If you sign in to Zendesk Support using standard Zendesk Support authentication, you can turn on 2-factor authentication. 2-factor authentication makes it difficult for somebody else to sign in as you. After you enter your password as usual, you'll be asked to enter a 6-digit passcode sent or generated just for you.
You can choose how to get the passcodes. They can be sent to you in text messages or they can be generated by a two-factor authentication app installed on your mobile device. The mobile app doesn't need an Internet connection to generate a passcode.
If you want to generate passcodes with an app, install one on your mobile device before activating 2-factor authentication in Zendesk Support. Options include Authy and Google Authenticator.
An admin can require 2-factor authentication for all agents and administrators. If it isn't a requirement, you can still set up 2-factor authentication for your own use.
Topics covered in this article:
Enabling 2-factor authentication
If 2-factor authentication is required for the account, you'll need to set up two-factor authentication the next time you sign in. Skip to step 4 below. Even if it's not required, you can still set up 2-factor authentication for your own use.
- In the Zendesk Support agent interface, click your user icon in the upper right and select View Profile Page.
- Open the Security Settings tab.
- In the Enable Two-factor Authentication section, click Enable.
A dialog box appears with a choice of how to get the passcodes.
- If you want the generate passcodes with a mobile app, choose Use Mobile App and
do the following:
- Start the app on your device, select the option to add an entry, and point your
device's camera at the QR code (the blocky square).
Your app might refer to this action as Scan Barcode.
The app should automatically scan the QR code and generate a passcode. If you have trouble scanning the QR code, you can manually enter the secret key that's provided.
- Click Next, enter the 6-digit passcode generated by the app, and click Verify.
Note: Scanning the barcode is a one-time-only step. From now on, you can get a new passcode by simply opening the app. - Start the app on your device, select the option to add an entry, and point your
device's camera at the QR code (the blocky square).
- If you want to receive passcodes in text messages, select choose Use SMS and do
the following:
- Enter a phone number that can receive text messages and click Next.
A text message will be sent to the number shortly.
- Enter the 6-digit code sent to you and click Verify.
- Enter a phone number that can receive text messages and click Next.
- Download your recovery codes from the notification email you receive after enabling 2-factor authentication. If you lose your phone or can't access your device for any reason, recovery codes are the only way to access your account again. See Using your recovery codes below.
Changing how often you enter a passcode
By default, you only have to enter a passcode once every 30 days. You'll always be asked for a passcode when you sign in from a different device for the first time.
To enter a passcode every time you sign in, uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts you for a passcode:
Disabling 2-factor authentication
If 2-factor authentication is not a requirement but you enabled it anyway, you can disable it as follows:
- In the Zendesk Support agent interface, click your user icon in the upper right and select View Profile Page.
- Select the Security Settings tab, then click Edit in the Two-factor Authentication section.
- Click the link on the lower side of the screen to turn off 2-factor authentication.
Using and getting more recovery codes
If you lose your phone or can't access your device for any reason, you can use one of your recovery codes to access your account again. You can only use each code once.
- When prompted for a passcode at sign-in, enter one of your recovery codes.
If you use up all your codes, you can ask an admin in your Zendesk Support account to get a recovery code for you. Refer the admin to Getting a recovery code for somebody else.
Once you're signed in, you can get another set of recovery codes from your user profile page as follows:
- In the Zendesk Support agent interface, click your profile icon in the upper-right and select View profile page.
- Open the Security Settings tab and click Download Recovery Codes.
Comments
4 comments
Hi @Ankit
Few questions:
1)
Under your section: "Using your recovery codes" when an agent has lost their recovery codes, and you mention for the user to "get another set by disabling and enabling 2-factor authentication." From what I can see, the user can only do that by logging in. But if they are locked out/can't log in, how can they do that then? What would be the recommended approach to take?
2)
Note in the Admin/Security area, "disabling and enabling 2-factor authentication" for the actual Zendesk subscription, I would note in a few places that if an admin does this (go from enable to disable), you're actually resetting it and will blow away any enabled user's config so then they all have to re-enable from scratch (eg you're not keeping state).
3)
Feature requests? Many of my agents have offered:
a) "Having to re-enter the TFA code every 14 days is annoying, make it at least 30 days (on the same device) or configurable on the subscription like Zendesk password options."
b)
https://www.evernote.com/shard/s60/sh/8db28e5f-dc1a-40df-8bf9-059885ef7024/420ea813607f321ca00f2355656abd22
Because TFA is quickly becoming commonplace, many chimed in on this:
"If they named their app better, then I would be able to find it in my sea of TFA codes (I have over a dozen now). The Zendesk TFA code is the bottom one, but at no point does it mention the word Zendesk. This is really confusing."
Thanks Ankit!
Hi @Jeannie
1) There are a few options here. If you used the "stay signed in" option on a trusted computer, you should be able to log in without being prompted for 2FA code. You can also reach out to Zendesk support for help, in the event you are totally locked out.
2) That is right. We will update our documentation to reflect this. Would you expect this to work differently? If yes can you explain the use case some more and expected behavior for the use case?
3) a) Thanks for the suggestion. We are thinking of separating the "stay signed in" into 2 pieces. One piece will apply to not being prompted for password for 14 days. Second piece will be not being prompted for 2FA code for 30 days.
3) b) I assume you mean when you use an app based 2FA and you scan the barcode. We currently use the account name but I agree we could add Zendesk in there.
1) Thanks for clarification.
2) I think anytime there's an enable/disable where resets are happening that would cause an impactful consequence, communicating/confirming the potential result makes it very clear. A use case for an admin is where their user is totally locked out, if one were to "disable the TFA", their user could log back in, and then the admin re-enables TFA. More of an on/off state vs. reset. The effected user now logged in would then disable their own TFA, and reset themselves since the admin cannot do it on a user-by-user basis.
3)
a) Sounds good!
b) Yes on app-based 2FA/barcode scan method. My assumption is that the ZD account name might be named after the customer company and the company can have its own profiles; hence the suggestion on Zendesk-<account name> .
Thanks for listening Ankit!
Zendesk, while I greatly appreciate that you are among the ever-growing number of services providing 2FA as part of your product, I beseech you to consider adding the following improvements to your implementation to bring your offerings on par with the rest of those offering 2FA:
1) Offer the ability to download and generate new recovery codes without disabling and re-enabling 2FA, and through a medium besides the 2FA confirmation email.
2) When disabling 2FA for your own account, it would be wise to require the entry of a OTP code or a recovery code, to prevent fraudulent/accidental account changes.
Please sign in to leave a comment.