
Multi-Factor Authentication

Multi-Factor Authentication (MFA) adds an extra layer of security to your Zoho account. When MFA is enabled, every sign-in requires you to verify your identity beyond entering your password, preventing unauthorized access even if your password is compromised.

Since Zoho supports Single Sign-On (SSO), enabling MFA on your Zoho account protects access to all Zoho services, including Zoho Invoice, with a single configuration. For a conceptual overview of MFA, refer to the Introduction to Multi-Factor Authentication guide.

Scenario: Patricia manages invoicing for multiple clients and shares account access with a team member. To ensure no one can sign in to her Zoho Invoice account with just a password, even if it is exposed, she enables MFA. Every sign-in now requires a second verification step, blocking unauthorized access even when credentials are compromised.

Prerequisites: You need an active Zoho account with sign-in access to accounts.zoho.com.

Accessing MFA Settings

MFA is managed at the Zoho account level, not within Zoho Invoice directly.

  1. Go to accounts.zoho.com and sign in with your registered email address and password.
  2. Click Multi-Factor Authentication in the left sidebar.

The Multi-Factor Authentication page is divided into three sections: First-factor sign-in modes, MFA Modes, and MFA Recovery Options.

First-Factor Sign-In Modes

First-factor sign-in modes are the primary methods you use to verify your identity at sign-in. They can replace the traditional password entirely for a passwordless experience.

Zoho OneAuth

Zoho OneAuth is Zoho’s own authentication app. It supports passwordless sign-in, acts as an OTP authenticator for non-Zoho accounts, and offers mobile SSO, backup, and recovery.

To set up Zoho OneAuth:

  1. Click Set up Now next to Zoho OneAuth on the Multi-Factor Authentication page.
  2. Download the Zoho OneAuth app on your mobile device when prompted.
  3. Follow the on-screen instructions to link the app to your Zoho account.

Zoho OneAuth is now linked to your account and ready to use for sign-in.

Passkey

A passkey lets you sign in to your Zoho account using your mobile device without a password. It provides a phishing-resistant sign-in experience.

To set up a passkey:

  1. Click Set up Now next to Passkey on the Multi-Factor Authentication page.
  2. Follow the on-screen instructions to register a passkey using your mobile device.

Your passkey is now registered and ready for passwordless sign-in.

Other Available First-Factor Modes

The following additional first-factor modes are also available on the Multi-Factor Authentication page:

  Mode               Description
  Email-based OTP    A one-time password is sent to your registered email address for verification.
  SMS-based OTP      A one-time password is sent to your registered mobile number via SMS.
  Linked Accounts    Sign in using a linked social or work account.
  Password           Sign in using your standard Zoho account password.

Click Manage next to any available mode to configure or update it.

MFA Modes

MFA modes add a mandatory second verification step after your primary sign-in. Once configured, you will be prompted to complete this step at every sign-in.

OTP Authenticator

An OTP authenticator app generates time-based, unique codes at fixed intervals. You enter the current code from the app to complete your sign-in. Any standard TOTP-compatible authenticator app, such as Google Authenticator, Microsoft Authenticator, or Authy, is supported.

To set up an OTP Authenticator:

  1. Click Set up Now next to OTP Authenticator on the Multi-Factor Authentication page.
  2. Open your authenticator app and scan the QR code displayed on the screen.
  3. Enter the six-digit code generated by the app to confirm the setup.

Security Key

A security key is a physical hardware device, typically a USB or NFC key, that you connect to your computer to verify your identity at sign-in. FIDO2-compatible keys, such as YubiKey, are supported.

To set up a security key:

  1. Click Set up Now next to Security Key on the Multi-Factor Authentication page.
  2. Insert your security key when prompted and follow the on-screen instructions to register it.

MFA Recovery Options

MFA recovery options let you regain account access if you lose the device associated with your MFA mode. Set these up immediately after enabling MFA.

Backup Verification Codes

Backup verification codes are single-use codes you can use to sign in when your regular MFA method is unavailable, for example, if you lose your phone.

  1. On the Multi-Factor Authentication page, scroll to the MFA Recovery Options section.
  2. Click Generate New Codes under Backup verification codes.
  3. Save the generated codes in a secure location. Each code can be used only once.

Note: The Generate New Codes button is enabled only after at least one MFA mode has been set up on your account.

Passphrase

A passphrase is a recovery key for Zoho OneAuth. If you lose access to the OneAuth app, you can use this passphrase to recover it.

  1. Click Generate Passphrase under Passphrase in the MFA Recovery Options section.
  2. Follow the prompts to create and store your passphrase securely.

Multi-Mode MFA

You can configure more than one MFA mode for your account. This gives you flexibility if your primary mode is unavailable at sign-in.

  • One configured mode is set as your primary MFA mode and is used by default.
  • If your primary mode is unavailable, you can switch to an alternate configured mode during sign-in.

MFA Lifetime and Trusted Browsers

By default, you are prompted to complete MFA verification at every sign-in. If you sign in regularly from the same device, you can mark your browser as trusted to reduce the frequency of MFA prompts.

  • The default MFA trust duration for a trusted browser is 180 days. After 180 days, you will be prompted to complete MFA verification again.
  • If your account is part of an organization, your administrator may reduce the trust duration or restrict the option to trust browsers entirely.

Org-Enforced MFA

If you are an organization administrator, you can enforce MFA for all users in your organization. After enforcement:

  • All users will be prompted to configure MFA at their next sign-in.
  • Users can only set up the MFA modes permitted by the organization’s policy.
  • Settings enforced by the administrator will appear as Enforced by Admin on the individual user’s Multi-Factor Authentication page and cannot be changed by the user.

Refer to the Users and Roles help page to learn how to manage user access and organization-level security settings.

MFA and Third-Party Mail Clients

If you use a third-party email client, such as Microsoft Outlook or Mozilla Thunderbird, that does not support MFA, you may encounter sign-in errors (typically an “incorrect password” message). This happens because the client cannot complete the MFA verification step.

To resolve this, use an application-specific password:

  1. Go to accounts.zoho.com and click Security in the left sidebar.
  2. Select App Passwords from the Security sub-menu.
  3. Click Generate New Password and follow the prompts to create a password for the third-party client.
  4. Use this generated password in your mail client instead of your regular Zoho account password.

Application-specific passwords allow the client to connect to your account without requiring the MFA verification step. Because such a password bypasses MFA, use it only in the mail client it was generated for and revoke it when that client is no longer in use.

Disabling or Re-Enabling MFA

To disable a configured MFA mode or switch to a different one:

  1. Go to accounts.zoho.com and click Multi-Factor Authentication in the left sidebar.
  2. Locate the active MFA mode you want to remove and follow the on-screen options to disable it.

Note: If MFA is enforced by your organization administrator, you may not be able to disable it independently. Contact your administrator for assistance.
