Two Factor Authentication Basics

Knowledge Drop

Last Tested: May 16, 2019
 

What’s Two Factor?

Two Factor Authentication (2FA) is an authentication practice that adds an extra layer of verification. In Looker, your email/password combo is one authentication layer, and you can enable a second layer which sends codes to your phone. That way, an attacker would need to know your email/password and have access to your phone in order to get into your account.
 

What does 2FA change about Looker?

Every single user is subject to 2FA; there are no exceptions when regularly logging in. However, 2FA doesn’t affect:

  • Logging in with your API credentials
  • Logging in with an external authentication system like SAML
  • SSO Embed Links
  • Viewing a Public Look

There is also a “stay logged in” checkbox on the 2FA page. Checking it means you won’t have to enter a 2FA code for 30 days and can rely on email/password alone. If it is left unchecked, or if an admin selects “Require every login” on the Admin > Two Factor page, the user has to enter a 2FA code with each login. Keep in mind that session length is distinct from the frequency of the 2FA code prompt: an admin could select “Require every login” for 2FA, but if a user stays logged in for 30 days, they won’t have to enter a 2FA code until they log out.
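
The difference between session length and 2FA prompt frequency can be checked with a small model. This is an added example, not Looker code: it models only the behaviour described above, and the names `Visit`, `two_factor_prompts` and `session_length`, along with the fixed (non-sliding) session lifetime, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

REMEMBER_WINDOW = timedelta(days=30)  # "stay logged in" period stated on the page
# Access paths the page lists as unaffected by 2FA (labels are hypothetical).
EXEMPT = {"api", "saml", "sso_embed", "public_look"}

@dataclass
class Visit:
    when: datetime
    method: str = "password"      # how the user reaches Looker
    stay_logged_in: bool = False  # checkbox on the 2FA page
    logout_after: bool = False    # user explicitly logs out after this visit

def two_factor_prompts(visits, require_every_login, session_length):
    """Return the visit times at which a 2FA code would be requested."""
    prompts, session_end, remembered_until = [], None, None
    for v in sorted(visits, key=lambda v: v.when):
        if v.method in EXEMPT:
            continue  # 2FA never applies on these paths
        live = session_end is not None and v.when < session_end
        if not live:  # no live session: a real email/password login happens
            remembered = (not require_every_login
                          and remembered_until is not None
                          and v.when < remembered_until)
            if not remembered:
                prompts.append(v.when)
                remembered_until = (v.when + REMEMBER_WINDOW
                                    if v.stay_logged_in else None)
            session_end = v.when + session_length  # assumed fixed lifetime
        if v.logout_after:
            session_end = None
    return prompts

# Constructed sample: one visit a day for ten days, checkbox ticked each time.
START = datetime(2019, 5, 16, 9, 0)
DAILY = [Visit(START + timedelta(days=d), stay_logged_in=True) for d in range(10)]

def demo():
    count = lambda every, length: len(two_factor_prompts(DAILY, every, length))
    return {
        "require_every_login, 30-day session": count(True, timedelta(days=30)),
        "require_every_login, 8-hour session": count(True, timedelta(hours=8)),
        "stay logged in, 8-hour session": count(False, timedelta(hours=8)),
    }

if __name__ == "__main__":
    print(demo())
```

With “Require every login” selected, the number of 2FA checks in this model depends on the session length, not on the 2FA setting alone.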
 

Troubleshooting

Most questions (what if I get a new phone, why are my codes not being accepted) are answered on the 2FA Doc and 2FA FAQs.
 

This content is subject to limited support.                

Last update: 04-05-2021 09:11 AM