Why am I being asked for additional verification during sign-in?
This security measure is already enabled for users in the following data centers: Europe, Australia, China, and Japan.
It is soon to be enabled in the following data centers: India (by August 1st week) and United States (by middle of August).
Note: This additional verification won't be asked every time and is not the same as multi-factor authentication (MFA). We will ask you to verify only when we detect the sign-in attempt to be unusual. Also, for MFA-enabled accounts, this verification won't be prompted. Read below to learn more.Most users use only a password to sign in to their accounts, which provides only a weak form of account security. Users also tend to reuse the same password across multiple apps. As per a survey conducted in 2019, 65% of the users reuse their password for multiple accounts.
Coupled with this weakness, passwords are also susceptible to getting exposed due to the growing number of data breaches, which in turn can lead to one's account getting compromised. The technique in which an attacker can use an exposed password (found in data breaches) and use it to gain access to users' accounts is called "credential stuffing". It is different from "brute-force attacks", where the attacker won't know the exact password, but have to guess and repeat entering different passwords in an automated manner. In credential stuffing, the attacker will have the actual list of credentials to try out.
For example, consider that a user John is using the same password for their Zoho account and for another app ABC. If ABC encounters a password breach, an attacker can obtain this exposed password and use it to sign in to John's Zoho account through credential stuffing.
To avoid this from happening, we will ask for additional verification whenever we find a sign-in attempt to be unusual. What makes a sign-in attempt unusual depends on certain factors, including the location and the device the user is signing in from. Since this additional verification requires the user to have access to their email inbox or device, an attacker will not be able to do this verification and gain access to the account.
What options are available to complete this verification?
The available options depend on the recovery options you've configured for your account. Totally, there are three options:
- Verify using email address - You will need to enter an OTP sent to your email address.
- Verify using mobile number - You will need to enter an OTP sent to your mobile number.
- Verify using recovery device - A number will be shown on the sign-in page. You will need to tap this number on the push notification sent to your OneAuth-installed recovery device.
Info: If you've only signed in to Zoho OneAuth, but haven't configured MFA yet, it is considered as a recovery device.
How to avoid this additional verification?
This verification will be asked only for Zoho accounts that are being signed-in using just a password. If you enable multi-factor authentication (MFA) for your account, we won't ask for this verification, as MFA itself would take care of your account's security.
We recommend enabling MFA using our authenticator app–Zoho OneAuth. Aside from heightened security, it also provides swift sign-in options such as Smart QR sign-in and passwordless sign-in.
If you have any queries or encounter any issue, please write to us at support@zohoaccounts.com.
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
Still can't find what you're looking for?
Write to us: support@zohoforms.com
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Bigin?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
Related Articles
Sign-in modes
Zoho offers various modes to sign in to your Zoho account, from the conventional method of signing in using only a password to the more secure method of signing in without using a password at all (passwordless sign-in). You can choose your preferred ...Sign in using passkey
What is a passkey A passkey is a credential similar to a password that you can use to sign in to your account. However, you don't have to set a passkey manually and remember it. Your mobile device will take care of generating the passkey, storing it ...Troubleshoot sign-in related issues
Please select the issue you have while signing in to your account: Getting an error when trying to sign in Having issues with multi-factor authentication (MFA) and couldn't access the account Having issues connecting to mail client Forgot the account ...Passwordless Sign-in
Our OneAuth's passwordless sign-in mode offers you a secure and seamless way to sign in to your Zoho account. It's a form of multi-factor authentication (MFA) where you don't need to enter your password to sign in. Regular MFA sign-in: Username ----> ...Alternate Verification
There maybe times where your network is poor and you're unable to scan the QR code or receive push notifications from OneAuth. In that case OneAuth's alternate verification allows you to switch between other sign-in modes such as TOTP or scan QR for ...