Two-factor authentication provides another layer of security to your Zendesk account by requiring agents and administrators to provide an expirable passcode when signing in.
Two-factor authentication can be used by agents or administrators who sign in to your Zendesk using Zendesk authentication. It's not available for agents or administrators who sign in using third-party authentication such as Google authentication services, JWT, or SAML. However, these users might still be able to use third-party two-factor authentication such as Google 2-Step Verification if you're using Google authentication.
You can require two-factor authentication for all agents and administrators, or each agent or administrator can set up two-factor authentication for their own use.
You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
Requiring two-factor authentication on the account
You can require two-factor authentication for all agents and administrators. Once this setting is enabled, admins and agents will be required to set up two-factor authentication the next time they sign in. We recommend sending them a notification with a link to the Using two-factor authentication article in the Agents guide.
By default, when you require two-factor authentication, agents and administrators only have to enter a passcode once every 30 days. They will always be asked for a passcode when they sign in from a different device for the first time.
If agents and administrators want to enter a passcode every time they sign in, they can uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts for a passcode. This option is always available in the dialog box; you can't configure it.
To require two-factor authentication
- In Admin Center, click the Account icon in the sidebar, then select Security > Advanced.
- On the Authentication tab, select Require two-factor authentication.
- Click Save.
Tracking who's using two-factor authentication
You can generate a CSV spreadsheet listing all the admins and agents in your account and whether or not they're using two-factor authentication.
- In Admin Center, click the Account icon in the sidebar, then select Security > Advanced.
- On the Authentication tab, click Generate 2FA status report.
- Check your Zendesk email. You should get an email shortly with a link to download the spreadsheet.
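One way to act on that report before you turn on the account-wide requirement, as an added example (not Zendesk's code): it lists team members who show no two-factor authentication, admins first, and skips people you identify as signing in through third-party authentication, since Zendesk two-factor authentication isn't available to them. The column names, sample rows and email addresses are assumptions constructed for illustration; match the column names to the header row of your downloaded CSV.

```python
import csv

# Assumed column names; change them to match the header row of your report.
EMAIL_COL, ROLE_COL, TFA_COL = "email", "role", "two_factor_enabled"
TRUTHY = {"true", "yes", "1", "enabled"}

# Constructed sample data, not real report output.
SAMPLE_REPORT = """name,email,role,two_factor_enabled
Ana Admin,ana@example.com,admin,true
Bo Agent,bo@example.com,agent,false
Cy Contractor,cy@contractor.example,agent,
Di Admin,Di@Example.com,admin,no
Ed Staff,ed@example.com,agent,false
"""
SAMPLE_SSO_USERS = ["ed@example.com"]  # signs in through third-party authentication


def users_needing_followup(report_lines, sso_emails=()):
    """Return (email, role) for staff with no 2FA recorded, admins first."""
    reader = csv.DictReader(report_lines)
    missing = {EMAIL_COL, ROLE_COL, TFA_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"report is missing expected columns: {sorted(missing)}")
    sso = {e.strip().lower() for e in sso_emails}
    pending = []
    for row in reader:
        email = (row[EMAIL_COL] or "").strip().lower()
        role = (row[ROLE_COL] or "").strip().lower()
        # A blank or unrecognised value counts as "not enrolled" (fail closed).
        enrolled = (row[TFA_COL] or "").strip().lower() in TRUTHY
        # Third-party sign-in users are reviewed in their identity provider instead.
        if enrolled or email in sso:
            continue
        pending.append((email, role))
    # Admin accounts sort first, then alphabetical by email.
    return sorted(pending, key=lambda u: (u[1] != "admin", u[0]))


def audit_sample():
    return users_needing_followup(SAMPLE_REPORT.splitlines(), SAMPLE_SSO_USERS)


if __name__ == "__main__":
    for email, role in audit_sample():
        print(f"{role:6} {email}")
```

To run it on a real download, pass an open file object (opened with `newline=""`) in place of the sample lines.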
Getting a recovery code for somebody else
If an agent or admin exhausts or loses their recovery codes and can't sign in, the account owner can generate a recovery code for them.
- Locate and open the user's profile page. In Admin Center, click the People icon in the sidebar, then select Team > Team members.
- On the user's profile page, open the Security Settings tab and click the Show Recovery Code link.
- Copy the code and send it to the agent or admin. You may also want to share a link with instructions for using a recovery code.
7 Comments
Hi,
Can two-factor auth not be applied to end users & only agents/admins?
Thank you,
There are pages for end users and one for agents/admins. But you can't set up different SSO for each type. You can only disable it for both or one of the types.
Any way to have 2fa send code to email addresses?
The account owner can generate a 2FA recovery code. They could then create a ticket for the user in Zendesk with the codes, which would send an email notification to the user. Otherwise, they could use an external email account or other method to send the codes. Is that what you're asking?
How long is the recovery code valid? I think the recovery code will expire someday.
From what I've found in our documentation there isn't any expiration date for these recovery codes.
As long as these agents exist in your account their recovery code should be valid.
Let us know if you have any other questions!
The first section notes that when using SSO, the two-factor is not available through Zendesk directly, but can be managed through the SSO provider instead.
What happens though if we have a mix of agents/admins using SSO and Zendesk Authentication? Our on-staff internal agents use SSO, but our 3rd party contractor agents use Zendesk Authentication via the /normal link.
If "Require two-factor..." is enforced for all agents/admins, does it simply ignore the SSO users, but still enforce TFA for those 3rd party agents using Zendesk Authentication?