Two Factor Authentication (2 Step Verification)

Two Factor Authentication is an additional security process that secures your account with a combination of your password and a mobile device. This reduces the chance of your account being hacked and protects your data with an extra layer of security.

How Two Factor Authentication works:

Login via Web browser:

Step 1: The user logs in with their Username and Password.

Step 2: If the password is correct, the user receives an additional secure code (via SMS, Voice call or the QR Code app, as per the TFA configuration).

Step 3: The user provides the secure code in the browser to access the account.
The user can choose to have the code remembered in that particular browser on the system for the next 45 days. If the user accesses the account from a different browser or a different system, a new code must be provided again to access the same account from that system/ browser.
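The web login flow above, as an added example (not Zoho's code): it assumes that the QR Code option is a standard RFC 6238 TOTP secret scanned into Google Authenticator (30-second windows, 6 digits), and models the "remember this browser for 45 days" choice as a random server-side token. Secret and timestamps in the usage are constructed values.

```python
import hashlib, hmac, secrets, struct

STEP, DIGITS = 30, 6          # RFC 6238 defaults, assumed for the QR-code/Google Authenticator mode
REMEMBER_DAYS = 45            # the page: a remembered browser skips the code for 45 days

def totp(secret: bytes, at: float) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second counter, dynamically truncated to 6 digits."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret: bytes, code: str, at: float, skew: int = 1) -> bool:
    """Step 2/3 check: accept the current window plus/minus `skew` windows for clock drift,
    comparing in constant time so a wrong code leaks nothing about the right one."""
    return any(hmac.compare_digest(totp(secret, at + i * STEP), code)
               for i in range(-skew, skew + 1))

class RememberedBrowsers:
    """Step 3's 'remember this browser': a random token (sent as a cookie) that stands in
    for the secure code on that browser for REMEMBER_DAYS, then expires."""
    def __init__(self):
        self._expiry = {}                      # token -> unix time after which it is rejected

    def remember(self, now: float) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits of randomness; never derived from the code
        self._expiry[token] = now + REMEMBER_DAYS * 86400
        return token

    def is_trusted(self, token: str, now: float) -> bool:
        # A different browser or system has no token, so it must send a fresh code.
        return now < self._expiry.get(token, 0)

if __name__ == "__main__":
    SECRET = b"12345678901234567890"          # RFC 6238 test-vector secret (constructed input)
    print(totp(SECRET, 59), verify_totp(SECRET, "287082", 59))
```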

Access via POP/ IMAP or Active Sync protocols:

Step 1: The user generates a unique Application Specific Password for each external application used.

Step 2: When configuring the Zoho account in the application, provide the 16 digit Application Specific Password instead of the regular password.

Step 3: Upon successful validation, you will be able to access your account.

Application Specific Passwords never expire, so you need not update the password in the application even if your web password expires. You can revoke an Application Specific Password from the TFA settings to block access for that particular application. When a user resets the password, the user can choose to revoke auth tokens, which also revokes the application specific passwords.

Zoho Mail Apps for iOS and Android (Apps created and published by Zoho):

Zoho Mail provides the Zoho Mail and Inbox Insight apps for both iOS and Android devices, for accessing Zoho Mail with its full set of features from smartphones. These apps do not require an application specific password to log in. You just need to provide the secure code to log in to the app.

Step 1: The user logs in with Username and Password.

Step 2: The user gets a secure code via SMS, Voice call or the QR Code app linked with the account during set up.

Step 3: The user provides the secure code in the browser to access the account.
The user can choose to have the code remembered in that particular browser on the system for the next 45 days. If the user accesses the system from a different browser or a different system, the code must be provided again.

Two Factor Authentication for Organizations

As a security measure, you can mandate Two Factor Authentication (TFA) for the organization. All users must then use the additional security code to log in to their accounts. Hence make sure that each user has access to a mobile device to get the secure code via SMS, Voice call or the mobile app with the QR code scan option.

  1. Login to www.zoho.com/mail as Administrator
  2. Click Control Panel >> Dashboard >> Two Factor Authentication
  3. Select the option 'On' to enable and enforce Two Factor Authentication for all users in the organization.

Once you enable TFA, users will choose the TFA mode (SMS using a mobile number or QR Code scanning) to set up their preferred Two Factor Authentication method the next time they log in. You can turn TFA off to disable it for the entire organization.

However, a user who has already configured TFA for the account needs to disable TFA again separately.

Steps to Reset TFA for Specific Users:

The administrator can reset TFA for users who have lost their mobile device or no longer have access to the mobile device they used when activating TFA.

  1. Login to www.zoho.com/mail as Administrator
  2. Click Control Panel >> Mail Accounts >> Select the user
  3. Select Reset TFA for the user for whom you want to reset the TFA process.
  4. The next time the user logs in, the user can set up TFA from the beginning, providing a new mobile number/ Google Authenticator.

Steps to Enable/ Disable TFA for Specific Users:

The administrator can enable or disable the TFA status for users from the Control Panel.

  1. Login to http://www.zoho.com/mail as Super Admin
  2. Click Control Panel >> User Details
  3. Select Two Factor Authentication
  4. Select 'Enable' or 'Disable' to enable/disable Two Factor Authentication for the user.

Generating Application Specific Passwords

Users need to generate and use an application specific password when accessing the email account via POP/ IMAP or Active Sync, if Two Factor Authentication is enabled for the account.

Steps to generate Application Specific Passwords:

  1. Login to http://www.zoho.com/mail as user
  2. Click the My Account link at the top to view Zoho Accounts
  3. Select Two Factor Authentication >> Manage Application specific passwords.
  4. Provide the device name and your current web login password on the page. The device name is just a reference name for you to verify/ revoke the password in future.
  5. Select 'Generate' to view the application specific password.
  6. The device specific password is displayed only once and will not be displayed again.
  7. Use the password without any spaces in the device.
  8. You can select the Show generated passwords link to view the generation time and device name of each past password.
  9. You can revoke any password if you no longer use the device or want to remove access for the application.
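The Application Specific Password lifecycle from the POP/ IMAP section and the steps above, as an added example (not Zoho's code): generate a 16-character password per device name, show it once and keep only a salted hash, accept it with any spaces removed, and revoke it per device. The character set, hash parameters and device names are assumptions for this example.

```python
import hashlib, hmac, secrets, string
from typing import Dict, Optional, Tuple

class AppPasswords:
    """Application Specific Passwords: never expire, one per device name, revocable."""
    ALPHABET = string.ascii_lowercase + string.digits   # assumed; the page only says "16 digit"
    LENGTH = 16

    def __init__(self):
        self._by_device: Dict[str, Tuple[bytes, bytes]] = {}   # device name -> (salt, hash)

    @staticmethod
    def _hash(salt: bytes, pw: str) -> bytes:
        # Only a salted hash is stored, so a leaked table does not reveal usable passwords.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def generate(self, device: str) -> str:
        """Step 5: the clear-text value is returned exactly once and never stored."""
        pw = "".join(secrets.choice(self.ALPHABET) for _ in range(self.LENGTH))
        salt = secrets.token_bytes(16)
        self._by_device[device] = (salt, self._hash(salt, pw))
        return pw

    def verify(self, candidate: str) -> Optional[str]:
        """Step 7: spaces are ignored; returns the matching device name, or None."""
        candidate = candidate.replace(" ", "")
        for device, (salt, digest) in self._by_device.items():
            if hmac.compare_digest(self._hash(salt, candidate), digest):
                return device
        return None

    def devices(self) -> list:
        """Step 8: the 'Show generated passwords' view lists device names, never the passwords."""
        return sorted(self._by_device)

    def revoke(self, device: str) -> None:
        """Step 9: the mail client using this password is locked out on its next login."""
        self._by_device.pop(device, None)
```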