Multi-factor authentication is used as an extra layer of security
while signing in to your account. When you enable MFA, all your future
sign-ins will require you to verify your identity to ensure that your
account isn't accessed by unknown users. You can do this by enabling an
MFA mode for your account. For example, if you enable SMS-based OTP, an
OTP will be sent to your mobile number, which then needs to be entered
when you sign in, thus ensuring that your account stays protected.
Zoho provides four MFA modes to choose from:
- OneAuth
OneAuth is an industry-standard multi-factor authentication app built by Zoho. It offers the following features:
  - MFA for multiple Zoho accounts
  - Passwordless sign-in
  - Mobile SSO
  - OTP authenticator for non-Zoho accounts
  - Easy backup and recovery
- SMS-based OTP
When you set SMS-based OTP as your MFA mode, a short-lived, single-use
authentication code is sent to your mobile device as an SMS message,
which you can use to verify your identity during sign-in.
- OTP authenticator
OTP authenticator generates unique codes in fixed time intervals. When
you set an OTP authenticator as your MFA mode, you can use the OTP shown
in the authenticator app to verify your identity during sign-in.
- Security key
A security key is a hardware device which can be inserted into your computer
or laptop. When you configure a security key for your account and set it as
your MFA mode, you can insert it to verify your identity during sign-in.
MFA: Org-enforced vs. Self-configured
If you are an organization admin, you can enforce MFA for all the users in
your organization. You can choose which modes need to be set up by the
users and enforce them. After such policies are enforced, the users will
be prompted to set up and sign in using MFA. Refer to your app's
documentation to learn how to enforce security policies.
If you want to secure your personal Zoho account, you can enable one or
more of the available MFA modes for your account. Check out the respective help articles
to learn how to configure the different MFA modes. However, if you are a
part of an organization that enforces MFA-related security policies for
its users, you can only configure the modes that are allowed according
to the policy.
You can configure multi-mode MFA by configuring at least two MFA modes for
your account. With multi-mode MFA, you will have the flexibility to
choose between different modes when you want to sign in to your account.
You can set one of the modes as the primary MFA mode
and it will be the default mode when you try to sign in. You can choose
the other modes to sign in if your primary mode is not currently
available. See how to sign in using multi-mode MFA.
MFA and third-party mail clients
If you are using your Zoho account in any third-party mail clients, such
as Outlook or Thunderbird, you may encounter issues signing in to the
app if it doesn't support multi-factor authentication (this more often
results in an "incorrect password" error). This is because only entering
your username and password in your client will not allow you to sign in
as MFA verification cannot be done.
In such cases, you can generate application-specific passwords
in Zoho and use them to sign in to your mail client. These
application-specific passwords allow you to bypass MFA verification and
let you sign in to the client with just your username and this
You will need to verify your identity using your MFA mode every time
you sign in to your account. However, if you are signing in often from a
trusted computer (such as your personal computer), you can avoid
verifying through MFA by trusting your browser.
By default, the MFA lifetime for a trusted browser (i.e., the duration
you won't be asked for MFA) is 180 days. However, if you are part of an
organization, your administrator may reduce the number of days or even
restrict trusting a browser altogether by enforcing security policies.
Backup codes to recover access