Securing Your Account: Essential Steps for MFA Backup Codes and Secondary Access

We highly recommend enabling Multi-Factor Authentication (MFA)—also known as Two-Factor Authentication (2FA)—to keep your account secure. While MFA provides excellent protection against unauthorised access, it can also lock you out of your own account if you lose your mobile phone or authenticator device.

To ensure you never lose access to your work, you must complete two vital steps upon enabling MFA: saving your backup codes and setting up a secondary authentication method.

Warning
If you have already lost access to your MFA device, the steps below cannot be carried out and your MFA will need to be reset by your system administrator or, if your company's domain has not yet been authenticated, by the Zoho Accounts team; expect a delay in this. If you are using an email address provided by a general provider (e.g. Hotmail/Outlook, Gmail, Protonmail, iCloud), then the system administrator cannot reset your MFA and it must be escalated to the Zoho Accounts team.


1. Download and Secure Your Backup Codes

When you configure MFA, the system will provide a list of single-use backup codes. These codes are your ultimate safety net; if your phone goes missing or breaks, entering one of these codes will allow you to bypass the standard authentication prompt and get back into your account.

  • Download immediately: You must generate and download these codes the moment you enable MFA.

  • Store securely: Print them out and keep them in a locked drawer, or save them in a secure, third-party password manager.

  • The Golden Rule: Do NOT store your backup codes in Zoho WorkDrive. If you are locked out of your account, you will also be locked out of WorkDrive, making it impossible to retrieve the codes when you need them most.

2. Set Up a Secondary Authentication Method

In addition to downloading backup codes, you must configure a secondary option for receiving your Time-based One-Time Passcode (TOTP). This gives you an alternative, digital way to verify your identity if your primary authenticator app is unavailable.

You can set up either of the following as your secondary method:

  • Mobile Phone Number: Have your TOTP sent via an SMS text message.

  • External Email Address: Have your TOTP sent to a secondary email inbox.

Crucial Email Restriction: If you choose the email route, do NOT use an email address hosted on Zoho Mail. If your account is locked, your Zoho Mail inbox will also be inaccessible. You must use an external, independent email provider (such as a personal Gmail, Outlook, or Yahoo account) to ensure you can actually receive the passcode.


Quick Reference: MFA Dos and Don'ts

  • Storing Backup Codes
    Do: Keep them in a physical safe or an external password manager.
    Don't: Save them anywhere inside Zoho WorkDrive.

  • Secondary TOTP Email
    Do: Use an external, independent email address (e.g., Gmail).
    Don't: Use an email address hosted on Zoho Mail.

Taking a few minutes to configure these safeguards today will save you a massive headache if you ever lose your primary authentication device.


To download your Multi-Factor Authentication backup codes, follow these steps:

  1. Navigate to https://accounts.zoho.com/home#multiTFA/recovery
  2. Enter your mobile phone number - especially if your mail is hosted on Zoho Mail
  3. Navigate to https://accounts.zoho.com/home#multiTFA/recovery
  4. Download your backup codes - and keep them safe (and not in any Zoho application, such as Vault, Notebook, or WorkDrive)

A passphrase is recommended, and can be set in the OneAuth application itself. This is the master password for the MFA account in OneAuth, and does not work for any other authentication options.