Two-step authentication (OTP)

Two-step authentication in Bitrix24 protects your account if your login and password are stolen, whether by spyware or by a rogue employee. First you log in with your regular login and password, then you receive a second password in your mobile phone app and enter it. Only then can you access your account.

How to enable two-step authentication

Open your profile page > click Security.

Click Connect.

You can use any two-step authentication application with Time-based One-time Password Algorithm (TOTP).
Before using two-step authentication, it is important to set the correct time and time zone on the phone. Changing the phone's main clock is also not recommended: when you move to another location, change only the time zone, either manually or automatically.

Follow the instructions provided at the Extra Security Options page:

  • Download the Bitrix24 OTP mobile app on Google Play or on App Store;

  • Launch the application and tap the icon to add a new account;

  • Scan the QR code or enter the code manually;

  • Enter the confirmation code.

Done! You need to enter your one-time password generated in the Bitrix24 OTP app each time you log in to your Bitrix24 account.

Recovery codes

Two-step authentication in Bitrix24 is tied to a specific user's phone (the device itself, not the phone number). So if you decide to change your phone or lose it, you'll need to configure two-step authentication again. But to reconfigure it, you need to log in to your Bitrix24 and enter your one-time password. For such cases, you can use one of your Recovery codes. Each code can be used only once. We strongly recommend that you print these codes or save them to a text file.

If you've forgotten or lost your recovery codes, ask your administrator to temporarily disable the two-step authentication for you. Then configure it again after logging in.

Application passwords

If users who have activated two-step authorization are also using any outside services that synchronize data with Bitrix24 accounts (mobile and desktop apps, MS Office, MS Outlook, Google Calendars, etc.), a special separate password needs to be generated for each app in order to keep the app synchronized with Bitrix24.

You can get these passwords in the Application passwords section.

For mobile and desktop applications, the password is generated automatically when you first log in after entering the one-time password. But you can also get a special password on the "Application passwords" page first and use it instead of the password in the mobile and desktop apps.

Make two-step authentication mandatory for all users

If you want to make two-step authentication mandatory for all users, click Settings in the main menu > scroll down to the Security section and enable the Make two-step authorization mandatory for all users option. Also, you can Specify the period of time within which all the employees will have to enable two-step authentication.

Wrong OTP Error

If you have configured the OTP option correctly but the password generated by the phone OTP app is not accepted, the problem may be related to the time settings of your phone. Right now the OTP password has a validity time frame of 30 minutes. If the difference between your phone's time and your Bitrix24 time is more than 30 minutes, you won't be able to log in. You should set the same time zone for your Bitrix24 account and your phone.
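The sketch below is an added example, not Bitrix24 code: it shows why a drifting phone clock produces a "wrong OTP" by generating standard TOTP codes (RFC 6238, built on the counter-based HOTP of RFC 4226) and checking them against a server clock. The 30-second step, the treatment of the 30-minute figure as a +/- tolerance, the test secret and the sample clock errors are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default, assumed here)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 of the counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP with counter = elapsed 30 s steps.
    Unix time is zone-independent, so only the absolute clock matters."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret: bytes, code: str, server_time: int, tolerance_s: int):
    """Return the matching step offset within +/- tolerance_s, else None."""
    current = server_time // STEP
    span = tolerance_s // STEP
    for delta in sorted(range(-span, span + 1), key=abs):  # nearest first
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return delta
    return None

def demo() -> dict:
    secret = b"12345678901234567890"   # RFC 4226 test secret, not a real key
    server_time = 1_700_000_000        # constructed server clock (Unix time)
    tolerance_s = 30 * 60              # assumed +/- window, from the article's figure
    results = {}
    for skew in (0, 90, -600, 3600):   # constructed phone clock errors, seconds
        phone_code = totp(secret, server_time + skew)
        results[skew] = verify(secret, phone_code, server_time, tolerance_s)
    return results

if __name__ == "__main__":
    for skew, delta in demo().items():
        print(f"phone clock off by {skew:+5d} s ->",
              "rejected" if delta is None else f"accepted at step offset {delta:+d}")
```

A phone whose clock is off by an hour generates a code for a time step outside the accepted range, so the server rejects it even though the secret is correct.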

Two-step authentication in Bitrix24 On-Premise

Two-step authentication by time (TOTP) and by counter (HOTP) is available in Bitrix24 On-Premise version.

You can connect two-step authentication through the mobile app or through special electronic devices (key fobs, such as eToken).

First you need to enable two-step authentication in the administrative interface, in the Proactive protection > Two-step authentication section.

Make the necessary settings in the Settings tab. In particular, set the default password generation algorithm: by time (TOTP) or by counter (HOTP).

Then you can set up the connection in the public part, on the user page in My Bitrix24.

You can also connect two-step authentication in the administrative interface. Go to the user profile and select the desired option in the Two-step authentication tab.

In the administrative interface in the user profile, you can select any option to connect two-step authorization. In the public part in My Page, you can connect only in the way that is selected by default in the settings of the Proactive protection module.

If there is no Two-step authentication tab in the user profile, you need to adjust the form view or cancel its setting: click the gear in the right corner of the form and select the appropriate item.