Security Policies - Configure MFA | Admin Guide - Zoho One

Configure MFA

Multi-factor authentication (MFA) adds an additional layer of security to your organization. When MFA is enabled, your users will have to verify their identity not only with their password, but also with a second factor. The second factor could be an authenticator app like  Zoho OneAuth, a hardware security key (YubiKey), or an SMS-based OTP.

When MFA is enabled for a user, they will not be able to sign in without setting up their preferred authentication mode and verifying themself. You can configure the list of MFA modes your users can choose from. 

In the web application:

  1. Sign in to Zoho One , then click Directory in the left menu.
  2. Go to  Security , click  Security Policies , then click on the policy you want to configure.
  3. Go to Multi-factor Authentication , then click Setup .
  4. Select the authentication modes that you want your users to choose from. The available authentication modes are:

    OneAuth
    Users will have to sign in using OneAuth. If Enforce Face ID/Touch ID is enabled, users will need to configure their biometrics in OneAuth to sign in. If Allow Passwordless Sign-in is enabled, users can sign in through push notifications, time-based OTPs generated in OneAuth, or by scanning the QR code.
    OTP authenticator
    Users will have to sign in using an authenticator app. A time-based OTP (TOTP) will be generated, which needs to be entered when signing in. OneAuth provides this option for your Zoho account as well as third-party accounts.
    YubiKey
    Users will have to connect their YubiKey hardware authenticator to the device they're trying to sign in from, and verify themselves.

  5. Set MFA Lifetime and enable backup recovery codes if needed. MFA Lifetime refers to the duration for which users will not be enforced to use MFA after signing in from a trusted browser. 
  6. Click Update Policy.
To remove an MFA policy:
  1. Sign in to Zoho One, then click Admin Panel in the left menu.
  2. Go to Security , then click Security Policies.
  3. Click on the policy for which you want to remove MFA.
  4. Go to Multi-factor Authentication , scroll down and click Remove MFA.
  5. NotesPolicy priority changes when a policy is removed. 
  6. Enter your password, then click Yes, Remove.
  7. NotesIf an MFA policy is removed, the next policy having the top priority will be applied to the user. If there is only one remaining policy, then the default policy will hold good for the user.