Two Factor Authentication
(Applicable only for Organization Administrators)
If you would like to tighten the protective controls over your secrets stored in Vault, you can always add an extra layer of security by enabling Two Factor Authentication for your Zoho account. But do note that this enforcement will apply to all users of your organization, and TFA will be enforced for all Zoho services, including Zoho Vault. Accessing any Zoho service through mobile apps and mobile browsers will also require going through TFA.
A) Enabling TFA:
In order to activate TFA from your Zoho Vault, go to Admin >> Two Factor Authentication and click on 'Enforce TFA'. A small window will pop-up requesting you to input your Zoho account password for the purpose of re-authentication before proceeding. Entering the password itself will complete the process and enforce TFA on your users to access their Zoho accounts.
B) Setting up TFA for your account
1. To begin, you need to first log in to your account with the usual credentials. Next, the following screen will be displayed, asking you to choose an authentication mode for verification.
2. If you choose the SMS message/voice call mode, you will receive a uniquely generated verification code on your phone, either as a voice call or as an SMS text, after inputting your number. Alternatively, you can also use the Google Authenticator app on your smartphone to generate the second-factor code.
- Verification through SMS text/Voice Call
- Verification through Google Authenticator
Note : If you trust the browser in which you operate and do not want to be prompted for the code again, you can check the 'Trusted Browsers' box (as shown in the above image) and you will not be asked for your code when using this browser on this computer.
3. If you wish to use Touch ID / Push Notification / Scan QR / Time-Based OTP as your second factor, you need to install Zoho's OneAuth application on your mobile device. The OneAuth app is available on the Android and iOS app stores. You should log out of the existing session and sign in again after any one of the TFA modes is turned on via the Zoho OneAuth mobile application.
C) Backup Factors: Once you are through with your verification process, you are also given a couple of backup options to ensure that you are not locked out of your account, in the event you do not receive your authentication code on your mobile.
Backup Phone: You can enter an additional mobile number to which the verification code can be resent, in case your primary registered device is not accessible. This is only an optional step and you can skip through to the next if you feel it is not necessary.
Backup Codes: These are codes that can be used when you can't receive the verification code on your phone. You can print or download them and keep them safe as a set of one-time-use backup verification codes for times when your phone is unavailable/lost, or when you are out of mobile network coverage, such as when you travel.
Note : If there arises a situation when you have used all the 5 codes generated as backup, you can again create a fresh set of backup codes from your Zoho Account settings.
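As an added illustration of the two factors described above (this is example code, not Zoho's own implementation), here is how a service verifies a Google Authenticator style time-based code (RFC 6238 TOTP, the same scheme behind the Time-Based OTP mode) and consumes a set of five single-use backup codes. The shared secret, the one-step tolerance window and the SHA-256 storage of backup codes are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: what Google Authenticator computes from a shared secret."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)          # time step number as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step or one step either side to absorb clock drift; compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + d * step, step), code)
        for d in range(-window, window + 1)
    )


class BackupCodes:
    """Five single-use codes: only hashes are kept, and each hash is deleted on first successful use."""

    def __init__(self, count: int = 5) -> None:
        self._plain = [secrets.token_hex(4) for _ in range(count)]  # shown once, for print/download
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self._plain}

    def issue(self) -> list:
        """Return the plaintext codes exactly once so the user can store them offline."""
        codes, self._plain = self._plain, []
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code; a second presentation of the same code is rejected."""
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```

When `remaining()` reaches zero the user must generate a fresh set, which is the situation the note above describes.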
D) Exempting specific users from TFA: Zoho Vault has the option to exempt specific users from TFA enforcement by disabling TFA for them from Admin >> User Management >> More Actions. Once taken off this list, those users will no longer be prompted for the second factor when signing in.
E) Resetting the TFA: In cases of users who have lost access to the mobile device they used at the time of their TFA activation, the administrator can select 'Reset TFA' under 'More Actions' so that the users can set up TFA again from the beginning, providing a new mobile number/Google Authenticator.
F) Disabling TFA for your organization: If you feel you do not need second-factor authentication for your users, you can revoke TFA enforcement anytime from Admin >> Two Factor Authentication >> Revoke TFA Enforcement. This will lift the overall control you enforced on your organization. But any user who wants to keep using TFA for his/her account can continue to do so by configuring/modifying the TFA option here.