Admin settings - Two-factor authentication

Looker provides two-factor authentication (2FA) as an additional layer of security to protect data that is accessible through Looker. With 2FA enabled, every user who logs in must authenticate with a one-time code generated by their mobile device. There is no option to enable 2FA for a subset of users.

The Two-Factor Authentication page in the Authentication section of the Admin menu lets you enable and configure 2FA.

Two-factor authentication does not affect Looker API use.

Two-factor authentication does not affect authentication through external systems such as LDAP, SAML, Google OAuth, or OpenID Connect. 2FA does affect any alternate login credentials used with these systems.

Using two-factor authentication

Following is the high-level workflow for setting up and using 2FA. Please note the time synchronization requirements, which are required for correct operation of 2FA.

  1. Administrator enables 2FA in Looker's admin settings.

    When you enable 2FA, any users logged in to Looker will be logged out and will have to log back in using 2FA.

  2. Individual users install the Google Authenticator iPhone app or Android app on their mobile devices.

  3. At first login, a user will be presented with a picture of a QR code on their computer screen, which they will need to scan with their phone using the Google Authenticator app.

    If the user can't scan a QR code with their phone, there is also an option to generate a text code that they can enter on their phone.

    After completing this step, the users will be able to generate authentication keys for Looker.

  4. On subsequent logins to Looker, the user will need to enter an authentication key after submitting their username and password.

    If a user enables the This is a trusted computer option, the key authenticates the login browser for a 30-day window. During this window the user can log in with username and password alone. Every 30 days Looker requires each user to re-authenticate the browser with Google Authenticator.

Time synchronization requirements

Google Authenticator produces time-based tokens, which require time synchronization between the Looker server and each mobile device in order for the tokens to work. If the Looker server and a mobile device are not synchronized, this can cause the mobile device user to be unable to authenticate with 2FA. To synchronize time sources:

  • Set mobile devices for automatic time synchronization with the network.
  • For customer-hosted Looker deployments, ensure that NTP is running and configured on the server. If the server is provisioned on AWS, you might need to explicitly allow NTP in the AWS Network ACL.
  • A Looker admin can set the maximum allowed time-drift in the Looker Admin panel, which defines how much of a difference is permitted between the server and mobile devices. If a mobile device's time setting is off by more than the allowed drift, authentication keys will not work. The default is 90 seconds.

Resetting two-factor authentication

If a user needs to have their 2FA reset (for example, if they have a new mobile device):

  1. In the Users page in the Admin section of Looker, click Edit on the right-hand side of the user's row to edit the user's account information.
  2. In the Two-Factor Secret section, click Reset. This causes Looker to prompt the user to rescan a QR code with the Google Authenticator app the next time they attempt to log in to the Looker instance.