Managing two-factor authentication for agents and admins



Charles Nadeau

Zendesk Documentation Team

Edited Oct 21, 2024


10

14

14 comments

Hi,

Can two-factor auth not be applied to end users & only agents/admins?

Thank you,

1


There are pages for end users and one for agents/admins. But you can't set up different SSO for each type. You can only disable it for both or one of the types.

3


Any way to have 2FA send code to email addresses?

1


Hi Agyeman,
 
The account owner can generate a 2FA recovery code. They could then create a ticket for the user in Zendesk with the codes, which would send an email notification to the user. Otherwise, they could use an external email account or other method to send the codes. Is that what you're asking?

1


Brett Bowser

Zendesk Community Manager

Hey 지훈 이,
 
From what I've found in our documentation there isn't any expiration date for these recovery codes. 
 
As long as these agents exist in your account their recovery code should be valid.
 
Let us know if you have any other questions!

1


The first section notes that when using SSO, the two-factor is not available through Zendesk directly, but can be managed through the SSO provider instead.

What happens though if we have a mix of agents/admins using SSO and Zendesk Authentication? Our on-staff internal agents use SSO, but our 3rd party contractor agents use Zendesk Authentication via the /normal link.

If "Require two-factor..." is enforced for all agents/admins, does it simply ignore the SSO users, but still enforce TFA for those 3rd party agents using Zendesk Authentication?

1


Dane

Zendesk Engineering

Hi Bobby,
 
I have tested the behavior in Okta and 2FA will work for Zendesk authentication on the page that is not set up as a default relay state.

For example, I have set up my SSO to log in while on subdomain.zendesk.com/agent. If my agent goes to subdomain.zendesk.com/hc, they have the option to use another sign-in method that is available for the account. 2FA can still be used if Zendesk authentication is enabled.
 
Hope this helps!

2


Can 2FA login be required on every login? I know there is a way for users to change a checkbox that will then require 2FA on every login but I need to make it mandatory for everyone.

3


Christine

Zendesk Engineering

Hi Matt,

It is not possible to configure 2FA to be required every login. The "Don't ask again on this computer for 30 days" option is up to the individual user to decide and there are no global controls for this.
 
Although you cannot remotely reset user sessions, you can do that with the usage of the Sessions API. The Sessions API lets you view who is currently signed in. It also lets you terminate one or more sessions. Terminating a session signs out the user.

2
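
The Sessions API use mentioned in the reply above, as an added example that is not part of the thread or Zendesk's own code: it picks sessions older than a chosen maximum age from a session listing and prepares the delete call for each. The subdomain, credentials, 12-hour limit and sample records are constructed placeholders; the endpoint paths and the `email/token:api_token` basic-auth form come from Zendesk's public API reference, not from this page.

```python
"""Dry run: find Zendesk sessions older than a maximum age and build the calls that end them."""
import base64
import urllib.request
from datetime import datetime, timedelta, timezone

BASE = "https://example.zendesk.com"  # placeholder subdomain (assumption)

# Constructed sample shaped like a GET /api/v2/sessions.json response.
SAMPLE = {"sessions": [
    {"id": 3432, "user_id": 12345, "authenticated_at": "2024-10-01T08:00:00Z"},
    {"id": 3433, "user_id": 12345, "authenticated_at": "2024-10-21T09:30:00Z"},
    {"id": 3440, "user_id": 67890, "authenticated_at": None},
]}


def is_stale(session, now, max_age):
    """True if the sign-in is older than max_age; unreadable timestamps fail closed."""
    try:
        signed_in = datetime.strptime(session["authenticated_at"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, TypeError, ValueError):
        return True
    return now - signed_in.replace(tzinfo=timezone.utc) > max_age


def stale_sessions(listing, now, max_age):
    return [s for s in listing.get("sessions", []) if is_stale(s, now, max_age)]


def delete_request(session, email, api_token):
    """Build, without sending, DELETE /api/v2/users/{user_id}/sessions/{id}.json."""
    url = f"{BASE}/api/v2/users/{session['user_id']}/sessions/{session['id']}.json"
    cred = base64.b64encode(f"{email}/token:{api_token}".encode()).decode()
    return urllib.request.Request(url, method="DELETE",
                                  headers={"Authorization": f"Basic {cred}"})


def plan(listing, now, max_age, email="admin@example.com", api_token="PLACEHOLDER"):
    """Return one prepared DELETE request per stale session."""
    return [delete_request(s, email, api_token) for s in stale_sessions(listing, now, max_age)]


if __name__ == "__main__":
    now = datetime(2024, 10, 21, 12, 0, tzinfo=timezone.utc)
    for req in plan(SAMPLE, now, timedelta(hours=12)):
        # Review the list first; urllib.request.urlopen(req) would send the call.
        print(req.get_method(), req.full_url)
```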


Hi Christine, Zendesk,

This is a significant security flaw in Zendesk's implementation of 2FA. 2FA ought to be bundled with the ability for an administrator to mandate use of 2FA with every login event. Leaving this up to the user breaks our security rules (and we are just a tiny company).

This leaves us exposed to hacking.

What we don't understand is that the Sessions can clearly be set to expire... and yet this does not sign out the user? Or properly kill the session. The implementation is flawed, unfortunately.

Will Zendesk take this seriously and implement an Admin enforcement?  This should never be a user decision.

5


I agree with Troy that the choice whether the 2FA needs to be made for every login or after those 30 days should be up to the admins.

3


I agree with Troy. Admins should be able to mandate the use of 2FA and turn off the don't ask again for 30 days. That goes against our corporate security policy as well. 

3


Hello Zendesk Team,

Please, when I want to sign in and I am asked for my two-factor authentication code, I actually do receive the code to enable me to log in. This has persisted for weeks. Kindly support.

1


Audrey Ann Cipriano

Zendesk Customer Care

Hi George Awuah, welcome to our Community!

To confirm, are you NOT receiving the code and you are unable to log in? If so, can you try to follow the instructions below to see if it'll work? 

1. Search your email inbox for any recovery codes that were sent to you previously and use them to log in.

2. If you are not able to locate any recovery codes, reach out to the owner of your account as they are able to generate additional codes for you.


If this won't work, kindly contact us via Messaging for assistance. Be advised that an owner on the account will need to give permission for us to take further action.

More info here: I use 2-factor authentication and am locked out of my account. 

 

Hope this helps!

3

