If you sign in to Zendesk using standard Zendesk authentication, you can turn on 2-factor authentication. 2-factor authentication makes it difficult for somebody else to sign in as you. After you enter your password as usual, you'll be asked to enter a 6-digit passcode. You can get the passcode from a text message (SMS) or from a 2-factor authentication app installed on your mobile device.
If you want to get your passcodes from a 2-factor authentication app, install one on your mobile device before enabling 2-factor authentication in Zendesk Support. 2-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
By default, you only have to enter a passcode once every 30 days. You can choose to enter a passcode every time you sign in.
An admin can require 2-factor authentication for all agents and administrators, but the admin can't set it up for them. You'll need to set it up the next time you sign in, as described in Enabling 2-factor authentication below. Even if it's not a requirement, you can still set up 2-factor authentication for your own use.
Topics covered in this article:
Enabling 2-factor authentication
- In the Zendesk Support agent interface, click your user icon in the upper right and select View profile.
- Open the Security Settings tab.
- In the Enable Two-factor Authentication section, click Enable.
A dialog box appears with two options to get the passcodes.
- Depending on how you want to get your passcodes when you sign in, select Use mobile app or Use SMS, and follow the onscreen instructions. For more information, see:
Configuring a 2-factor authentication app
Make sure a 2-factor authentication app is installed on your mobile device. Examples include Google Authenticator, Authy, Symantec VIP, and Duo Mobile.
- If not already done, choose Use Mobile App in the Enable two-factor authentication dialog box in Enabling 2-factor authentication.
The following dialog box appears:
- Start the 2-factor authentication app on your device, select the option to add an entry, and point your device's camera at the QR code (the blocky square) on the Zendesk dialog box in your browser window.
The mobile app might refer to this action as Scan Barcode.
The app should automatically scan the QR code and generate a passcode. If you have trouble scanning the QR code, you can manually enter the secret key that's provided.
Note: Scanning the barcode is a one-time-only step. - In the Zendesk dialog box in your browser, click Next to go to step 2 of the configuration process, enter the 6-digit passcode generated by the app, and click Verify.
A notification email is sent to your email address.
- Download your recovery codes from the notification email. If you lose your phone or can't access your device for any reason, the recovery codes are the only way to access your account again. See Using your recovery codes below.
From now on when you sign in, you can get a valid passcode by simply opening a 2-factor authentication app on your device. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
The app doesn't need an Internet connection to display valid passcodes.
Configuring text messages (SMS)
- If not already done, choose Use SMS in the Enable two-factor authentication dialog box in Enabling 2-factor authentication.
- Enter a phone number that can receive text messages and click Next.
A text message will be sent to the number shortly.
Note: The phone number must be in E.164 format. - Enter the 6-digit code sent to you and click Verify.
- Download your recovery codes from the notification email you receive after enabling 2-factor authentication. If you lose your phone or can't access your device for any reason, recovery codes are the only way to access your account again. See Using your recovery codes below.
From now on when you sign in, you can get a valid passcode from a text message sent to your phone.
Changing how often you enter a passcode
By default, you only have to enter a passcode once every 30 days. You'll always be asked for a passcode when you sign in from a different device for the first time.
To enter a passcode every time you sign in, uncheck the Don't ask again on this computer for 30 days option on the dialog box that prompts you for a passcode:
Disabling 2-factor authentication
If 2-factor authentication is not a requirement but you enabled it anyway, you can disable it as follows:
- In the Zendesk Support agent interface, click your user icon in the upper right and select View profile.
- Select the Security Settings tab, then click Edit in the Two-factor Authentication section.
- Click the link on the lower side of the screen to turn off 2-factor authentication.
Using and getting more recovery codes
If you lose your phone or can't access your device for any reason, you can use one of your recovery codes to access your account again. You can only use each code once.
- When prompted for a passcode at sign-in, enter one of your recovery codes.
If you use up all your codes, you can ask your Zendesk account owner to get a recovery code for you. Refer to Getting a recovery code for someone else.
Once you're signed in, you can get another set of recovery codes from your user profile page as follows:
- In the Zendesk Support agent interface, click your profile icon in the upper-right and select View profile.
- Open the Security Settings tab and click Download Recovery Codes.
21 Comments
If an agent's phone number changes, how can I change it so they continue to receive the SMS 2FA codes?
Hello @pstrauss,
An Agent can make this change in their own profile by following this process:
1) Select the Admin gear icon on the lefthand side of your Zendesk Support and choose People.
2) Search your own name and select edit.
3) Then select the 'Security settings' tab.
4) Once there, choose 'Edit' under 'Two-Factor Authentication'
5) Select Use SMS, and you'll be able to update the Two-Factor Authentication number.
You can learn more about Managing 2-factor authentication here:
Managing 2-factor authentication
If 2FA is already enabled, but set to SMS, is there a way to switch only selected users to "use mobile app" or is this a global setting. If it is switched over to "use mobile app" would it force the users to register the app on next log on, or simply provide an option.
Thanks
Hello @...,
Please note it is possible to have only one 2FA method, either SMS or the mobile app, not both.
The agents need to specify which they want to use themselves when setting up their 2FA.
If the 2FA method is switched from one to the other, the next time the agent signs on they would be forced to use that method.
Whatever the method, when the agent chooses the method, they will either have to scan the QR code with the mobile app, or provide a telephone number in their profile for the SMS.
Hope that clarifies!
Given you already support google authenticator then there is a hardware token that can be used with zendesk - you can use a safeid/diamond token;
https://deepnetsecurity.com/authenticators/one-time-password/safeid/
The token is a programmable token so would be seeded using the same QR code you use when seeding the google authenticator app (you use an app on your phone or PC to program the token via NFC). Once programmed it generates the same OTP codes the google authenticator produces but is then a fully independent and self-powered device.
Thanks, Jeffrey!
Hello,
I cannot log in to my Zendesk account (email asharipova@cloudlinux.com) because of the 2FA. I don't receive a message with a code, and the code from apps is not working. Can you please disable 2FA in my account or help me with a code?
Hello Azaliya,
Sorry about the trouble however Zendesk does not have the capability to disable 2FA on your account or provide you with a code unless there is no one else who is able to do it for you.
We suggest reaching out to any of the admins in your Support instance for assistance in this matter.
End-users need this also; extremely poor/insecure/unsafe design.
I'd like to roll this out to our users, but I'm unclear what that would look like once I enable 2FA.. Could you explain how the users configure their phone number? Once rolled out, if they don't already have one, will they be prompted or sent an email to add a phone number?
The behavior when you enable 2FA is discussed in Enabling 2-Factor Authentication. Once your agent logs in, they will be prompted to enable it by mobile app or SMS.
Hope this helps!
I would like to request that 2FA be required on every log in. This is a security requirement from a government agency.
The topic notes "2-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile." Can Microsoft Authenticator be used?
Hi Stan Kutzko
Yes, Microsoft Authenticator can be used. Those are just the commonly used authenticators.
Hello Dainne Lucena
I'm having trouble logging in; it says the authentication code is invalid even when I enter the code displayed in Google authentication via my mobile phone. I even tried a recovery code, but it didn't work. Please assist. Thanks!
Hello Team,
Does 2FA prompt for an approval when someone is logging through API?
Hey Sravanthi Muppavarapu! If a user has 2FA enabled and attempts to use basic authentication (email/password) to authenticate their API call, there will not be a prompt for 2FA. Instead, the API call will fail with a 401 error due to 2FA being enabled. To successfully make API calls with 2FA enabled, we recommend one of the other authentication methods listed here: Security and authentication
Can two factor authentication be used for user access? If not today, does Zendesk plan to offer this as an option?
Hi Stan Kutzko,
When you say 2FA for user access, did you mean as a standard Zendesk sign-in? If so, I don't think this is an option yet as 2FA is a security system that requires two separate, distinct forms of identification in order to access the account and this is only used for another layer of security for your agents/admins.
I can mark this as feedback so our dev/product team can check and evaluate this! However, I'd like to manage your expectations that we can't provide an exact ETA but if there's an update about this, all our customers will be able to get about a new feature.
On the other hand, if this is not what you're referring to, kindly please provide us with more information about what you're trying to achieve so we can provide an accurate response.
Hi Darenne,
We are looking for additional security when our users (end user consumer) signs in to our help desk. Ideally, we'd like to see both the following authentication options:
Since this is an end-user allowing them multiple options to authenticate would be crucial to a good user experience. Thanks!
Hi Stan Kutzko,
Thanks for the clarification. At this time, unfortunately, we don't support this feature. I've taken a look and found that other users are discussing similar needs here: https://support.zendesk.com/hc/en-us/community/posts/4408860744346
You can up-vote that original post and add your detailed use case to the conversation. Threads with a high level of engagement ultimately get flagged for product managers to review when they go through roadmap planning.
Specific examples, details about impact, and how you currently handle things are the most helpful things to share to help our product teams understand the full scope of the need when working on solutions. We truly value customer feedback and your voice and votes on the product feedback topics in the community help influence future Zendesk functionality.
Please sign in to leave a comment.