Two-factor authentication

Traditional user authentication consists of a username and password. This provides minimal security, since passwords may be easy to guess and users tend to re-use the same password across multiple accounts.

Two-factor authentication (2FA) requires two different forms of user authentication, which provides a higher level of assurance. It consists of the following:

  1. A user-selected password
  2. A randomly generated code delivered to a mobile device through SMS or an authentication application

Users must enter the code within a certain timeframe for successful authentication.

Prerequisites

You must have one of the following to use two-factor authentication:

  • SMS enabled mobile phone
  • Authentication application for mobile phone or tablet

Recommended authentication applications

Zuora recommends the following authentication applications:

Authentication application | Tested by Zuora | Supported by Zuora
Google Authenticator (https://support.google.com/accounts/answer/1066447?hl=en) | Yes | Yes
Duo Mobile (http://guide.duosecurity.com/third-party-accounts) | Yes | Yes
Amazon AWS MFA, Android only (https://aws.amazon.com/iam/details/mfa/) | Yes | Yes
Microsoft Authenticator (https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to) | No | No

Setup and challenge

For all UI users to log in, the Zuora administrator needs to complete the following steps:

  • Authentication setup
  • Re-authentication

Users have the option of receiving the authentication code in two ways:

  • SMS
  • Authentication application

The following cases require re-authentication:

  • User logs in to Zuora UI after the Remember me for 30 days period has expired.
  • User logs in from another machine or browser where the Remember me for 30 days option has not been enabled.

SMS setup

  1. Log in to the Zuora application. You will be prompted to set up two-factor authentication.
  2. Click continue.
  3. Select Use text messages and click next. You will be prompted to enter your mobile number.
  4. Select the appropriate country code and enter your mobile number.
  5. Click next. You will be sent an authentication code.
  6. Retrieve the most recent authentication code sent by Zuora. The authentication code expires within 5 minutes of receiving it.
  7. Enter the authentication code. If the authentication code is not entered within 5 minutes of receipt, you will have to request a new one.
    If your authentication code expired or you did not receive one, click Didn't receive a code? to receive a new authentication code. If you enter the wrong code, you will receive an error message and will be asked to re-enter the authentication code.
  8. If you don't want to be prompted to enter another code on that particular machine and browser for 30 days, select the Remember me for 30 days checkbox. If you sign in to Zuora from various machines or browsers, you will have to set up 2FA for every machine or browser.

    If you set up two-factor authentication on a trusted machine and safe browser that you use to access Zuora regularly, Zuora recommends enabling Remember me for 30 days. If you access Zuora on a public machine or unsafe browser, Zuora does not recommend enabling Remember me for 30 days.

  9. Click next. After you've entered the correct authentication code, a success message will be displayed.

Re-authentication using SMS

You can retrieve the authentication code from the most recent SMS from Zuora.

Authentication application setup

  1. Log in to the Zuora application. You will see a screen informing that you have been enabled for two-factor authentication.
  2. Click continue.
  3. Select Use a mobile app. You will be prompted to scan a QR code.
  4. Scan the code, using your preferred authentication application on your mobile phone or tablet.
  5. Click next.
  6. Enter the authentication code generated by your application.
  7. If you don't want to be prompted to enter another code on that particular machine and browser for 30 days, select the Remember me for 30 days checkbox. If you sign in to Zuora from various machines or browsers, you must set up 2FA for every machine or browser.

    If you set up two-factor authentication on a trusted machine and safe browser that you use to access Zuora regularly, Zuora recommends enabling Remember me for 30 days. If you access Zuora on a public machine or unsafe browser, Zuora does not recommend enabling Remember me for 30 days.

  8. Click next. After you've entered the correct authentication code, a success message will be displayed.
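The code entered in step 6 is a time-based one-time password: the QR code in step 3 gives the app a shared secret, and both the app and the server derive a short code from that secret and the current 30-second time step, which is why a code is only valid for a limited window. The following is an added illustration of that mechanism using the RFC 4226/6238 algorithms, not Zuora's own code; that Zuora's QR code uses the common otpauth:// key URI format, the SHA-1 algorithm, 6 digits and a 30-second step is an assumption, and the secret used below is the RFC 6238 test secret.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # assumed time step (RFC 6238 default)
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (what the mobile app displays)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                last_counter: int | None = None) -> tuple[bool, int | None]:
    """Server-side check: accept the current step or +/- `window` steps to tolerate
    clock drift, refuse any counter already consumed (replay), and compare in
    constant time. Returns (accepted, counter) so the caller can record the counter."""
    counter = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, None


def provisioning_uri(secret: bytes, account: str, issuer: str = "Zuora") -> str:
    """Content an enrollment QR code would carry in the otpauth:// key URI format (assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test secret, not a real one
    print(provisioning_uri(secret, "user@example.com"))
    print(totp(secret, 59), verify_totp(secret, totp(secret, 59), 59))
```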

Re-authentication using authentication application

You can retrieve the latest code generated by your authentication application for your Zuora account.

Reset two-factor authentication

You can disable or reset two-factor authentication for a tenant or specific user.

If an individual user loses their phone or their phone crashes, they will not be able to use two-factor authentication. If this occurs, you can disable 2FA access for a specific user in Administration > Manage Users.

If you disable two-factor authentication at the tenant level or for a specific user, all users in the tenant, or the specific users, only have to enter their Zuora username and password when logging in to Zuora.

When two-factor authentication is re-enabled, all users in the tenant, or the specific users, have to set up 2FA from the beginning.

If you are a Zuora administrator and you lose your phone, contact Zuora Support to disable or enable two-factor authentication. Zuora recommends having at least two Zuora administrators, in case one loses their phone.

Disable two-factor authentication

Two-factor authentication can be disabled on a tenant level. By default, 2FA is enabled.

If you choose to disable two-factor authentication, the customer acknowledges the risks of such action and accepts responsibility for any data loss or potential compromise of tenant user accounts that use a single-factor of authentication.

  1. Navigate to Administration > Security Policies.
  2. Click edit.
  3. Disable Two-Factor Authentication.
  4. Click save.