor authentication app

Make sure a 2-factor authentication app is installed on your mobile device. Examples include Google Authenticator, Authy, Symantec VIP, and Duo Mobile.

To configure your 2-factor authentication app
  1. If not already done, choose Use Mobile App in the Enable two-factor authentication dialog box in Enabling 2-factor authentication.

    The following dialog box appears:

    image

  2. Start the 2-factor authentication app on your device, select the option to add an entry, and point your device's camera at the QR code (the blocky square) on the Zendesk dialog box in your browser window.

    The mobile app might refer to this action as Scan Barcode.

    The app should automatically scan the QR code and generate a passcode. If you have trouble scanning the QR code, you can manually enter the secret key that's provided.

    Note: Scanning the barcode is a one-time-only step.
  3. In the Zendesk dialog box in your browser, click Next to go to step 2 of the configuration process, enter the 6-digit passcode generated by the app, and click Verify.

    A notification email is sent to your email address.

  4. Download your recovery codes from the notification email. If you lose your phone or can't access your device for any reason, the recovery codes are the only way to access your account again. See Using your recovery codes below.

From now on when you sign in, you can get a valid passcode by simply opening a 2-factor authentication app on your device. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.

The app doesn't need an Internet connection to display valid passcodes.

Configuring text messages (SMS)

Note: To configure text messages (SMS) for two-factor authentication, make sure you include a phone number that is eligible to receive the transactional SMS messages. Some countries, such as India, have restrictions. For more information, see SMS Guidelines.
  1. If not already done, choose Use SMS in the Enable two-factor authentication dialog box in Enabling 2-factor authentication.
  2. Enter a phone number that can receive text messages and click Next.

    A text message will be sent to the number shortly.

    Note: The phone number must be in E.164 format.
  3. Enter the 6-digit code sent to you and click Verify.
  4. Download your recovery codes from the notification email you receive after enabling 2-factor authentication. If you lose your phone or can't access your device for any reason, recovery codes are the only way to access your account again. See Using your recovery codes below.

From now on when you sign in, you can get a valid passcode from a text message sent to your phone.

Changing how often you enter a passcode

By default, you only have to enter a passcode once every 30 days. You'll always be asked for a passcode when you sign in from a different device for the first time.

To enter a passcode every time you sign in, uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts you for a passcode:

Disabling 2-factor authentication

If 2-factor authentication is not a requirement but you enabled it anyway, you can disable it as follows:

  1. In the Zendesk Support agent interface, click your user icon in the upper right and select View Profile Page.
  2. Select the Security Settings tab, then click Edit in the Two-factor Authentication section.
  3. Click the link on the lower side of the screen to turn off 2-factor authentication.

Using and getting more recovery codes

If you lose your phone or can't access your device for any reason, you can use one of your recovery codes to access your account again. You can only use each code once.

  • When prompted for a passcode at sign-in, enter one of your recovery codes.

If you use up all your codes, you can ask an admin in your Zendesk account to get a recovery code for you. Refer the admin to Getting a recovery code for someone else.

Once you're signed in, you can get another set of recovery codes from your user profile page as follows:

  1. In the Zendesk Support agent interface, click your profile icon in the upper-right and select View profile page.
  2. Open the Security Settings tab and click Download Recovery Codes.
Have more questions? Submit a request

12 Comments

Sort by Date Votes
  • Jeannie Finks
    Comment actions Permalink

    Hi @Ankit

    Few questions:

    1)
    Under your section: "Using your recovery codes" when an agent has lost their recovery codes, and you mention for the user to "get another set by disabling and enabling 2-factor authentication." From what I can see, the user can only do that by logging in. But if they are locked out/can't log in, how can they do that then? What would be the recommended approach to take?

    2)
    Note in the Admin/Security area, "disabling and enabling 2-factor authentication" for the actual Zendesk subscription, I would note in a few places that if an admin does this (go from enable to disable), you're actually resetting it and will blow away any enabled user's config so then they all have to re-enable from scratch (eg you're not keeping state).

    3)
    Feature requests? Many of my agents have offered:
    a) "Having to re-enter the TFA code every 14 days is annoying, make it at least 30 days (on the same device) or configurable on the subscription like Zendesk password options."
    b)
    https://www.evernote.com/shard/s60/sh/8db28e5f-dc1a-40df-8bf9-059885ef7024/420ea813607f321ca00f2355656abd22

    Because TFA is quickly becoming commonplace, many chimed in on this:
    "If they named their app better, then I would be able to find it in my sea of TFA codes (I have over a dozen now). The Zendesk TFA code is the bottom one, but at no point does it mention the word Zendesk. This is really confusing."

    Thanks Ankit!

    0
  • Ankit Garg
    Comment actions Permalink

    Hi @Jeannie
    1) There are a few options here. If you used the "stay signed in" option on a trusted computer, you should be able to log in without being prompted for 2FA code. You can also reach out to Zendesk support for help, in the event you are totally locked out.

    2) That is right. We will update our documentation to reflect this. Would you expect this to work differently? If yes can you explain the use case some more and expected behavior for the use case?

    3) a) Thanks for the suggestion. We are thinking of separating the "stay signed in" into 2 pieces. One piece will apply to not being prompted for password for 14 days. Second piece will be not being prompted for 2FA code for 30 days.

    3) b) I assume you mean when you use an app based 2FA and you scan the barcode. We currently use the account name but I agree we could add Zendesk in there.

    0
  • Jeannie Finks
    Comment actions Permalink

    1) Thanks for clarification.

    2) I think anytime there's an enable/disable where resets are happening that would cause an impactful consequence, communicating/confirming the potential result makes it very clear. A use case for an admin is where their user is totally locked out, if one were to "disable the TFA", their user could log back in, and then the admin re-enables TFA. More of an on/off state vs. reset. The effected user now logged in would then disable their own TFA, and reset themselves since the admin cannot do it on a user-by-user basis.

    3)
    a) Sounds good!
    b) Yes on app-based 2FA/barcode scan method. My assumption is that the ZD account name might be named after the customer company and the company can have its own profiles; hence the suggestion on Zendesk-<account name> .

    Thanks for listening Ankit!

    0
  • Corey Edwards
    Comment actions Permalink

    Zendesk, while I greatly appreciate that you are among the ever-growing number of services providing 2FA as part of your product, I beseech you to consider adding the following improvements to your implementation to bring your offerings on par with the rest of those offering 2FA:

    1) Offer the ability to download and generate new recovery codes without disabling and re-enabling 2FA, and through a medium besides the 2FA confirmation email.

    2) When disabling 2FA for your own account, it would be wise to require the entry of a OTP code or a recovery code, to prevent fraudulent/accidental account changes.

    0
  • Maxim Oliynyk
    Comment actions Permalink

    By the way, you can use hardware token (card form-factor) with Zendesk:

    https://www.protectimus.com/slim-mini/

    2
  • Nicole - Community Manager
    Comment actions Permalink

    Hey Maxim - 

    Welcome to the Zendesk Community, and thanks for sharing. 

    0
  • Gurunn
    Comment actions Permalink

    Hi, 

    I have set up 2FA on our sandbox is testing with sms code. After 30 days, do you need to reenter your phone number or does Zendesk remember it?

    0
  • Mathew Keegan
    Comment actions Permalink

    Do you support third party 2FA devices like Yubico, Gemalto, or RSA SecurID?

    0
  • Tim Kilkenny
    • Edited
    Comment actions Permalink

    Hi Gurunn,

    Zendesk will remember your phone number in the 2FA settings, even after 30 days.

    0
  • Tim Kilkenny
    Comment actions Permalink

    Hi Matthew,

    At this time, we do not currently support third party 2FA devices like the ones that you mentioned.

    0
  • Jonathan March
    Comment actions Permalink

    FWIW -- Lastpass Authenticator is compatible with Google Authenticator, and unlike the latter migrates painlessly to a new phone (via your encrypted Lastpass cloud storage). I switched authenticators about a year ago and have no regrets.

    0
  • John Jairo Escobar
    Comment actions Permalink

    ¿Cómo puedo mantener el servicio de doble autenticación en Zendesk sin afectar la integración con Zendesk?

    0

Please sign in to leave a comment.

Related articles

Related articles

Powered by Zendesk