Two-factor authentication
Traditional user authentication consists of a username and password. This provides minimal security, since passwords may be easy to guess and users tend to re-use the same password across multiple accounts.
Two-factor authentication (2FA) requires two different forms of user authentication, which provides a higher level of assurance. In Zuora, the two factors are:
- A user-selected password
- A randomly generated code delivered to a mobile device through SMS or an authentication application
Users must enter the code within a certain timeframe for successful authentication.
Prerequisites
You must have one of the following to use two-factor authentication:
- SMS-enabled mobile phone
- Authentication application for mobile phone or tablet
Recommended authentication applications
Zuora recommends the following authentication applications:
Authentication application | Tested by Zuora | Supported by Zuora |
---|---|---|
Google Authenticator | Yes | Yes |
Duo Mobile | Yes | Yes |
Amazon AWS MFA (Android only) | Yes | Yes |
Microsoft Authenticator | No | No |
Setup and challenge
For all UI users to log in, the Zuora administrator needs to complete the following steps:
- Authentication setup
- Re-authentication
Users have the option of receiving the authentication code in two ways:
- SMS
- Authentication application
The following cases require re-authentication:
- User logs in to Zuora UI after the Remember me for 30 days period has expired.
- User logs in from another machine or browser where the Remember me for 30 days option has not been enabled.
SMS setup
- Log in to the Zuora application. You will be prompted to set up two-factor authentication.
- Click continue.
- Select Use text messages and click next. You will be prompted to enter your mobile number.
- Select the appropriate country code and enter your mobile number.
- Click next. You will be sent an authentication code.
- Retrieve the most recent authentication code sent by Zuora. The authentication code expires within 5 minutes of receiving it.
- Enter the authentication code. If the authentication code is not entered within 5 minutes of receipt, you will have to request a new one to be sent.
If your authentication code expired or you did not receive one, click Didn't receive a code? to receive a new authentication code. If you enter the wrong code, you will receive an error message and will be asked to re-enter the authentication code.
- If you don't want to be prompted to enter another code on that particular machine and browser for 30 days, select the Remember me for 30 days checkbox. If you sign in to Zuora from various machines or browsers, you will have to set up 2FA for every machine or browser.
If you set up two-factor authentication on a trusted machine and a safe browser that you use to access Zuora regularly, Zuora recommends enabling Remember me for 30 days. If you access Zuora on a public machine or an unsafe browser, Zuora does not recommend enabling Remember me for 30 days.
- Click next. After you've entered the correct authentication code, a success message will be displayed.
Re-authentication using SMS
You can retrieve the authentication code from the most recent SMS from Zuora.
Authentication application setup
- Log in to the Zuora application. You will see a screen informing you that two-factor authentication has been enabled for your account.
- Click continue.
- Select Use a mobile app. You will be prompted to scan a QR code.
- Scan the code, using your preferred authentication application on your mobile phone or tablet.
- Click next.
- Enter the authentication code generated by your application.
- If you don't want to be prompted to enter another code on that particular machine and browser for 30 days, select the Remember me for 30 days checkbox. If you sign in to Zuora from various machines or browsers, you must set up 2FA for every machine or browser.
If you set up two-factor authentication on a trusted machine and a safe browser that you use to access Zuora regularly, Zuora recommends enabling Remember me for 30 days. If you access Zuora on a public machine or an unsafe browser, Zuora does not recommend enabling Remember me for 30 days.
- Click next. After you've entered the correct authentication code, a success message will be displayed.
Re-authentication using authentication application
You can retrieve the latest code generated by your authentication application for Zuora.
Reset two-factor authentication
You can disable or reset two-factor authentication for a tenant or specific user.
If an individual user loses their phone or their phone crashes, they will not be able to use two-factor authentication. If this occurs, you can disable 2FA access for a specific user in Administration > Manage Users.
If you disable two-factor authentication at the tenant level or for a specific user, all users in that tenant, or that specific user, only have to enter their Zuora username and password when logging in to Zuora.
When two-factor authentication is re-enabled, all users in the tenant, or the specific user, have to set up 2FA from the beginning.
If you are a Zuora administrator and you lose your phone, contact Zuora Support to disable or enable two-factor authentication. Zuora recommends having at least two Zuora administrators, in case one loses their phone.
Disable two-factor authentication
Two-factor authentication can be disabled on a tenant level. By default, 2FA is enabled.
By disabling two-factor authentication, the customer acknowledges the risks of doing so and accepts responsibility for any data loss or potential compromise of tenant user accounts that use a single factor of authentication.
- Navigate to Administration > Security Policies.
- Click edit.
- Disable Two-Factor Authentication.
- Click save.