Security Policies - Configure MFA | Admin Guide - Zoho One

Configure MFA

Multi-factor authentication (MFA) adds a second layer of security to your organization. When MFA is enabled, users must verify their identity not only with their password but also with a second factor, such as an authenticator app like Zoho OneAuth, a hardware security key (YubiKey), or an SMS-based OTP. These modes are not equally strong: a hardware security key resists phishing, whereas one-time codes (app- or SMS-based) can be relayed by a phishing page, and SMS additionally exposes the user to SIM-swap attacks. Restrict the allowed modes to the strongest ones your users can support.

When MFA is enabled for a user, they will not be able to sign in until they have set up their preferred authentication mode and verified themselves with it. You configure the list of MFA modes your users can choose from.

In the mobile application:

For iOS devices:

  1. Open the Zoho One app on your mobile device.
  2. Tap in the bottom-right corner, then tap Security Policies.
  3. Tap the required security policy, then tap Multi-Factor Authentication.
  4. If you are enabling MFA for the first time, tap the toggle bar to enable it, then select the required MFA modes.
  5. If MFA is already applied, proceed to select the required MFA modes.
  6. Set the MFA Lifetime and enable backup recovery codes if needed. MFA Lifetime is the period after a sign-in from a trusted browser during which users are not asked for MFA again. The longer it is, the longer a stolen or shared browser session can be used without a second factor, so keep it as short as your users will tolerate.
  7. Tap Save.
To disable an MFA policy:
  1. Open the Zoho One app on your mobile device.
  2. Tap in the bottom right, then tap Security Policies.
  3. Tap the required security policy, then tap Multi-Factor Authentication.
  4. Tap the toggle bar to disable MFA.
  5. Tap Update.

For Android devices:

  1. Open the Zoho One app on your mobile device.
  2. Tap in the bottom-right corner, then tap Security Policies.
  3. Tap the required security policy, then check Multi-factor Authentication.
    1. If you are enabling MFA for the first time for that policy, tap the toggle bar to enable it, then select the required MFA modes.
    2. If MFA is already applied for that policy, proceed to select the required MFA modes.
  4. Set the MFA Lifetime and enable the option for users to use backup recovery codes if needed. MFA Lifetime is the period after a sign-in from a trusted browser during which users are not asked for MFA again; the longer it is, the longer a stolen or shared browser session can be used without a second factor.
  5. Tap in the top-right corner.
To disable an MFA policy:
  1. Open the Zoho One app on your mobile device.
  2. Tap in the bottom-right corner, then tap Security Policies.
  3. Tap on the required security policy, then uncheck Multi-factor Authentication.
  4. Enter your password, then tap Disable.

In the web application:

  1. Sign in to Zoho One, then click Directory in the left menu.
  2. Go to Security, click Security Policies, then click the policy you want to configure.
  3. Go to Multi-factor Authentication, then click Setup.
  4. Select the authentication modes that you want your users to choose from. The available authentication modes are:

    OneAuth
    Users will have to sign in using OneAuth. If Enforce Face ID/Touch ID is enabled, users must configure biometrics in OneAuth before they can sign in. If Allow Passwordless Sign-in is enabled, users can sign in by approving a push notification, entering a time-based OTP generated in OneAuth, or scanning the QR code.
    OTP authenticator
    Users will have to sign in using an authenticator app. The app generates a time-based one-time password (TOTP) from a shared secret and the current time, and the user enters that code when signing in. OneAuth provides this option for your Zoho account as well as for third-party accounts.
    YubiKey
    Users will have to connect their YubiKey hardware authenticator to the device they're signing in from and verify themselves with it.

  5. Set the MFA Lifetime and enable backup recovery codes if needed. MFA Lifetime is the period after a sign-in from a trusted browser during which users are not asked for MFA again. A longer lifetime widens the window in which a stolen or shared browser session can be used without a second factor, so keep it short. Recovery codes are single-use bypass credentials; make sure users store them offline and not alongside their password.
  6. Click Update Policy.
To remove an MFA policy:
  1. Sign in to Zoho One, then click Admin Panel in the left menu.
  2. Go to Security, then click Security Policies.
  3. Click the policy for which you want to remove MFA.
  4. Go to Multi-factor Authentication, scroll down, and click Remove MFA.
  5. Enter your password, then click Yes, Remove.
Note: Policy priority changes when a policy is removed. If an MFA policy is removed, the remaining policy with the highest priority is applied to the user. If only one policy remains, the default policy applies to the user.