If you sign in to Zendesk usingstandard Zendesk authentication, you can turn on 2-factor authentication. 2-factor authentication makes it difficult for somebody else to sign in as you. After you enter your password as usual, you'll be asked to enter a 6-digit passcode. You can get the passcode from a text message (SMS) or from a 2-factor authentication app installed on your mobile device.
If you want to get your passcodes from a 2-factor authentication app, install one on your mobile device before enabling 2-factor authentication in Zendesk Support. 2-factor authentication apps includeGoogle Authenticator,Authy,Symantec VIP, andDuo Mobile. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
By default, you only have to enter a passcode once every 30 days. You can choose to enter a passcode every time you sign in.
An admin canrequire2-factor authentication for all agents and administrators, but the admin can't set it up for them. You'll need to set it up the next time you sign in, as described inEnabling 2-factor authenticationbelow. Even if it's not a requirement, you can still set up 2-factor authentication for your own use.
Topics covered in this article:
Enabling 2-factor authentication
- In the Zendesk Support agent interface, click your user icon in the upper right and selectView profile.
- Open theSecurity Settingstab.
- In theEnable Two-factor Authentication部分中,点击Enable.
A dialog box appears with two options to get the passcodes.
- Depending on how you want to get your passcodes when you sign in, selectUse mobile apporUse SMS, and follow the onscreen instructions. For more information, see:
配置一个2-factor authentication app
Make sure a 2-factor authentication app is installed on your mobile device. Examples includeGoogle Authenticator,Authy,Symantec VIP, andDuo Mobile.
- If not already done, chooseUse Mobile Appin theEnable two-factor authenticationdialog box inEnabling 2-factor authentication.
The following dialog box appears:
- 启动因子认证应用井斜ce, select the option to add an entry, and point your device's camera at the QR code (the blocky square) on the Zendesk dialog box in your browser window.
The mobile app might refer to this action asScan Barcode.
The app should automatically scan the QR code and generate a passcode. If you have trouble scanning the QR code, you can manually enter the secret key that's provided.
Note:Scanning the barcode is a one-time-only step. - In the Zendesk dialog box in your browser, clickNextto go to step 2 of the configuration process, enter the 6-digit passcode generated by the app, and clickVerify.
A notification email is sent to your email address.
- Download your recovery codes from the notification email. If you lose your phone or can't access your device for any reason, the recovery codes are the only way to access your account again. SeeUsing your recovery codesbelow.
From now on when you sign in, you can get a valid passcode by simply opening a 2-factor authentication app on your device. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
The app doesn't need an Internet connection to display valid passcodes.
Configuring text messages (SMS)
- If not already done, chooseUse SMSin theEnable two-factor authenticationdialog box inEnabling 2-factor authentication.
- Enter a phone number that can receive text messages and clickNext.
A text message will be sent to the number shortly.
Note:The phone number must be in E.164 format. - Enter the 6-digit code sent to you and clickVerify.
- Download your recovery codes from the notification email you receive after enabling 2-factor authentication. If you lose your phone or can't access your device for any reason, recovery codes are the only way to access your account again. SeeUsing your recovery codesbelow.
From now on when you sign in, you can get a valid passcode from a text message sent to your phone.
Changing how often you enter a passcode
By default, you only have to enter a passcode once every 30 days. You'll always be asked for a passcode when you sign in from a different device for the first time.
To enter a passcode every time you sign in, uncheck theDon't ask again on this computer for 30 daysoption on the dialog box that prompts you for a passcode:
Disabling 2-factor authentication
If 2-factor authentication is not a requirement but you enabled it anyway, you can disable it as follows:
- In the Zendesk Support agent interface, click your user icon in the upper right and selectView profile.
- Select theSecurity Settingstab, then clickEditin theTwo-factor Authenticationsection.
- Click the link on the lower side of the screen to turn off 2-factor authentication.
Using and getting more recovery codes
If you lose your phone or can't access your device for any reason, you can use one of your recovery codes to access your account again. You can only use each code once.
- When prompted for a passcode at sign-in, enter one of your recovery codes.
If you use up all your codes, you can ask your Zendesk account owner to get a recovery code for you. Refer toGetting a recovery code for someone else.
Once you're signed in, you can get another set of recovery codes from your user profile page as follows:
- In the Zendesk Support agent interface, click your profile icon in the upper-right and selectView profile.
- Open theSecurity Settingstab and clickDownload Recovery Codes.
14 Comments
If an agent's phone number changes, how can I change it so they continue to receive the SMS 2FA codes?
Hello @pstrauss,
An Agent can make this change in their own profile by following this process:
1) Select the Admin gear icon on the lefthand side of your Zendesk Support and choose People.
2) Search your own name and select edit.
3) Then select the 'Security settings' tab.
4) Once there, choose 'Edit' under 'Two-Factor Authentication'
5) Select Use SMS, and you'll be able to update the Two-Factor Authentication number.
You can learn more about Managing 2-factor authentication here:
Managing 2-factor authentication
If 2FA is already enabled, but set to SMS, is there a way to switch only selected users to "use mobile app" or is this a global setting. If it is switched over to "use mobile app" would it force the users to register the app on next log on, or simply provide an option.
Thanks
Hello@...,
Please note it is possible to have only one 2FA method, either SMS or the mobile app, not both.
The agents need to specify which they want to use themselves when setting up their 2FA.
If the 2FA method is switched from one to the other, the next time the agent signs on they would be forced to use that method.
Whatever the method, when the agent chooses the method, they will either have to scan the QR code with the mobile app, or provide a telephone number in their profile for the SMS.
Hope that clarifies!
Given you already support google authenticator then there is a hardware token that can be used with zendesk - you can use a safeid/diamond token;
https://deepnetsecurity.com/authenticators/one-time-password/safeid/
The token is a programmable token so would be seeded using the same QR code you use when seeding the google authenticator app (you use an app on your phone or PC to program the token via NFC). Once programmed it generates the same OTP codes the google authenticator produces but is then a fully independent and self-powered device.
Thanks, Jeffrey!
Hello,
I cannot log in to my Zendesk account (emailasharipova@cloudlinux.com) because of the 2FA. I don't receive a message with a code, and the code from apps is not working. Can you please disable 2FA in my account or help me with a code?
Hello Azaliya,
Sorry about the trouble however Zendesk does not have the capability to disable 2FA on your account or provide you with a code unless there is no one else who is able to do it for you.
We suggest reaching out to any of the admins in your Support instance for assistance in this matter.
End-users need this also; extremely poor/insecure/unsafe design.
I'd like to roll this out to our users, but I'm unclear what that would look like once I enable 2FA.. Could you explain how the users configure their phone number? Once rolled out, if they don't already have one, will they be prompted or sent an email to add a phone number?
The behavior when you enable 2FA is discussed inEnabling 2-Factor Authentication. Once your agent logs in, they will be prompted to enable it by mobile app or SMS.
Hope this helps!
我我们uld like to request that 2FA be required on every log in. This is a security requirement from a government agency.
The topic notes "2-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile."Can Microsoft Authenticator be used?
HiStan Kutzko
Yes, Microsoft Authenticator can be used. Those are just the commonly used authenticators.
Pleasesign into leave a comment.