
Setting up MFA in Zoho mail

Multi-Factor Authentication (MFA) is an important part of securing your vital information from identity theft, phishing scams, and all kinds of fraud and bad actors. This involves asking for multiple types or “factors” of authentication that a would-be criminal is unlikely to have at the same time, such as both knowing your password and being in physical possession of a device you own. We are introducing MFA for email access at Heritage in order to keep us all safer. Zoho mail has multiple ways to set this up.

Step 1: Go to your Zoho account page

Click on your profile picture in your mail client, then click My Account.

Step 2: Choose Multi-Factor Authentication from the menu

Step 3: Choose your MFA method

From this screen you can turn on MFA yourself (you will not be able to turn it off after June 1), and choose and set up the method you will use.

You can set up multiple methods as a backup or just for your convenience. You will never need to use more than one at a time.

All five methods on this page work for logging in to Zoho mail. SMS-based is the simplest to set up; OneAuth passwordless login is probably the most seamless experience.

Method 1: SMS-based OTP – The simplest, least secure option

This should be familiar to most people. You receive a simple text message with a code and you have to enter it. Click on “add a number” and follow the instructions. Due to security vulnerabilities inherent to SMS messages, many software companies are moving away from this and Heritage may not be allowed to use this method in the future.

Method 2: OTP Authentication (Using an authenticator App) – rotating codes that work even without internet

This method involves using an app on your phone such as Google Authenticator, Microsoft Authenticator, or Zoho’s own OneAuth (in TOTP mode), which you can download from the link on this page. This method is more reliable than SMS-based codes, as automated texts are frequently delayed, especially when cell service is poor, and this works EVEN IF YOU HAVE NO CELL SIGNAL.

After choosing OTP Authentication, follow the instructions. From the app, either scan the QR code or manually enter the code shown on the screen.

The app will display a one-time code, which you enter on the next screen.

Then, it will ask you to Generate New Backup Codes. Go ahead and do that.

Please download or copy these and keep them in a safe place. If you lose access to your device, these are all one-time-use emergency codes that will get you back into your account, from where you can reset your settings.

Do note that it is possible to transfer codes to a new phone when you upgrade, so hopefully you will never need these codes.

Method 3: Passkey

This option basically uses your phone’s identity as a key. It is saved in your keyring on both iPhone and Android, so it should automatically transfer when you upgrade your phone. It is very easy to set up; however, Method 4 below is the easiest-to-use passkey method.

Method 4: OneAuth passwordless login – the most seamless option

The OneAuth app from Zoho allows you to enter your email address and then confirm on your phone in one of three ways, skipping your password entirely.

Download the OneAuth app from the link here or from your favorite app store.

Once downloaded, open the OneAuth app and log in with your Zoho account username and password.

Go to the MFA tab at the bottom left of your screen, then tap the edit button as seen here.

Once you have enabled MFA using OneAuth, you can configure MFA as per your requirements.

If you want to sign in without entering the password, enable Passwordless sign in.

Select your preferred sign-in mode; this is how you confirm a sign-in with your phone. The three options are a push notification that asks you to tap a number, TOTP (rolling codes as in Method 2), and scanning a QR code with your phone.

If you want to add another layer of biometric verification, enable Fingerprint authorization or Face ID authorization.

By entering your email address and then confirming in your preferred sign-in method, Zoho mail won’t have to ask for your password.

Method 5: Security Key – using a physical USB token and the only option that doesn’t involve a mobile device

This involves using a physical security key that is inserted into a USB port to activate. This is the only option that doesn’t require the use of either a personal or company-owned mobile device for login. If you do not wish to use your phone for logging in, please come talk to the IT department about a security key.