Two-Factor Authentication (2FA)
Add an extra layer of security by requiring a second verification method when logging in.
Enabling 2FA
1. Open security settings
Navigate to Settings → Account → Security
2. Choose 2FA method
Select your preferred authentication method:
- Authenticator app (recommended)
- SMS text message
- Email code
3. Set up authentication
Follow the setup process for your chosen method.
For authenticator apps:
- Scan the QR code with your app (Google Authenticator, Authy, etc.)
- Enter the 6-digit code from your app
- Save backup codes
For SMS text message:
- Enter your phone number
- Verify with the code sent via text
- Save backup codes
For email code:
- Verify your email address
- Codes will be sent to your registered email
- Save backup codes
4. Save backup codes
Store backup codes:
- In a password manager
- Printed and stored securely
- In a secure note-taking app
5. 2FA enabled
Your account is now protected with two-factor authentication.
Using 2FA
When logging in with 2FA enabled:
- Enter your email and password
- Enter the 6-digit code from your authenticator app, SMS, or email
- Check “Trust this device” to skip 2FA for 30 days on this device (optional)
- Complete login
For security reasons, trusted devices are cleared when you change your password or disable 2FA.
Managing 2FA
Change 2FA method:
- Settings → Security → Two-Factor Authentication
- Click “Change Method”
- Select new method and complete setup
Disable 2FA:
- Settings → Security → Two-Factor Authentication
- Click “Disable 2FA”
- Confirm with password and current 2FA code
Generate new backup codes:
- Settings → Security → Two-Factor Authentication
- Click “Generate New Backup Codes”
- Save the new codes securely
Troubleshooting 2FA
Lost access to authenticator app
Solution:
- Use a backup code to log in
- Go to Security settings
- Reconfigure 2FA with a new device
- Generate new backup codes
Backup codes not working
Solution:
- Ensure you’re using codes from the most recent generation
- Check for typos (codes are case-sensitive)
- Verify you haven’t already used the code (single-use only)
- Contact support if all codes fail
Not receiving SMS codes
Solution:
- Check phone has cell signal
- Verify phone number is correct
- Check SMS isn’t blocked by carrier
- Try switching to authenticator app method
- Use a backup code to access account
Single Sign-On (SSO)
Enterprise Single Sign-On allows organizations to manage authentication centrally through their identity provider.
SSO is available on Enterprise plans only. Contact sales for more information.
Supported identity providers
ZeroTwo supports standard SAML 2.0 and OAuth 2.0 identity providers:
- Okta
- Azure Active Directory / Microsoft Entra ID
- Google Workspace
- OneLogin
- Auth0
- Custom SAML 2.0 providers
Setting up SSO (Admin)
1. Access admin console
Navigate to Organization Settings → Security → Single Sign-On
2. Choose provider
Select your identity provider from the list or choose “Custom SAML 2.0”
3. Configure provider
Enter required information:
- SSO URL / Login URL
- Entity ID / Identifier
- X.509 Certificate
- ACS URL (Assertion Consumer Service)
- Entity ID
- Audience URI
4. Test connection
Use the “Test SSO” button to verify configuration before enabling for all users.
5. Enable SSO
SSO is now active for your organization. Users can log in through your identity provider.
User experience with SSO
When SSO is enabled for your organization:
- Go to zerotwo.ai and click “Sign In”
- Enter your work email
- You’re redirected to your organization’s login page
- Authenticate with your company credentials
- You’re redirected back to ZeroTwo, logged in
SSO configuration options
Provisioning:
- Automatic user provisioning (SCIM)
- Just-in-time (JIT) provisioning
- Manual user management
- Enforce SSO for all organization members
- Allow password fallback for admins
- Configure session timeouts
- Require re-authentication intervals
- Map user attributes from IdP to ZeroTwo
- Assign roles based on IdP groups
- Sync profile information
SSO security features
Security benefits:
- Centralized authentication management
- Single point for access control
- Consistent password policies
- Automatic deprovisioning when users leave
- Audit logging of authentication events
- Conditional access policies
Troubleshooting SSO
SSO login fails
Solutions:
- Verify SSO configuration in both ZeroTwo and IdP
- Check certificate is valid and not expired
- Ensure URLs are correct (no trailing slashes)
- Test with admin account first
- Check IdP logs for error details
- Verify user is assigned to ZeroTwo application in IdP
Users can't access after SSO enabled
Solutions:
- Ensure users are provisioned in ZeroTwo
- Check IdP application assignment
- Verify email addresses match
- Enable JIT provisioning if not using SCIM
- Check organization SSO settings allow access
Certificate errors
Solutions:
- Verify certificate format (PEM)
- Ensure certificate includes header/footer
- Check certificate hasn’t expired
- Download fresh certificate from IdP
- Remove extra whitespace or characters
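A pre-flight check for the IdP certificate before it is pasted into the SSO form, covering the checklist above (PEM header/footer, stray whitespace or characters, expiry). This is an added example, not ZeroTwo code: the function names and the constructed sample certificate are assumptions, `now` must be a timezone-aware datetime, and only the format and validity date are checked, not the signature or whether the certificate belongs to your IdP.

```python
import base64
from datetime import datetime, timezone
HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def tlv(buf, pos):  # read one DER element -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, p, _ = tlv(der, 0)                        # Certificate SEQUENCE
    _, p, _ = tlv(der, p)                        # tbsCertificate SEQUENCE
    skip = 4 if tlv(der, p)[0] == 0xA0 else 3    # optional [0] version, serial, sigAlg, issuer
    for _ in range(skip):
        _, _, p = tlv(der, p)
    _, p, _ = tlv(der, p)                        # validity SEQUENCE
    _, _, p = tlv(der, p)                        # notBefore
    tag, s, e = tlv(der, p)                      # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(der[s:e].decode(), fmt).replace(tzinfo=timezone.utc)
    pre_2000 = tag == 0x17 and when.year >= 2050  # RFC 5280: UTCTime years 50-99 are 19xx
    return when.replace(year=when.year - 100) if pre_2000 else when

def lint_idp_cert(text, now):
    """Return the checklist problems found in a pasted certificate ([] means none)."""
    start, end = text.find(HEADER), text.find(FOOTER)
    if start < 0 or end < start:
        return ["missing BEGIN/END CERTIFICATE header or footer"]
    problems = []
    if text[:start] or text[end + len(FOOTER):].strip("\r\n"):
        problems.append("extra whitespace or characters outside the PEM block")
    b64 = "".join(text[start + len(HEADER):end].split())
    try:
        expires = not_after(base64.b64decode(b64, validate=True))
    except (ValueError, IndexError):
        return problems + ["body is not base64-encoded DER X.509"]
    if expires <= now:
        problems.append(f"certificate expired on {expires:%Y-%m-%d}")
    return problems

def constructed_pem(not_after_utc):
    """Constructed sample: unsigned X.509 skeleton up to validity, not a real certificate."""
    el = lambda tag, body: bytes([tag, len(body)]) + body
    validity = el(0x30, el(0x17, b"240101000000Z") + el(0x17, not_after_utc))
    tbs = el(0x30, el(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" * 2 + validity)
    return f"{HEADER}\n{base64.b64encode(el(0x30, tbs)).decode()}\n{FOOTER}\n"
```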
Best practices
1. Use 2FA always
For additional security, enable 2FA even if your organization uses SSO.
2. Save backup codes
Store backup codes securely and update them when regenerated.
3. Use authenticator apps
Authenticator apps are more secure than SMS for 2FA.
4. Regular audits
Periodically review authorized devices and sessions.
5. Test SSO changes
Always test SSO configuration changes with a test account before rolling out to all users.

