If you sign in to Zendesk usingstandard Zendesk authentication, you can turn on two-factor authentication. Two-factor authentication makes it difficult for somebody else to sign in as you. After you enter your password as usual, you'll be asked to enter a 6-digit passcode. You can get the passcode from a text message (SMS) or a two-factor authentication app installed on your mobile device.
If you want to get your passcodes from a two-factor authentication app, install one on your mobile device before turning on two-factor authentication in Zendesk Support. Two-factor authentication apps includeGoogle Authenticator,Authy,Symantec VIP, andDuo Mobile. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
By default, you only have to enter a passcode once every 30 days. You can choose to enter a passcode every time you sign in.
An admin canrequiretwo-factor authentication for all agents and administrators, but the admin can't set it up for them. You'll need to set it up the next time you sign in, as described inTurning on two-factor authentication. Even if it's not a requirement, you can still set up two-factor authentication for your own use.
This article covers the following topics:
Turning on two-factor authentication
- In the Zendesk Support agent interface, click your user icon in the upper right and selectView profile.
- Click theSecurity Settingstab.
- In theTwo-Factor Authenticationsection, clickManage.
- ClickSet up 2FA.
A dialog appears with two options to get the passcodes.
- Depending on how you want to get your passcodes when you sign in, selectAuthenticator apporSMS, then clickNext.
- Follow the onscreen instructions to set up two-factor authentication.For more information, see:
Configuring a two-factor authentication app
Make sure a two-factor authentication app is installed on your mobile device. Examples includeGoogle Authenticator,Authy,Symantec VIP, andDuo Mobile.
- If not already done, chooseAuthenticator appin theSet up two-factor authentication (2FA)dialog inTurning on two-factor authentication, then clickNext.
You are directed to theConnect your 2FA methodstep.
- Start the two-factor authentication app on your device, select the option to add an entry, and point your device's camera at the QR code (the blocky square) on the Zendesk dialog in your browser window.
The mobile app might refer to this action asScan Barcode.
The app should automatically scan the QR code and generate a passcode. If you have trouble scanning the QR code, you can manually enter the secret key that's provided.
Note:Scanning the barcode is a one-time-only step. - Enter the 6-digit passcode generated by the app, then clickSave.
A notification email is sent to your email address.
- Download your recovery codes from the notification email. If you lose your phone or can't access your device, the recovery codes are the only way to access your account again. SeeUsing and getting more recovery codes.
From now on, when you sign in, you can get a valid passcode by simply opening a two-factor authentication app on your device. The app displays a valid passcode on the opening screen. You typically get 60 seconds to use it before it expires, then the app displays a new passcode.
The app doesn't need an Internet connection to display valid passcodes.
Configuring text messages (SMS)
- If not already done, chooseSMSin theSet up two-factor authentication (2FA)dialog inTurning on two-factor authentication, then clickNext.
- Enter a phone number that can receive text messages, then clickSend passcode.
A text message will be sent to the number shortly.
Note:The phone number must be in E.164 format. - Enter the 6-digit code sent to you, then clickSave.
- Download your recovery codes from the notification email you receive after enabling two-factor authentication. If you lose your phone or can't access your device, recovery codes are the only way to reaccess your account. SeeUsing your recovery codes.
From now on, when you sign in, you can get a valid passcode from a text message sent to your phone.
Changing how often you enter a passcode
By default, you only have to enter a passcode once every 30 days. You'll always be asked for a passcode when you sign in from a different device for the first time.
To enter a passcode every time you sign in, uncheck theDon't ask again on this computer for 30 daysoption on the dialog that prompts you for a passcode:
Turning off two-factor authentication
If two-factor authentication is not a requirement, but you turned it on anyway, you can turn it off.
- In the Zendesk Support agent interface, click your user icon in the upper right and selectView profile.
- Click theSecurity Settingstab.
- In theTwo-Factor Authenticationsection, clickManage.
- ClickTurn off 2FA.
Using and getting more recovery codes
If you lose your phone or can't access your device, you can use one of your recovery codes to reaccess your account. When prompted for a passcode at sign-in, enter one of your recovery codes.
You can only use each code once. If you use up all your codes, you can ask your Zendesk admin or account owner to get a recovery code for you. SeeGetting a recovery code for someone else.
After you're signed in, you can get another set of recovery codes from your user profile page as follows:
- In the Zendesk Support agent interface, click your profile icon in the upper-right and selectView profile.
- Click theSecurity Settingstab.
- In theTwo-Factor Authenticationsection, clickManage.
- ClickDownload recovery codes.
27 Comments
If an agent's phone number changes, how can I change it so they continue to receive the SMS 2FA codes?
Hello @pstrauss,
An Agent can make this change in their own profile by following this process:
1) Select the Admin gear icon on the lefthand side of your Zendesk Support and choose People.
2) Search your own name and select edit.
3) Then select the 'Security settings' tab.
4) Once there, choose 'Edit' under 'Two-Factor Authentication'
5) Select Use SMS, and you'll be able to update the Two-Factor Authentication number.
您可以了解更多关于管理因子authentication here:
Managing 2-factor authentication
If 2FA is already enabled, but set to SMS, is there a way to switch only selected users to "use mobile app" or is this a global setting. If it is switched over to "use mobile app" would it force the users to register the app on next log on, or simply provide an option.
Thanks
Hello@...,
Please note it is possible to have only one 2FA method, either SMS or the mobile app, not both.
The agents need to specify which they want to use themselves when setting up their 2FA.
If the 2FA method is switched from one to the other, the next time the agent signs on they would be forced to use that method.
Whatever the method, when the agent chooses the method, they will either have to scan the QR code with the mobile app, or provide a telephone number in their profile for the SMS.
Hope that clarifies!
Given you already support google authenticator then there is a hardware token that can be used with zendesk - you can use a safeid/diamond token;
https://deepnetsecurity.com/authenticators/one-time-password/safeid/
The token is a programmable token so would be seeded using the same QR code you use when seeding the google authenticator app (you use an app on your phone or PC to program the token via NFC). Once programmed it generates the same OTP codes the google authenticator produces but is then a fully independent and self-powered device.
Thanks, Jeffrey!
Hello,
I cannot log in to my Zendesk account (emailasharipova@cloudlinux.com) because of the 2FA. I don't receive a message with a code, and the code from apps is not working. Can you please disable 2FA in my account or help me with a code?
Hello Azaliya,
Sorry about the trouble however Zendesk does not have the capability to disable 2FA on your account or provide you with a code unless there is no one else who is able to do it for you.
We suggest reaching out to any of the admins in your Support instance for assistance in this matter.
End-users need this also; extremely poor/insecure/unsafe design.
I'd like to roll this out to our users, but I'm unclear what that would look like once I enable 2FA.. Could you explain how the users configure their phone number? Once rolled out, if they don't already have one, will they be prompted or sent an email to add a phone number?
The behavior when you enable 2FA is discussed inEnabling 2-Factor Authentication. Once your agent logs in, they will be prompted to enable it by mobile app or SMS.
Hope this helps!
I would like to request that 2FA be required on every log in. This is a security requirement from a government agency.
The topic notes "2-factor authentication apps include Google Authenticator, Authy, Symantec VIP, and Duo Mobile."Can Microsoft Authenticator be used?
HiStan Kutzko
Yes, Microsoft Authenticator can be used. Those are just the commonly used authenticators.
HelloDainne Lucena
I'm having trouble logging in; it says the authentication code is invalid even when I enter the code displayed in Google authentication via my mobile phone. I even tried a recovery code, but it didn't work. Please assist. Thanks!
Hello Team,
Does 2FA prompt for an approval when someone is logging through API?
HeySravanthi Muppavarapu! If a user has 2FA enabled and attempts to use basic authentication (email/password) to authenticate their API call, there will not be a prompt for 2FA. Instead, the API call will fail with a 401 error due to 2FA being enabled. To successfully make API calls with 2FA enabled, we recommend one of the other authentication methods listed here:Security and authentication
Can two factor authentication be used for user access? If not today, does Zendesk plan to offer this as an option?
HiStan Kutzko,
When you say 2FA for user access, did you mean as a standard Zendesk sign-in? If so, I don't think this is an option yet as 2FA is a security system that requires two separate, distinct forms of identification in order to access the account and this is only used for another layer of security for your agents/admins.
I can mark this as feedback so our dev/product team can check and evaluate this! However, I'd like to manage your expectations that we can't provide an exact ETA but if there's an update about this, all our customers will be able to get about a new feature.
On the other hand, if this is not what you're referring to, kindly please provide us with more information about what you're trying to achieve so we can provide an accurate response.
Hi Darenne,
我们正在寻找额外的安全当我们的我们ers (end user consumer) signs in to our help desk. Ideally, we'd like to see both the following authentication options:
Since this is an end-user allowing them multiple options to authenticate would be crucial to a good user experience. Thanks!
HiStan Kutzko,
Thanks for the clarification. At this time, unfortunately, we don't support this feature. I've taken a look and found that other users are discussing similar needs here:https://support.zendesk.com/hc/en-us/community/posts/4408860744346
You can up-vote that original post and add your detailed use case to the conversation. Threads with a high level of engagement ultimately get flagged for product managers to review when they go through roadmap planning.
具体的例子,细节的影响,以及如何you currently handle things are the most helpful things to share to help our product teams understand the full scope of the need when working on solutions. We truly value customer feedback and your voice and votes on the product feedback topics in the community help influence future Zendesk functionality.
It looks like there is an important section of this article missing.
Quote:
If you are wanting to force all ZenDesk Agents to set up 2FA when they next log in, the ability to do so is referenced but never elaborated on. Please, find the option following the path below:
Admin Center > Security: Advanced > Authentication > Require two-factor authentication (2FA): Require all team members to use 2FA when they sign in to Zendesk.
I believe there is a separate article that again goes unreferenced here:
https://support.zendesk.com/hc/en-us/articles/4408826974874
As per security best practises we'd like to make it so that our team canonlyset up using an authenticator and not a mobile. Is this something that's possible, or is it on the security roadmap?
How does enabling 2 -factor authentication impact Webhooks?
Enabling 2-factor authentication will require the use of mobile devices. I'm afraid that there's currently no option to solely use an authenticator alone. I encourage you to create a new post in theGeneral Product Feedback topicin our community to engage with other users who have similar needs and discuss possible workarounds. Conversations with a high level of engagement ultimately get flagged for product managers to review when they go through roadmap planning.
Enabling 2-factor authentication should not have an impact with Webhooks. If your Webhooks usesAPI tokenthat are generated from the Admin Center, those tokens are not used in 2-factor authentication. In addition, this should also not have any impact with Webhooks using basic authentication (username/password)
如果您的人则使用基本真实ation, you will have to update them to API token or Oauth when setting to require 2FA. This article explains the details.
https://developer.zendesk.com/documentation/ticketing/using-the-zendesk-api/using-the-api-with-2-factor-authentication-enabled/
Pleasesign into leave a comment.