Note: This additional verification won't be asked every time, and it is not the same as multi-factor authentication (MFA). We will ask you to verify only when we detect that a sign-in attempt is unusual. For MFA-enabled accounts, this verification is not prompted at all. Read below to learn more.

Most users sign in to their accounts with only a password, which on its own is a weak form of account security. Users also tend to reuse the same password across multiple apps: according to a survey conducted in 2019, 65% of users reuse their password for multiple accounts.

On top of this weakness, passwords are increasingly exposed by the growing number of data breaches, and an exposed password can lead to the account being compromised. The technique in which an attacker takes a password exposed in a data breach and uses it to sign in to the user's accounts on other services is called "credential stuffing". It differs from a "brute-force attack", where the attacker does not know the password and has to guess, entering different passwords repeatedly in an automated manner. In credential stuffing, the attacker already has a list of real username and password pairs to try.
For example, consider that a user John is using the same password for their Zoho account and for another app ABC. If ABC encounters a password breach, an attacker can obtain this exposed password and use it to sign in to John's Zoho account through credential stuffing.
To prevent this, we ask for additional verification whenever we find a sign-in attempt to be unusual. What makes a sign-in attempt unusual depends on several factors, including the location and the device the user is signing in from. Because this additional verification requires access to the user's email inbox, mobile number or recovery device, an attacker who has only the password cannot complete it and so cannot gain access to the account.
What options are available to complete this verification?
The available options depend on the recovery options you've configured for your account. There are three options in all:
- Verify using email address - You will need to enter an OTP sent to your email address.
- Verify using mobile number - You will need to enter an OTP sent to your mobile number.
- Verify using recovery device - A number will be shown on the sign-in page. You will need to tap this number on the push notification sent to your OneAuth-installed recovery device.
Info: If you've signed in to Zoho OneAuth but haven't configured MFA yet, that device is considered a recovery device.
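The following is an added example, not Zoho's code, that models the behaviour described above: a password is checked first, an account with MFA is handed to its second factor, and an account without MFA is asked for an OTP only when the device or the country of the attempt has not been seen before. The account fields, the choice of device identifier and country as the "unusual" factors, the 6-digit code, its 5-minute lifetime and the 3-guess limit are all assumptions made for illustration; a real service uses more signals and delivers the code by email, SMS or push. The sample accounts and attempts are constructed inline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Added example (not Zoho's code). The risk factors, code format, TTL and
# attempt limit below are assumptions chosen for illustration.
OTP_TTL_SECONDS = 300   # assumed lifetime of a step-up code
OTP_MAX_ATTEMPTS = 3    # assumed number of wrong guesses before the code is discarded


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    mfa_enabled: bool = False
    known_devices: set = field(default_factory=set)    # devices seen on past sign-ins
    known_countries: set = field(default_factory=set)  # countries seen on past sign-ins
    pending_otp: Optional[dict] = None                 # outstanding step-up challenge


@dataclass
class SignInAttempt:
    username: str
    password: str
    device_id: str   # assumed: a device cookie or fingerprint
    country: str     # assumed: derived from the client IP address


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(username, password, mfa_enabled=False, devices=(), countries=()):
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), mfa_enabled,
                   set(devices), set(countries))


def evaluate_sign_in(acct: Account, attempt: SignInAttempt) -> str:
    """Decide the outcome of a password sign-in.

    "deny":    wrong password.
    "mfa":     password correct and the account has MFA; its second factor applies,
               so no additional verification is asked.
    "allow":   password correct from a known device in a known country.
    "step_up": password correct but the device or country is new, so the
               additional verification is required (this is where a credential
               stuffing attempt with a leaked but correct password is stopped).
    """
    if not hmac.compare_digest(acct.password_hash,
                               hash_password(attempt.password, acct.salt)):
        return "deny"
    if acct.mfa_enabled:
        return "mfa"
    unusual = (attempt.device_id not in acct.known_devices
               or attempt.country not in acct.known_countries)
    return "step_up" if unusual else "allow"


def issue_otp(acct: Account, attempt: SignInAttempt, now: Optional[float] = None) -> str:
    """Create a 6-digit code for the step-up and return it for delivery
    (email or SMS). Only a hash is stored, bound to the attempt it covers."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.pending_otp = {
        "digest": hashlib.sha256(code.encode()).digest(),
        "expires": (now if now is not None else time.time()) + OTP_TTL_SECONDS,
        "attempts_left": OTP_MAX_ATTEMPTS,
        "device_id": attempt.device_id,
        "country": attempt.country,
    }
    return code


def verify_otp(acct: Account, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code. On success the device and country become known,
    so later sign-ins from there are no longer treated as unusual."""
    pending = acct.pending_otp
    if pending is None:
        return False
    if (now if now is not None else time.time()) > pending["expires"]:
        acct.pending_otp = None          # expired: a fresh code must be issued
        return False
    if not hmac.compare_digest(pending["digest"],
                               hashlib.sha256(submitted.encode()).digest()):
        pending["attempts_left"] -= 1
        if pending["attempts_left"] <= 0:
            acct.pending_otp = None      # too many wrong guesses: discard the code
        return False
    acct.pending_otp = None              # single use
    acct.known_devices.add(pending["device_id"])
    acct.known_countries.add(pending["country"])
    return True


if __name__ == "__main__":
    # Constructed scenario: John's password leaked from another app.
    john = make_account("john", "Winter2019!", devices={"john-laptop"}, countries={"IN"})
    print(evaluate_sign_in(john, SignInAttempt("john", "Winter2019!", "john-laptop", "IN")))
    print(evaluate_sign_in(john, SignInAttempt("john", "Winter2019!", "attacker-box", "XX")))
```

The attacker in the scenario passes the password check, which is exactly the credential stuffing case, and is then asked for a code delivered to John's inbox or phone; without it the attempt goes no further. The code is compared with a constant-time comparison, expires, and is discarded after a few wrong guesses so it cannot itself be brute-forced.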
What if you are unable to complete the verification?
If you're part of an organization as a user:
- Contact your administrator to get a backup verification code. (If you're an administrator, you can generate a backup code for a user from Zoho Directory.)
- After getting the backup code, click View all options on the sign-in page where you're asked for additional verification.
- Click Problem signing in?.
- Select the option Use backup verification code.
- Enter the code you got from your administrator, then click Verify.
If you're the administrator of your organization, or if you're a personal user who is not part of any organization:
Please contact us at support@zohoaccounts.com. After verifying your identity, we will provide a backup verification code for you to sign in to your account.
Please note that if any further sign-in attempt seems unusual, this verification will still be asked.
How to avoid this additional verification?
This verification is asked only for Zoho accounts that sign in using just a password. If you enable multi-factor authentication (MFA) for your account, we won't ask for this verification, since MFA already protects the account with a second factor.