Looker provides two-factor authentication (2FA) as an additional layer of security to protect data accessible via Looker. Looker admins can enable 2FA on the Two-Factor Admin page. With 2FA enabled, every user must authenticate using a one-time code, generated by their mobile device, when they log in.
The single source of truth for setting this up is the Two-Factor Authentication documentation page. Here we gather some commonly asked questions:
How do I get into Looker if I get a new phone?
For security reasons, Looker Support does not make changes to access settings. An admin on your Looker instance can reset your 2FA code by following these instructions:
- Go to Admin > Users > Edit (for the particular user).
- Click Reset next to the Two Factor Secret section. (This section will not appear if you are using authentication via external systems such as LDAP, SAML, Google OAuth, or OpenID Connect and the user does not have alternate login credentials.)
This will prompt the user to re-scan the QR code with their Google Authentication app the next time they navigate to your Looker instance. If all the admins on your instance are locked out, contact Looker Support to take emergency steps.
Why are my 2FA codes not being accepted?
This is most commonly caused by the time on your phone and the time on Looker being out of sync. Try changing your phone time to Automatic or increasing the Drift time in the Looker 2FA panel.
How does 2FA work with the Looker API?
It doesn't. According to the Two-Factor Authentication documentation page, 2FA has no effect on API usage.
Can I use 2FA with LDAP, SAML, Google Auth, or OpenID Connect?
Two-factor authentication does not have an effect on authentication via external systems such as LDAP, SAML, Google Auth, or OpenID Connect. It does, however, affect any alternate login credentials used with these systems, so the user must have a role with login_special_email
permissions.
How do I scan the QR code if my phone camera is broken?
You don't have to scan the QR code. There is an option to enter a text code instead.
Can I enable 2FA for a subset of users?
No. When 2FA is on, it will apply to all users on your Looker instance.