Securing Your Account: Essential Steps for MFA Backup Codes and Secondary Access

We highly recommend enabling Multi-Factor Authentication (MFA)—also known as Two-Factor Authentication (2FA)—to keep your account secure. While MFA provides excellent protection against unauthorised access, it can also lock you out of your own account if you lose your mobile phone or authenticator device.

To ensure you never lose access to your work, you must complete two vital steps upon enabling MFA: saving your backup codes and setting up a secondary authentication method.

Warning
If you have already lost access to your MFA device, the steps below cannot be carried out. Your MFA will need to be reset by your system administrator or, if your company's domain has not yet been authenticated, by the Zoho Accounts team, and there will be a delay in this. If you are using an email address provided by a general provider (e.g. Hotmail/Outlook, Gmail, Protonmail, iCloud), then the system administrator cannot reset your MFA and it must be escalated to the Zoho Accounts team.


1. Download and Secure Your Backup Codes

When you configure MFA, the system will provide a list of single-use backup codes. These codes are your ultimate safety net; if your phone goes missing or breaks, entering one of these codes will allow you to bypass the standard authentication prompt and get back into your account.

  • Download immediately: You must generate and download these codes the moment you enable MFA.

  • Store securely: Print them out and keep them in a locked drawer, or save them in a secure, third-party password manager.

  • The Golden Rule: Do NOT store your backup codes in Zoho WorkDrive. If you are locked out of your account, you will also be locked out of WorkDrive, making it impossible to retrieve the codes when you need them most.

2. Set Up a Secondary Authentication Method

In addition to downloading backup codes, you must configure a secondary option for receiving your Time-based One-Time Passcode (TOTP). This gives you an alternative, digital way to verify your identity if your primary authenticator app is unavailable.

You can set up either of the following as your secondary method:

  • Mobile Phone Number: Have your TOTP sent via an SMS text message.

  • External Email Address: Have your TOTP sent to a secondary email inbox.

Crucial Email Restriction: If you choose the email route, do NOT use an email address hosted on Zoho Mail. If your account is locked, your Zoho Mail inbox will also be inaccessible. You must use an external, independent email provider (such as a personal Gmail, Outlook, or Yahoo account) to ensure you can actually receive the passcode.


Quick Reference: MFA Dos and Don'ts

Feature | Do | Don't
Storing Backup Codes | Keep them in a physical safe or an external password manager. | Save them anywhere inside Zoho WorkDrive.
Secondary TOTP Email | Use an external, independent email address (e.g., Gmail). | Use an email address hosted on Zoho Mail.

Taking a few minutes to configure these safeguards today will save you a massive headache if you ever lose your primary authentication device.


To download your Multi-Factor Authentication backup codes, follow these steps:

  1. Navigate to https://accounts.zoho.com/home#multiTFA/recovery
  2. Enter your mobile phone number - especially if your mail is hosted on Zoho Mail
  3. Navigate to https://accounts.zoho.com/home#multiTFA/recovery
  4. Download your backup codes - and keep them safe (and not in any Zoho application, such as Vault, Notebook, or WorkDrive)

A passphrase is recommended, and can be set in the OneAuth application itself. This is the master password for the MFA account in OneAuth, and does not work for any other authentication options.

