Looker provides two-factor authentication (2FA) as an additional layer of security to protect data accessible via Looker. With two-factor authentication enabled, every user must authenticate using a one-time code generated by their mobile device when logging in.
The single source of truth for setting this up is the Two-Factor Setup Doc. Here we gather some commonly asked questions.
How do I get into Looker if I get a new phone?
Looker support doesn't make changes to access settings for security reasons but a company admin on your Looker instance can reset your 2FA code:
- Go to admin > users > edit (on the particular user)
- click "Reset" next to the Two Factor Secret section
This will prompt the user to re-scan the QR code with their Google Authentication app the next time they navigate to your Looker instance. If all the admins on your instance are locked out, contact firstname.lastname@example.org and we'll take emergency steps.
Why are my Two Factor Authentication (2FA) codes not being accepted?
This is most commonly caused by the time on your phone and the time on Looker being out of sync. Try changing your phone time to Automatic or increasing the Drift time in the Looker 2FA panel. This is discussed in its own article and the setup doc.
How does 2FA work with the API?
It doesn't. According to the Two-Factor Setup Doc, 2FA has no effect on API usage.
Can I use 2FA with [LDAP/SAML/Google Auth]?
Two-factor authentication only impacts email-password logins. It does not have an effect on authentication via LDAP, SAML, or Google Auth credentials.
How do I scan the QR code if my phone camera is broken?
You don't have to - there is an option to enter a text code instead.
Can I enable 2FA for a subset of users?
No, it is all or nothing. Feel free to explain your use case in the comments if you think this would be useful for your instance!