What's my plan?
All Suites Team, Growth, Professional, Enterprise, or Enterprise Plus
Support Team, Professional, or Enterprise

Verified AI summary ◀▼

Enhance account security with two-factor authentication by requiring a passcode at sign-in. You can mandate it for team members, end users, or both. Track admin and agent usage via a CSV report. If someone loses recovery codes, admins can generate new ones. Disable two-factor authentication anytime, but users who enabled it personally must turn it off themselves.

Location: Admin Center > Account > Security > Advanced

Two-factor authentication provides another layer of security to your Zendesk account by requiring team members or end users to provide an expirable passcode when signing in.

Two-factor authentication applies to users who sign in to your Zendesk using Zendesk authentication (email and password). It's not available for users who sign in using third-party authentication such as Google authentication services, JWT, or SAML. However, these users might still be able to use third-party two-factor authentication such as Google 2-Step Verification if you're using Google authentication.

You can require two-factor authentication, or each user can set up two-factor authentication for their own use.

This article covers the following topics:
  • Important considerations before turning on two-factor authentication
  • Requiring two-factor authentication on the account
  • Tracking who's using two-factor authentication
  • Getting a recovery code for somebody else
  • Turning off two-factor authentication
Related articles:
  • Getting recovery codes for team members locked out of their accounts
  • About two-step verification
  • Understanding options for end-user access and sign-in

Important considerations before turning on two-factor authentication

Before turning on two-factor authentication, make sure you understand the following important considerations:
  • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when SSO or two-factor authentication is enabled in the developer documentation.
  • Requiring two-factor authentication turns off password-based authentication to the Zendesk API. Zendesk recommends moving to another authentication method for API calls as soon as possible because password access will be removed in December 2025.
  • Requiring two-factor authentication does not impact API calls that are using an API token.

Requiring two-factor authentication on the account

You can require two-factor authentication for all team members, all end users, or both user types. Once this setting is turned on, users will be required to set up two-factor authentication the next time they sign in.

You can optionally notify users of the change and include a link to an article for more information about two-factor authentication:
  • For admins and agents: Using two-factor authentication to sign in to Zendesk Support
  • For end users: Accessing help center with two-factor authentication

By default, when you require two-factor authentication, users only have to enter a passcode once every 30 days. They will always be asked for a passcode when they sign in from a different device for the first time. If users want to enter a passcode every time they sign in, they can uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts for a passcode. They always have this option available in the dialog box; you can't configure it.

To require two-factor authentication

  1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
  2. Click the Authentication tab.
  3. Select the options that apply:
    • Require two-factor authentication (2FA) for team members
    • Require two-factor authentication (2FA) for end users
  4. Click Save.

Tracking who's using two-factor authentication

You can generate a CSV spreadsheet listing all the admins and agents in your account and whether or not they're using two-factor authentication. This option is not available to track end users.

  1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
  2. Click the Authentication tab.
  3. Click Generate 2FA status report.
  4. Check your Zendesk email. You should get an email shortly with a link to download the spreadsheet.

Getting a recovery code for somebody else

If an agent or admin exhausts or loses their recovery codes and can't sign in, a Zendesk admin or the account owner can generate a recovery code for them. See Getting recovery codes for team members locked out of their accounts.

Recovery codes can't be provided to end users. If an end user exhauses or loses their recovery codes and can't sign in, they must create a new account to regain access.

Turning off two-factor authentication

You can turn off two-factor authentication if you no longer want to require it on your account. After you turn it off, users will no longer be required to enter a passcode when signing in, unless they have turned on two-factor authentication for themselves in their profile.

If you turned off two-factor authentication but users are still being prompted for a passcode, users can use the following resources to turn it off:
  • For agents: Turning off two-factor authentication
  • For end users: Turning off two-factor authentication

To turn off two-factor authentication

  1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
  2. Click the Authentication tab.
  3. Deselect the options that apply:
    • Require two-factor authentication (2FA) for team members
    • Require two-factor authentication (2FA) for end users
  4. Click Save.
Powered by Zendesk