Note: This additional verification won't be asked every time and is not the same as multi-factor authentication (MFA). We will ask you to verify only when we detect that a sign-in attempt is unusual. Also, for MFA-enabled accounts, this verification won't be prompted. Read below to learn more.

Most users use only a password to sign in to their accounts, which provides only a weak form of account security. Users also tend to reuse the same password across multiple apps. As per a survey conducted in 2019, 65% of users reuse their password for multiple accounts.
Coupled with this weakness, passwords are also susceptible to exposure through the growing number of data breaches, which in turn can lead to an account being compromised. The technique in which an attacker takes a password exposed in a data breach and uses it to gain access to a user's account is called "credential stuffing". It is different from a "brute-force attack", where the attacker does not know the exact password and has to guess, entering different passwords repeatedly in an automated manner. In credential stuffing, the attacker already has an actual list of credentials to try.
For example, consider that a user John is using the same password for their Zoho account and for another app ABC. If ABC encounters a password breach, an attacker can obtain this exposed password and use it to sign in to John's Zoho account through credential stuffing.
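The difference between the two attack patterns is visible in sign-in logs, and that is where a defender detects them. The following is an added example, not code from Zoho or this help page: it parses a constructed authentication log (format and IP addresses invented for the example), labels each source address as brute force or credential stuffing from the shape of its failures, and lists the accounts a stuffing source managed to sign in to, since those are the ones that need step-up verification or a password reset.

```python
# Added example (not part of the Zoho help page): telling credential stuffing
# apart from brute forcing in a stream of sign-in events, and listing accounts
# that a stuffing source managed to get into so they can be forced through
# step-up verification or a password reset.
from collections import defaultdict

# Constructed sample log, one event per line: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:03 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:04 203.0.113.7 dave@example.com OK
2024-05-01T10:00:05 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:06 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:07 203.0.113.7 grace@example.com FAIL
2024-05-01T10:01:00 198.51.100.9 bob@example.com FAIL
2024-05-01T10:01:01 198.51.100.9 bob@example.com FAIL
2024-05-01T10:01:02 198.51.100.9 bob@example.com FAIL
2024-05-01T10:01:03 198.51.100.9 bob@example.com FAIL
2024-05-01T10:01:04 198.51.100.9 bob@example.com FAIL
2024-05-01T10:01:05 198.51.100.9 bob@example.com FAIL
2024-05-01T10:02:00 192.0.2.5 alice@example.com FAIL
2024-05-01T10:02:10 192.0.2.5 alice@example.com OK
"""


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user.lower(), "result": result})
    return events


def classify_sources(events, min_failures=5, max_tries_per_user=2.0):
    """Label each source IP by the shape of its failed attempts.

    Brute force: many failures piled onto few usernames (password guessing).
    Credential stuffing: many failures spread over many usernames, only one or
    two tries each, because the attacker already holds a candidate password per
    account and moves on as soon as it does not work.
    """
    failed_users = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["ip"]].append(e["user"])
    verdicts = {}
    for ip, users in failed_users.items():
        if len(users) < min_failures:
            verdicts[ip] = "normal"          # too few failures to judge
            continue
        tries_per_user = len(users) / len(set(users))
        verdicts[ip] = ("credential_stuffing" if tries_per_user <= max_tries_per_user
                        else "brute_force")
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that signed in successfully from a source judged to be stuffing:
    the reused password was probably correct, so these need step-up or a reset."""
    return {e["user"] for e in events
            if e["result"] == "OK" and verdicts.get(e["ip"]) == "credential_stuffing"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    v = classify_sources(evs)
    print(v)                              # 203.0.113.7 -> credential_stuffing, 198.51.100.9 -> brute_force
    print(compromised_accounts(evs, v))   # {'dave@example.com'}
```

The thresholds (`min_failures`, `max_tries_per_user`) are illustrative; in production they would be tuned per tenant and combined with the unusual-location signal the page describes, so that a successful sign-in from a stuffing source triggers the additional verification rather than being accepted outright.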
To prevent this, we currently ask for additional verification whenever we detect a sign-in attempt from an unusual location. Since this additional verification requires access to the user's email inbox or registered device, an attacker will not be able to complete it and gain access to the account.
What options are available to complete this verification?
The available options depend on the recovery options you've configured for your account. In total, there are three options:
- A One-Time Password (OTP) will be sent to your email address or mobile number. You need to enter it to verify yourself.
- A number will be shown on the sign-in page. You will need to tap this number on the push notification sent to your OneAuth-installed recovery device. If you've only signed in to Zoho OneAuth but haven't configured MFA yet, it is considered a recovery device.
- Verify using Domains:
  - Click Verify using Domains; a set of instructions will be shown.
  - Go through the instructions and click Continue.
  - You will be required to select a domain to verify; if you have more than one, select the one you want.
  - Enter the full domain name, then click Next.
  - Select one of the methods shown to prove domain ownership. The options are:
    - Add a TXT record at your domain host.
    - Add a CNAME record at your domain host.
    - Upload an HTML file to the root directory of your website.
    - Enter an email address at which you want to receive further instructions on how to prove domain ownership, then click Send Instructions. Follow the instructions in the email, and click the link in the email once you have done everything in the instructions.
  - We will validate whether the DNS record/HTML file has been added.
    - If it has been added, a success message will be shown. You can continue with changing your password.
    - If it has not been added, an error message will be shown. It is possible that the record you've added hasn't propagated to all DNS servers yet, as this depends on the TTL value. Wait for some time, then try refreshing the page.
  - Enter your password to sign in.
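For readers who want to see what the validation step behind "We will validate if the DNS record/HTML file is added" has to do, here is an added example of a verifier-side check. It is not Zoho's code and does not describe Zoho's actual record formats; the TXT record value, the CNAME name and target, the HTML file path and the challenge token are all assumptions made for the example. It goes a little beyond the page in one respect: rather than reporting a plain error, it queries more than one resolver and distinguishes a record that no resolver sees from one that only some resolvers see yet, which is exactly the TTL propagation situation the last step describes.

```python
# Added example (not Zoho's code): validating a domain-ownership proof the way
# the "Verify using Domains" step describes it, with DNS propagation handled.
# The record names, token format, file path and CNAME target are assumptions.
import re

VERIFIED, PROPAGATING, NOT_FOUND = "verified", "propagating", "not_found"
CNAME_TARGET = "verify.example-verifier.invalid."   # assumed; .invalid is reserved (RFC 2606)

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(domain):
    """Lowercase, drop a trailing dot and reject anything that is not a hostname,
    so a user-supplied value cannot smuggle extra labels into a DNS query."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def _consensus(hits):
    """One boolean per resolver queried. All see it: verified. Some see it: the
    record exists but has not propagated everywhere (TTL), so the user should wait
    rather than be told it is missing. None see it: not added."""
    if not hits:
        raise ValueError("no resolvers queried")
    if all(hits):
        return VERIFIED
    if any(hits):
        return PROPAGATING
    return NOT_FOUND


def check_txt(domain, token, resolvers):
    domain = normalize_domain(domain)
    expected = f"domain-verification={token}"          # assumed record value format
    return _consensus([expected in r.txt(domain) for r in resolvers])


def check_cname(domain, token, resolvers):
    name = f"{token}.{normalize_domain(domain)}"         # assumed record name format
    return _consensus([r.cname(name) == CNAME_TARGET for r in resolvers])


def check_html(domain, token, fetch):
    """fetch(url) returns the response body or None. The file must contain only
    the token, so a page that merely echoes user input cannot pass the check."""
    url = f"https://{normalize_domain(domain)}/{token}.html"   # assumed path
    body = fetch(url)
    return VERIFIED if body is not None and body.strip() == token else NOT_FOUND


class FakeResolver:
    """Stand-in for a recursive DNS resolver (constructed for this example)."""

    def __init__(self, txt=None, cname=None):
        self._txt, self._cname = txt or {}, cname or {}

    def txt(self, name):
        return self._txt.get(name, [])

    def cname(self, name):
        return self._cname.get(name)


TOKEN = "k7f3q9m2"   # constructed challenge token
UPDATED = FakeResolver(txt={"example.com": [f"domain-verification={TOKEN}", "v=spf1 -all"]},
                       cname={f"{TOKEN}.example.com": CNAME_TARGET})
STALE = FakeResolver()   # has not picked up the new records yet


def fake_fetch(url):
    """Constructed HTTP fetch: only the expected file exists."""
    return TOKEN + "\n" if url == f"https://example.com/{TOKEN}.html" else None


def demo():
    return {
        "txt_all": check_txt("Example.COM.", TOKEN, [UPDATED, UPDATED]),
        "txt_partial": check_txt("example.com", TOKEN, [UPDATED, STALE]),
        "txt_none": check_txt("example.com", TOKEN, [STALE, STALE]),
        "cname": check_cname("example.com", TOKEN, [UPDATED]),
        "html": check_html("example.com", TOKEN, fake_fetch),
        "html_missing": check_html("example.org", TOKEN, fake_fetch),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token is what binds the proof to this particular verification request: whoever can publish it under the domain (or at its web root) controls the domain, which is why this method is acceptable for an administrator who has lost access to both the email inbox and the registered device.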
What if you are unable to complete the verification?
If you're part of an organization as a user:
- Contact your administrator to get a backup verification code. (If you're an administrator, you can generate a backup code for a user from Zoho Directory.)
- After getting the backup code, click View all options on the sign-in page where you're being asked for additional verification.
- Click Problem signing in?.
- Select the option Use backup verification code.
- Enter the code you got from your administrator, then click Verify.
If you're the administrator of your organization, or if you're a personal user and not part of any organization:
Please contact us at support@zohoaccounts.com. After verifying your identity, we will provide a backup verification code for you to sign in to your account.
Please note that if any further sign-in attempt seems unusual, this verification will still be asked.
How to avoid this additional verification?
This verification will be asked only for Zoho accounts that are signed in using just a password. If you enable multi-factor authentication (MFA) for your account, we won't ask for this verification, as MFA itself takes care of your account's security.