Mandatory workspace two-factor authentication

For an added layer of security, you can require your members and guests to use two-factor authentication (2FA) when they sign in to Slack.

How 2FA works

  • Members will get a verification code sent to their mobile device.
  • To sign, they'll enter their verification code along with their Slack password.
  • By default, people can choose between SMS text message and authentication app 2FA methods. On paid subscriptions, owners and admins can restrict this to prevent members from using SMS for 2FA.
  • On paid subscriptions, owners and admins must use 2FA when signing in to Slack, even if they haven’t enabled mandatory 2FA. For workspaces or orgs with SSO enabled, only owners and admins who are able to sign in via email and password and bypass SSO are required to set up 2FA.

Note: If you’re using single sign-on (SSO), 2FA should be set up through your identity provider.


Turn on mandatory 2FA

Free, Pro and Business+ subscriptions

Enterprise Grid subscription

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Workspace settings.
  3. Click on Authentication
  4. Next to Two-factor authentication for your workspace (2FA), click Expand.
  5. Click Enable 2FA for your workspace. If you like, click Require an authenticator app to prevent people from using SMS for 2FA.
  6. Click Activate two-factor authentication. Members will get an email and Slackbot message to help them to set up authentication. 

    People who don’t set up 2FA within 24 hours will be signed out of Slack and prompted to set up 2FA before they can sign in again. New members will be required to set up 2FA before creating an account and signing in to Slack.
  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Organisation settings.
  3. Select  Security from the left-hand sidebar, then click Security settings.
  4. To the right of Two-factor authentication for email sign-in click Enable
  5. If you like, click Require an authenticator app to prevent members from using SMS for 2FA.
  6. When you’re ready, click Enable. Members will get an email and a Slackbot message to help them to set up authentication.

    People who don’t set up 2FA within 24 hours will be signed out of Slack and prompted to set up 2FA before they can sign in again. New members will be required to set up 2FA before signing in to Slack.

Tip: Visit Set up two-factor authentication for step-by-step instructions on setting up 2FA for your account.

 

See who has 2FA set up

Free, Pro and Business+ subscriptions

Enterprise Grid subscription

Workspace owners and admins can see which members have 2FA set up:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Select Filters in the top right.
  4. Below Authentication, tick the box next to Two-factor (2FA).

Workspace owners and admins of workspaces in an Enterprise Grid org can see which of their members have 2FA set up:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Select Filters in the top right.
  4. Below Authentication, tick the box next to Two-factor (2FA).

Note: You can only see who has 2FA enabled at the workspace level at this time.

 

Restore access for locked-out members

Free, Pro and Business+ subscriptions

Enterprise Grid subscription

If a member gets locked out, workspace owners and admins can temporarily turn off 2FA for that person. On their next sign-in attempt, they'll be prompted to set up 2FA again. Here's how to turn off 2FA for a member:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Click on the  three dots icon to the right of the member's name.
  4. Choose Disable 2FA.

Note: Only the workspace primary owner can turn off 2FA for workspace owners. Only workspace owners can turn off 2FA for workspace admins.

If a member gets locked out, org owners and admins can temporarily turn off 2FA for that person. On their next sign-in attempt, they'll be prompted to set up 2FA again. Here's how to turn off 2FA for a member:
  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage members.
  3. Click on the  three dots icon to the right of the member's name.
  4. Choose Disable 2FA.

 

Use 2FA with single sign-on

Pro and Business+ subscriptions

Enterprise Grid subscription

Workspace owners and admins can set up 2FA alongside SAML single sign-on (SSO). To do so, make sure to set up 2FA with your identity provider. If you're using Google authentication with Slack, set up two-step verification with Google. 

What to expect

  • Workspace owners must set up 2FA for themselves to keep their backup password secure. 
  • Guests must set up 2FA if they are not required to use SSO. 
  • On workspaces where SSO is optional, members can use SSO or their email address and password to sign in to Slack. These members will also be notified when workspace-wide 2FA is turned on.
  • 2FA in Slack will be turned off when a member connects or binds their SSO account.
In an Enterprise Grid org, org owners and admins can set up 2FA alongside SAML single sign-on. To do so, make sure to set up 2FA with your identity provider. If you're using Google authentication with Slack, set up two-step verification with Google.

What to expect

  • Org owners must set up 2FA for themselves to keep their backup password secure.
  • Members and guests must set up 2FA if they are not required to use SSO
Who can use this feature?