Looker provides two-factor authentication (2FA) as an additional layer of security to protect data accessible via Looker. With two-factor authentication enabled, every user must authenticate using a one-time code generated by their mobile device when logging in.
The single source of truth for setting this up is the Two-Factor Setup Doc. Here we gather some commonly asked questions.
How do I get into Looker if I get a new phone?
Looker support doesn’t make changes to access settings for security reasons. An admin on your Looker instance can reset your 2FA code by following these instructions:
- Go to Admin > Users > Edit (on the particular user)
- click “Reset” next to the Two Factor Secret section
This will prompt the user to re-scan the QR code with their Google Authentication app the next time they navigate to your Looker instance. If all the admins on your instance are locked out, contact email@example.com and we’ll take emergency steps.
Why are my Two Factor Authentication (2FA) codes not being accepted?
This is most commonly caused by the time on your phone and the time on Looker being out of sync. Try changing your phone time to Automatic or increasing the Drift time in the Looker 2FA panel.
How does 2FA work with the API?
It doesn’t. According to the Two-Factor Setup Doc, 2FA has no effect on API usage.
Can I use 2FA with [LDAP/SAML/Google Auth/OpenID Connect]?
Two-factor authentication does not have an effect on authentication via external systems such as LDAP, SAML, Google Auth, or OpenID Connect. It does, however, affect any "Alternate Login" credentials used with these systems.
How do I scan the QR code if my phone camera is broken?
You don’t have to scan the QR code- there is an option to enter a text code instead.
Can I enable 2FA for a subset of users?
No, it is all or nothing. But please, we invite you to explain your use case in the comments if you have some ideas for how you would use this.