Zuora Logo

Happy Business Starts Here

No 2FA for API Users

No 2FA for API Users

Status: Under Consideration Submitted by Guru on ‎08-03-2017 08:18 AM
2 Comments (2 New)

One of our customers managed to turn on 2FA for all users, including the API users for different integrations (sfdc, customer center, etc.). It took a while for us to figure out why all of a sudden nothing was working.

Perhaps it would be a good idea to disable 2FA for API users all together?

Cheers,

Andrew

2 Comments
lukasz
Zuora Product Team
Zuora Product Team
‎08-03-2017 02:07 PM
‎08-03-2017 02:07 PM
Status changed to: Under Consideration

@Andrew8ken, interesting. We've not run into this issue before, usually 2FA and API users don't interact with each other, unless the user has both API and UI access (not best practice) and their actions with the UI locks them out. Is that the case here?

Andrew8ken
Guru
Guru
‎08-04-2017 12:52 AM
‎08-04-2017 12:52 AM

Hi Lukasz,

Unfortunately I cant nail down the exact chain of events as it was the customer who (inadvertantly) caused this. 

I dont know if they globally enabled 2FA for all users (would this activate it for API Users too?) or somehow went through and activated for each individual user including the API users. API Users are not granted UI Acces.

I noticed in the morning that I was asked to set up 2FA for my system user, but thought nothing of it. We were later testing a quoting flow in SFDC and the "create quote pdf" was constantly redirecting to the Zuora home page instead of creating the pdf / Word documents.

I found this handy article

https://community.zuora.com/t5/Zuora-for-Salesforce/Why-getting-redirected-to-the-Zuora-login-page-w...

which brought me to the root of the issue: The Salesforce API user we's set up also had 2FA activated. I saw some other integrations with their own API users were not working either and realized all of them had 2FA activated. Simply deactivating it solved everything, obviously.

I haven't gotten to the bottom of how this actually happened, the idea above would just prevent inadvertantly setting up 2FA for API Users used for external integrations and then not realizing why evrything stops working after Smiley Happy

Thanks,

Andrew