Mandatory workspace two-factor authentication

For an added layer of security, you can require your members and guests to use two-factor authentication (2FA) when they sign in to Slack.

How 2FA works

  • Members will get a verification code sent to their mobile device.
  • To sign, they'll enter their verification code along with their Slack password.
  • By default, people can choose between SMS text message and authentication app 2FA methods. On paid plans owners and admins can restrict this to prevent members from using SMS for 2FA.
  • On paid plans, owners and admins must use 2FA when signing in to Slack, even if they haven’t enabled mandatory 2FA. For workspaces or orgs with SSO enabled, only owners and admins who are able to sign in via email and password and bypass SSO are required to set up 2FA.

Note: If you're using single sign-on (SSO), 2FA should be set up through your identity provider.


Turn on mandatory 2FA

Free, Pro, and Business+ plans

Enterprise Grid plan

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Workspace settings.
  3. Click Authentication
  4. Next to Two-factor authentication for your workspace (2FA), click Expand.
  5. Click Enable 2FA for your workspace. If you’d like, click Require an authenticator app to prevent people from using SMS for 2FA.
  6. Click Activate two-factor authentication. Members will get an email and Slackbot message to help them get set up. 

    People who don't set up 2FA within 24 hours will be signed out of Slack and prompted to set up 2FA before they can sign in again. New members will be required to set up 2FA before creating an account and signing in to Slack.
  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Organization settings.
  3. Select  Security from the left sidebar, then click Security settings.
  4. To the right of Two-factor authentication for email sign-in click Enable
  5. If you'd like, click Require an authenticator app to prevent members from using SMS for 2FA.
  6. When you’re ready, click Enable. Members will get an email and a Slackbot message to help them to get set up.

    People who don't set up 2FA within 24 hours will be signed out of Slack and prompted to set up 2FA before they can sign in again. New members will be required to set up 2FA before signing in to Slack.

Tip: Visit Set up two-factor authentication for step-by-step instructions on setting up 2FA for your account.

 

See who has 2FA set up

Free, Pro, and Business+ plans

Enterprise Grid plan

Workspace Owners and Admins can see which members have 2FA set up:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Select Filters in the top right.
  4. Below Authentication, check the box next to Two-factor (2FA).

Workspace Owners and Admins of workspaces in an Enterprise Grid org can see which of their members have 2FA set up:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Select Filters in the top right.
  4. Below Authentication, check the box next to Two-factor (2FA).

Note: You can only see who has 2FA enabled at the workspace level at this time.

 

Restore access for locked-out members

Free, Pro, and Business+ plans

Enterprise Grid plan

If a member gets locked out, Workspace Owners and Admins can temporarily turn off 2FA for that person. On their next sign-in attempt, they'll be prompted to set up 2FA again. Here's how to turn off 2FA for a member:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Click the  three dots icon to the right of the member's name.
  4. Choose Disable 2FA.

Note: Only the Workspace Primary Owner can turn off 2FA for Workspace Owners. Only Workspace Owners can turn off 2FA for Workspace Admins.

If a member gets locked out, Org Owners and Admins can temporarily turn off 2FA for that person. On their next sign-in attempt, they'll be prompted to set up 2FA again. Here's how to turn off 2FA for a member:
  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Click the  three dots icon to the right of the member's name.
  4. Choose Disable 2FA.

 

Use 2FA with single sign-on

Pro and Business+ plans

Enterprise Grid plan

Workspace Owners and Admins can set up 2FA alongside SAML single sign-on (SSO). To do so, make sure to set up 2FA with your identity provider. If you're using Google authentication with Slack, set up two-step verification with Google. 

What to expect

  • Workspace Owners must set up 2FA for themselves to keep their backup password secure. 
  • Guests must set up 2FA if they are not required to use SSO. 
  • On workspaces where SSO is optional, members can use SSO or their email address and password to sign in to Slack. These members will also be notified when workspace-wide 2FA is turned on.
  • 2FA in Slack will be turned off when a member connects, or binds, their SSO account.
In an Enterprise Grid org, Org Owners and Admins can set up 2FA alongside SAML single sign-on. To do so, make sure to set up 2FA with your identity provider. If you're using Google authentication with Slack, set up two-step verification with Google.

What to expect

  • Org Owners must set up 2FA for themselves to keep their backup password secure.
  • Members and Guests must set up 2FA if they are not required to use SSO
Who can use this feature?
  • Workspace Owners/Admins and Org Owners/Admins
  • Available on all plans