Two-factor authentication makes it difficult for somebody else to sign in as you. After you enter your password as usual, you'll be asked to enter a 6-digit passcode. You can get the passcode from a text message (SMS) or a two-factor authentication app installed on your mobile device.
An admin can require two-factor authentication for all agents and administrators, but the admin can't set it up for them. If it's required, you'll be prompted to set it up when you sign in. Even if it's not a requirement, you can still set up two-factor authentication for your own use.
Admins can refer to Managing two-factor authentication to learn about important considerations before turning on two-factor authentication.
Using a recovery code to regain access to your account
If you lose your phone or can't access your device, you can use one of your recovery codes to regain access to your account. Recovery codes are displayed once, during the initial setup of two-factor authentication. When prompted for a passcode at sign-in, enter one of your recovery codes.
You can only use each code once. If you use up all your codes or can't find them, ask your Zendesk admin or account owner to get a recovery code for you.
Turning on two-factor authentication
If two-factor authentication isn't required, you can turn it on for your own use.
To turn on two-factor authentication
- In the Zendesk Support agent interface, click your user icon in the upper right and select View profile.
- Click the Security Settings tab.
- In the Two-factor Authentication section, click Manage.
- Click Set up 2FA.
- Click Next.
- Continue to the sections below, depending on how you'd like to receive passcodes:
Configuring an authenticator app or text messages to receive passcodes
You have the option to receive passcodes using a two-factor authentication app or through a text message.
Configuring an authenticator app
To use an authenticator app to receive passcodes, you must install a two-factor authentication app on your mobile device. Two-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile. The app displays a valid passcode on the opening screen. You typically get 30 seconds to use it before it expires, then the app displays a new passcode.
- Select Authenticator app in the Set up two-factor authentication (2FA) dialog, then click Next.
This dialog appears after turning on 2FA, or upon sign-in when 2FA is required.
You are directed to the Connect your 2FA method step.
- Start the two-factor authentication app on your device, select the option to add an entry, and point your device's camera at the QR code (the blocky square) on the Zendesk dialog in your browser window.
The mobile app might refer to this action as Scan Barcode.
The app should automatically scan the QR code and generate a passcode. If you have trouble scanning the QR code, you can manually enter the secret key that's provided. Scanning the barcode is a one-time-only step.
- Enter the 6-digit passcode generated by the app, then click Save.
- Click Copy recovery codes and save them in a safe location. If you lose your phone or can't get a passcode, you must use a recovery code to sign in.
From now on, when you sign in, you can get a valid passcode by simply opening a two-factor authentication app on your device. The app displays a valid passcode on the opening screen. The app doesn't need an internet connection to display valid passcodes.
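The behaviour described above (a 6-digit passcode that changes every 30 seconds and needs no internet connection) is what a time-based one-time password (TOTP, RFC 6238) provides: the passcode is computed from the secret key behind the QR code and the current time. The sketch below is an added example, not Zendesk code; it assumes the standard Google Authenticator parameters (HMAC-SHA1, 30-second step, 6 digits), uses the published RFC 6238 test key, and the one-step clock-skew tolerance in `verify` is an illustrative assumption.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key (ASCII "12345678901234567890") in base32, the form shown
# as the manual-entry secret key. A published test vector, not a real secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Passcode for the time step containing unix_time (HMAC-SHA1 TOTP)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", unix_time // step)   # 8-byte big-endian step number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, skew_steps=1, step=30):
    """Return the step offset (-1, 0, +1, ...) whose code matches, else None.

    A non-zero offset means the device clock and the server clock disagree
    by roughly that many steps; outside the window the code is rejected.
    """
    for off in range(-skew_steps, skew_steps + 1):
        t = unix_time + off * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step), submitted):
            return off
    return None


if __name__ == "__main__":
    server_time = 1111111109                 # constructed timestamp (RFC vector)
    code = totp(SECRET, server_time)
    print("code now:", code)
    print("same code two seconds later, in the next step:",
          verify(SECRET, code, server_time + 2))
    print("same code two minutes later:",
          verify(SECRET, code, server_time + 120))
```

Both sides derive the code independently from the shared secret and their own clocks, so a device whose clock has drifted by more than the accepted window produces codes the server rejects.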
Configuring text messages (SMS)
To configure text messages for two-factor authentication, make sure you include a phone number that is eligible to receive the transactional SMS messages. Some countries, such as India, have restrictions. For more information, see SMS Guidelines.
To configure text messages
- Select SMS in the Set up two-factor authentication (2FA) dialog, then click Next.
This dialog appears after turning on 2FA, or upon sign-in when 2FA is required.
- Enter a phone number that can receive text messages, then click Send passcode.
A text message will be sent to the number shortly.
Note: The phone number must be in E.164 format.
- Enter the 6-digit code sent to you, then click Save.
SMS passcodes for 2FA are valid for 60 seconds.
- Click Copy recovery codes and save them in a safe location. If you lose your phone or can't get a passcode, you must use a recovery code to sign in.
From now on, when you sign in, you can get a valid passcode from a text message sent to your phone.
Changing how often you enter a passcode
By default, you only have to enter a passcode once every 30 days. You'll always be asked for a passcode when you sign in from a different device for the first time.
To enter a passcode every time you sign in, uncheck the Don't ask again on this computer for 30 days option on the dialog that prompts you for a passcode.
Turning off two-factor authentication
If two-factor authentication is not a requirement, but you turned it on anyway, you can turn it off.
- In the Zendesk Support agent interface, click your user icon in the upper right and select View profile.
- Click the Security Settings tab.
- In the Two-Factor Authentication section, click Manage.
- Click Turn off 2FA.
41 comments
PAUL STRAUSS
If an agent's phone number changes, how can I change it so they continue to receive the SMS 2FA codes?
2
Wilfred Kaw
Hello @pstrauss,
An Agent can make this change in their own profile by following this process:
1) Select the Admin gear icon on the left-hand side of your Zendesk Support and choose People.
2) Search your own name and select edit.
3) Then select the 'Security settings' tab.
4) Once there, choose 'Edit' under 'Two-Factor Authentication'
5) Select Use SMS, and you'll be able to update the Two-Factor Authentication number.
You can learn more about Managing 2-factor authentication here:
Managing 2-factor authentication
-1
Lee Jones
If 2FA is already enabled, but set to SMS, is there a way to switch only selected users to "use mobile app", or is this a global setting? If it is switched over to "use mobile app", would it force the users to register the app on next log on, or simply provide an option?
Thanks
0
Juraj Jarmek
Hello @...,
Please note it is possible to have only one 2FA method, either SMS or the mobile app, not both.
The agents need to specify which they want to use themselves when setting up their 2FA.
If the 2FA method is switched from one to the other, the next time the agent signs on they would be forced to use that method.
Whatever the method, when the agent chooses the method, they will either have to scan the QR code with the mobile app, or provide a telephone number in their profile for the SMS.
Hope that clarifies!
1
Jeffery Birks
Given you already support Google Authenticator, there is a hardware token that can be used with Zendesk: you can use a safeid/diamond token:
https://deepnetsecurity.com/authenticators/one-time-password/safeid/
The token is a programmable token, so it would be seeded using the same QR code you use when seeding the Google Authenticator app (you use an app on your phone or PC to program the token via NFC). Once programmed, it generates the same OTP codes the Google Authenticator produces but is then a fully independent and self-powered device.
0
Dave Dyson
Thanks, Jeffrey!
0
Azaliya Sharipova
Hello,
I cannot log in to my Zendesk account (email asharipova@cloudlinux.com) because of the 2FA. I don't receive a message with a code, and the code from apps is not working. Can you please disable 2FA in my account or help me with a code?
0
Jeff C
Hello Azaliya,
Sorry about the trouble; however, Zendesk does not have the capability to disable 2FA on your account or provide you with a code unless there is no one else who is able to do it for you.
We suggest reaching out to any of the admins in your Support instance for assistance in this matter.
0
David Melik
End-users need this also; extremely poor/insecure/unsafe design.
2
mfg
I'd like to roll this out to our users, but I'm unclear what that would look like once I enable 2FA. Could you explain how the users configure their phone number? Once rolled out, if they don't already have one, will they be prompted or sent an email to add a phone number?
0
Dane
The behavior when you enable 2FA is discussed in Enabling 2-Factor Authentication. Once your agent logs in, they will be prompted to enable it by mobile app or SMS.
Hope this helps!
0
Matt Newnham
I would like to request that 2FA be required on every log in. This is a security requirement from a government agency.
2
K.S.
The topic notes "2-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile." Can Microsoft Authenticator be used?
0
Dainne Kiara Lucena-Laxamana
Hi K.S.
Yes, Microsoft Authenticator can be used. Those are just the commonly used authenticators.
1
Ronald Lantong
Hello Dainne Kiara Lucena-Laxamana
I'm having trouble logging in; it says the authentication code is invalid even when I enter the code displayed in Google authentication via my mobile phone. I even tried a recovery code, but it didn't work. Please assist. Thanks!
1
Sravanthi Muppavarapu
Hello Team,
Does 2FA prompt for an approval when someone is logging through API?
0
Sabra
Hey Sravanthi Muppavarapu! If a user has 2FA enabled and attempts to use basic authentication (email/password) to authenticate their API call, there will not be a prompt for 2FA. Instead, the API call will fail with a 401 error due to 2FA being enabled. To successfully make API calls with 2FA enabled, we recommend one of the other authentication methods listed here: Security and authentication
0
K.S.
Can two factor authentication be used for user access? If not today, does Zendesk plan to offer this as an option?
0
Darenne
Hi K.S.,
When you say 2FA for user access, did you mean as a standard Zendesk sign-in? If so, I don't think this is an option yet as 2FA is a security system that requires two separate, distinct forms of identification in order to access the account and this is only used for another layer of security for your agents/admins.
I can mark this as feedback so our dev/product team can check and evaluate this! However, I'd like to manage your expectations that we can't provide an exact ETA but if there's an update about this, all our customers will be able to get about a new feature.
On the other hand, if this is not what you're referring to, kindly please provide us with more information about what you're trying to achieve so we can provide an accurate response.
0
K.S.
Hi Darenne,
We are looking for additional security when our users (end user consumer) sign in to our help desk. Ideally, we'd like to see both the following authentication options:
Since this is an end-user allowing them multiple options to authenticate would be crucial to a good user experience. Thanks!
0
Darenne
Hi K.S.,
Thanks for the clarification. At this time, unfortunately, we don't support this feature. I've taken a look and found that other users are discussing similar needs here: https://support.zendesk.com/hc/en-us/community/posts/4408860744346
You can up-vote that original post and add your detailed use case to the conversation. Threads with a high level of engagement ultimately get flagged for product managers to review when they go through roadmap planning.
Specific examples, details about impact, and how you currently handle things are the most helpful things to share to help our product teams understand the full scope of the need when working on solutions. We truly value customer feedback and your voice and votes on the product feedback topics in the community help influence future Zendesk functionality.
0
Aaron Peace
It looks like there is an important section of this article missing.
Quote:
If you are wanting to force all ZenDesk Agents to set up 2FA when they next log in, the ability to do so is referenced but never elaborated on. Please, find the option following the path below:
Admin Center > Security: Advanced > Authentication > Require two-factor authentication (2FA): Require all team members to use 2FA when they sign in to Zendesk.
I believe there is a separate article that again goes unreferenced here:
https://support.zendesk.com/hc/en-us/articles/4408826974874
0
Isobel Mills
As per security best practices we'd like to make it so that our team can only set up using an authenticator and not a mobile. Is this something that's possible, or is it on the security roadmap?
0
Jennifer Gillespie
How does enabling 2-factor authentication impact Webhooks?
0
Joyce
Enabling 2-factor authentication will require the use of mobile devices. I'm afraid that there's currently no option to solely use an authenticator alone. I encourage you to create a new post in the General Product Feedback topic in our community to engage with other users who have similar needs and discuss possible workarounds. Conversations with a high level of engagement ultimately get flagged for product managers to review when they go through roadmap planning.
0
Joyce
Enabling 2-factor authentication should not have an impact on Webhooks. If your Webhooks use API tokens that are generated from the Admin Center, those tokens are not used in 2-factor authentication. In addition, this should also not have any impact on Webhooks using basic authentication (username/password).
0
Steve Lacoss
If your webhooks use basic authentication, you will have to update them to API token or OAuth when setting to require 2FA. This article explains the details.
https://developer.zendesk.com/documentation/ticketing/using-the-zendesk-api/using-the-api-with-2-factor-authentication-enabled/
0
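Two replies above state that API calls and webhooks authenticating with email/password basic authentication fail with a 401 once 2FA is enabled, and that they must move to an API token or OAuth. The following added example (not Zendesk code, and not part of any comment) is one way to find such integrations before requiring 2FA: it classifies stored Authorization header values, relying on the Zendesk API token convention of a basic-auth username ending in `/token`. The integration names and credentials are constructed.

```python
import base64
import binascii


def classify_auth(header):
    """Classify an Authorization header value without exposing the secret."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() == "bearer" and value:
        return "oauth-bearer"
    if scheme.lower() != "basic":
        return "unknown"
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "unknown"
    user, sep, _secret = decoded.partition(":")  # username cannot contain ':'
    if not sep:
        return "unknown"
    # API token auth sends "<email>/token" as the username.
    return "api-token" if user.endswith("/token") else "password-basic"


def at_risk(integrations):
    """Names of integrations that would get a 401 once 2FA is required."""
    return sorted(name for name, header in integrations.items()
                  if classify_auth(header) == "password-basic")


def _basic(user, secret):
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


# Constructed inventory of integrations and their stored auth headers.
SAMPLE = {
    "crm-sync": _basic("agent@example.com", "constructed-password"),
    "billing-hook": _basic("agent@example.com/token", "CONSTRUCTED_API_TOKEN"),
    "reporting": "Bearer CONSTRUCTED_OAUTH_ACCESS_TOKEN",
    "legacy-export": "Basic not-base64!!",
}

if __name__ == "__main__":
    print("update before requiring 2FA:", at_risk(SAMPLE))
```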
Divya Moryani
Hello! I had set it up; however, when I enter my 2FA from Authentication App I get "Re-enter the passcode and try again" error. I'm not able to log in to Zendesk.
Haven't changed my number also. Please help here.
0
Brett Bowser
I'm going to create a ticket on your behalf so our Customer Care team can look into this further with you.
You'll receive an email shortly stating your ticket has been created.
Cheers!
0
Yen Nhi Nguyen
Hello!
We currently have the 2FA activated for all agents. Is it possible to deactivate it for certain agents? As this option does not work if the 2FA is activated:
Is there another way to turn it off for specific agents? Thanks a lot!
0