# Multi-Factor Authentication

Multi-Factor Authentication (MFA) adds an extra layer of security to your Zoho account. When MFA is enabled, every sign-in requires you to verify your identity beyond entering your password, preventing unauthorized access even if your password is compromised.

Since Zoho supports Single Sign-On (SSO), enabling MFA on your Zoho account protects access to all Zoho services, including Zoho Invoice, with a single configuration. For a conceptual overview of MFA, refer to the [Introduction to Multi-Factor Authentication](https://help.zoho.com/portal/en/kb/accounts/multi-factor-authentication/articles/mfa-introduction) guide.

**Scenario:** Patricia manages invoicing for multiple clients and shares account access with a team member. To ensure no one can sign in to her Zoho Invoice account with just a password, even if it is exposed, she enables MFA. Every sign-in now requires a second verification step, blocking unauthorized access even when credentials are compromised.

**Prerequisites:** You need an active Zoho account with sign-in access to [accounts.zoho.com](https://accounts.zoho.com/).

## Accessing MFA Settings

MFA is managed at the Zoho account level, not within Zoho Invoice directly.

1. Go to [accounts.zoho.com](https://accounts.zoho.com/) and sign in with your registered email address and password.
2. Click **Multi-Factor Authentication** in the left sidebar.

The _Multi-Factor Authentication_ page is divided into three sections: _First-factor sign-in modes_, _MFA Modes_, and _MFA Recovery Options_.

## First-Factor Sign-In Modes

First-factor sign-in modes are the primary methods you use to verify your identity at sign-in. They can replace the traditional password entirely for a passwordless experience.

### Zoho OneAuth

Zoho OneAuth is Zoho’s own authentication app. It supports passwordless sign-in, acts as an OTP authenticator for non-Zoho accounts, and offers mobile SSO, backup, and recovery.

To set up Zoho OneAuth:

1. Click **Set up Now** next to **Zoho OneAuth** on the _Multi-Factor Authentication_ page.
2. Download the Zoho OneAuth app on your mobile device when prompted.
3. Follow the on-screen instructions to link the app to your Zoho account.

Zoho OneAuth is now linked to your account and ready to use for sign-in.

### Passkey

A passkey lets you sign in to your Zoho account using your mobile device without a password. It provides a phishing-resistant sign-in experience.

To set up a passkey:

1. Click **Set up Now** next to **Passkey** on the _Multi-Factor Authentication_ page.
2. Follow the on-screen instructions to register a passkey using your mobile device.

Your passkey is now registered and ready for passwordless sign-in.

### Other Available First-Factor Modes

The following additional first-factor modes are also available on the _Multi-Factor Authentication_ page:

| Mode | Description |
| --- | --- |
| **Email-based OTP** | A one-time password is sent to your registered email address for verification. |
| **SMS-based OTP** | A one-time password is sent to your registered mobile number via SMS. |
| **Linked Accounts** | Sign in using a linked social or work account. |
| **Password** | Sign in using your standard Zoho account password. |

Click **Manage** next to any available mode to configure or update it.

## MFA Modes

MFA modes add a mandatory second verification step after your primary sign-in. Once configured, you will be prompted to complete this step at every sign-in.

### OTP Authenticator

An OTP authenticator app generates time-based, unique codes at fixed intervals. You enter the current code from the app to complete your sign-in. Any standard TOTP-compatible authenticator app, such as Google Authenticator, Microsoft Authenticator, or Authy, is supported.

To set up an OTP Authenticator:

1. Click **Set up Now** next to **OTP Authenticator** on the _Multi-Factor Authentication_ page.
2. Open your authenticator app and scan the QR code displayed on the screen.
3. Enter the six-digit code generated by the app to confirm the setup.

### Security Key

A security key is a physical hardware device, typically a USB or NFC key, that you connect to your computer to verify your identity at sign-in. FIDO2-compatible keys, such as YubiKey, are supported.

To set up a security key:

1. Click **Set up Now** next to **Security Key** on the _Multi-Factor Authentication_ page.
2. Insert your security key when prompted and follow the on-screen instructions to register it.

## MFA Recovery Options

MFA recovery options let you regain account access if you lose the device associated with your MFA mode. Set these up immediately after enabling MFA.

### Backup Verification Codes

Backup verification codes are single-use codes you can use to sign in when your regular MFA method is unavailable, for example, if you lose your phone.

1. On the _Multi-Factor Authentication_ page, scroll to the **MFA Recovery Options** section.
2. Click **Generate New Codes** under **Backup verification codes**.
3. Save the generated codes in a secure location. Each code can be used only once.

**Note:** The **Generate New Codes** button is enabled only after at least one MFA mode has been set up on your account.

### Passphrase

A passphrase is a recovery key for Zoho OneAuth. If you lose access to the OneAuth app, you can use this passphrase to recover it.

1. Click **Generate Passphrase** under **Passphrase** in the _MFA Recovery Options_ section.
2. Follow the prompts to create and store your passphrase securely.

## Multi-Mode MFA

You can configure more than one MFA mode for your account. This gives you flexibility if your primary mode is unavailable at sign-in.

* One configured mode is set as your **primary** MFA mode and is used by default.
* If your primary mode is unavailable, you can switch to an alternate configured mode during sign-in.

## MFA Lifetime and Trusted Browsers

By default, you are prompted to complete MFA verification at every sign-in. If you sign in regularly from the same device, you can mark your browser as trusted to reduce the frequency of MFA prompts.

* The default MFA trust duration for a trusted browser is **180 days**. After 180 days, you will be prompted to complete MFA verification again.
* If your account is part of an organization, your administrator may reduce the trust duration or restrict the option to trust browsers entirely.

## Org-Enforced MFA

If you are an organization administrator, you can enforce MFA for all users in your organization. After enforcement:

* All users will be prompted to configure MFA at their next sign-in.
* Users can only set up the MFA modes permitted by the organization’s policy.
* Settings enforced by the administrator will appear as **Enforced by Admin** on the individual user’s _Multi-Factor Authentication_ page and cannot be changed by the user.

Refer to the [Users and Roles](/kw/invoice/help/settings/users.html) help page to learn how to manage user access and organization-level security settings.

## MFA and Third-Party Mail Clients

If you use a third-party email client, such as Microsoft Outlook or Mozilla Thunderbird, that does not support MFA, you may encounter sign-in errors (typically an “incorrect password” message). This happens because the client cannot complete the MFA verification step.

To resolve this, use an application-specific password:

1. Go to [accounts.zoho.com](https://accounts.zoho.com/) and click **Security** in the left sidebar.
2. Select **App Passwords** from the _Security_ sub-menu.
3. Click **Generate New Password** and follow the prompts to create a password for the third-party client.
4. Use this generated password in your mail client instead of your regular Zoho account password.

Application-specific passwords allow the client to connect to your account without requiring the MFA verification step.

## Disabling or Re-Enabling MFA

To disable a configured MFA mode or switch to a different one:

1. Go to [accounts.zoho.com](https://accounts.zoho.com/) and click **Multi-Factor Authentication** in the left sidebar.
2. Locate the active MFA mode you want to remove and follow the on-screen options to disable it.

**Note:** If MFA is enforced by your organization administrator, you may not be able to disable it independently. Contact your administrator for assistance.

## You might also find these helpful

* [Forgot Password and Reset](/invoice/kb/general/forgot-password.html?src=help-other-resources): Learn how to reset your Zoho Invoice account password if you've forgotten it.
* [Change Account Email](/invoice/kb/general/change-account-email.html?src=help-other-resources): Learn how to update the email address associated with your Zoho Invoice account.
* [Add Mobile Number](/invoice/kb/general/add-mobile-number.html?src=help-other-resources): Learn how to add and verify a mobile number on your account, required for SMS-based MFA.