What's my plan?
All Suites Team, Growth, Professional, Enterprise, or Enterprise Plus
Support Team, Professional, or Enterprise

Verified AI summary ◀▼

Enhance account security with two-factor authentication by requiring a passcode at sign-in. You can mandate it for team members, end users, or both. Track admin and agent usage via a CSV report. If someone loses recovery codes, admins can generate new ones. Disable two-factor authentication anytime, but users who enabled it personally must turn it off themselves.

Location: Admin Center > Account > Security > Advanced

Two-step verification provides another layer of security to your Zendesk account by requiring team members or end users to provide an expirable passcode when signing in. You can require two-factor authentication, or each user can set up two-factor authentication for their own use.

Two-factor authentication applies to users who sign in to your Zendesk using Zendesk authentication (email and password). It's not available for users who sign in using third-party authentication, such as Google authentication services, JWT, or SAML. However, these users might still be able to use third-party two-factor authentication, such as Google 2-Step Verification, if you're using Google authentication.

Zendesk recommends turning on two-factor authentication to help protect against potential situations that could result in as admin or agent account being compromised, such as a leaked password. If you require two-factor authentication, it's a good idea to periodically generate a 2FA status report to track who's using two-factor authentication to access their Zendesk account.

This article covers the following topics:
  • Important considerations before turning on two-factor authentication
  • Requiring two-factor authentication on the account
  • Tracking who's using two-factor authentication
  • Turning off two-factor authentication
Related articles:
  • Getting recovery codes for team members locked out of their accounts
  • Understanding options for end-user access and sign-in

Important considerations before turning on two-factor authentication

Before turning on two-factor authentication, make sure you understand the following important considerations:
  • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when SSO or two-factor authentication is enabled in the developer documentation.
  • Requiring two-factor authentication turns off password-based authentication to the Zendesk API. Zendesk recommends moving to another authentication method for API calls as soon as possible because password access will be removed in December 2025.
  • Requiring two-factor authentication does not impact API calls that are using an API token.

Requiring two-factor authentication on the account

You can require two-factor authentication for all team members, all end users, or both user types. Once this setting is turned on, users will be required to set up two-factor authentication the next time they sign in.

You can optionally notify users of the change and include a link to an article for more information about two-factor authentication:
  • For admins and agents: Using two-factor authentication to sign in to Zendesk Support
  • For end users: Accessing help center with two-factor authentication

By default, when you require two-factor authentication, users have to enter a passcode once every 30 days. If users want to enter a passcode every time they sign in, they can change the setting for themselves. Users are always asked for a passcode when they sign in from a different device for the first time.

To require two-factor authentication

  1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
  2. Click the Authentication tab.
  3. Select the options that apply:
    • Require two-factor authentication (2FA) for team members
    • Require two-factor authentication (2FA) for end users
  4. Click Save.

Tracking who's using two-factor authentication

You can generate a 2FA status report, in the form of a CSV spreadsheet, listing all the admins and agents in your account and whether or not they're using two-factor authentication. It's a good idea to do this periodically if you require two-factor authentication. This option is not available to track end users.

To generate a 2FA status report

  1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
  2. Click the Authentication tab.
  3. Click Generate 2FA status report.
  4. Check your Zendesk email. You should get an email shortly with a link to download the spreadsheet.

Turning off two-factor authentication

You can turn off two-factor authentication if you no longer want to require it on your account. After you turn it off, users will no longer be required to enter a passcode when signing in, unless they have turned on two-factor authentication for themselves in their profile.

If you turned off two-factor authentication but users are still being prompted for a passcode, users can use the following resources to turn it off:
  • For agents: Turning off two-factor authentication
  • For end users: Turning off two-factor authentication

To turn off two-factor authentication

  1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
  2. Click the Authentication tab.
  3. Deselect the options that apply:
    • Require two-factor authentication (2FA) for team members
    • Require two-factor authentication (2FA) for end users
  4. Click Save.
Powered by Zendesk