Mandatory workspace two-factor authentication

For an added layer of security, you can require your members to use two-factor authentication (2FA) when they sign in to Slack. 

How 2FA works

  • Members will get a verification code sent to their mobile device.
  • To sign in, they’ll enter their verification code along with their password.
  • Members will need access to their mobile device each time they sign in.

Note: Mandatory 2FA is not available if members are required to use single sign-on.


Turn on mandatory 2FA

Free, Standard and Plus subscriptions

Enterprise Grid subscription

Workspace owners and admins can make 2FA mandatory for members of their workspace(s):

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Workspace settings from the menu.
  3. Click Authentication.
  4. Next to Workspace-wide two-factor authentication, click Expand.
  5. Click Activate two-factor authentication for my workspace, then enter your password.
  6. Customise the Slackbot message for your members if you like.
  7. Click Activate two-factor authentication

    Members will get an email and a Slackbot message to help them get set up. Those who don’t set up 2FA within 24 hours will be signed out and prompted to set up 2FA before signing in again.

Org owners and admins can make 2FA mandatory for any workspaces connected to their Enterprise Grid org:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration from the menu, then Organisation settings
  3. Under  Security, choose Security.
  4. Click Turn on mandatory 2FA.
  5. Customise the Slackbot message for your members if you like.
  6. Click Turn on mandatory 2FA. 

    Members will get an email and a Slackbot message to help them to get set up. Those who don’t set up 2FA within 24 hours will be signed out and prompted to set up 2FA before signing in again.


Manage mandatory 2FA

Standard and Plus subscriptions

Enterprise Grid subscription

See who has 2FA turned on

Workspace owners and admins can see which members have 2FA set up:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Manage members from the menu.
  3. On the Members page, select Filters in the top right.
  4. Below Authentication, tick the box next to Two-factor (2FA).

Use 2FA with single sign-on (SSO)

In an Enterprise Grid org, workspace owners and admins can set up 2FA alongside SAML single-sign on (SSO). To do so, make sure to set up 2FA with your identity provider. If you’re using Google authentication with Slack, set up two-step verification with Google.

What to expect:

  • Workspace owners must set up 2FA for themselves to keep their backup password secure.
  • Guests must set up 2FA if they are not required to use SSO.
  • On workspaces where SSO is optional, members can use SSO or their email and password to sign in to Slack. For this reason, these members will also be notified when workspace-wide 2FA is turned on.
  • 2FA will be turned off when a member connects, or binds, their SSO account with Slack.

Troubleshoot locked-out members

If members get locked out, workspace owners and admins can turn off 2FA for them:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Manage members from the menu.
  3. Click the  three dots icon to the right of the member’s name.
  4. Choose Disable 2FA.

Note: Only the workspace primary owner can turn off 2FA for workspace owners. Likewise, only workspace owners can turn off 2FA for workspace admins.

See who has 2FA turned on

Workspace owners and admins in an Enterprise Grid org can see which members of their workspace have 2FA set up:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Manage members from the menu. 
  3. On the Members page, select Filters in the top right.
  4. Below Authentication, tick the box next to Two-factor (2FA).

Note: You can’t see which members have 2FA enabled from an organisation’s Admin dashboard at this time.


Use 2FA with single sign-on (SSO)

In an Enterprise Grid org, workspace owners and admins can set up 2FA alongside SAML single-sign on. To do so, make sure to set up 2FA with your identity provider. If you’re using Google authentication with Slack, set up two-step verification with Google.

What to expect:

  • Workspace owners must set up 2FA for themselves to keep their backup password secure.
  • Guests must set up 2FA if they are not required to use SSO.

Troubleshoot locked-out members

If locked out, org owners and admins can turn off 2FA for members:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Manage members from the menu.
  3. Click the  three dots icon to the right of the member’s name.
  4. Choose Disable 2FA.
Who can use this feature?
  • Workspace owners/admins and org owners/admins can turn on this feature.
  • Available on all subscriptions.

Related articles

Recently viewed articles