Emergency access to prevent lockouts
To prevent lockouts, account admins can set up emergency access for up to 20 users. These users can sign into Databricks using a password and multi-factor authentication (MFA). If you do not configure emergency access and you are locked out of Databricks, contact support.
Configure users for emergency access
-
As an account admin, log in to the account console and click Security.
-
Click the Authentication tab.
-
In Emergency access, choose up to 20 users that can sign in using emergency access. These users must register at least one passkey (FIDO2/WebAuthn credential).
To use emergency access in a workspace using legacy workspace-level single sign-on (unified login disabled), the user must also be a workspace admin.
-
Click Save.
After you add users to the emergency access list, the Authentication section appears in their account settings. It might take up to two minutes for users to see the authentication options. Users can then add a passkey for MFA and trigger a password reset through their email.
Create a password for emergency access
Users configured for emergency access log in using a Databricks-managed password and MFA. Password must be at least eight characters long, contain at least one number, one symbol, and have a mixture of uppercase and lowercase letters.
-
As a user with emergency access, log in to the account console.
-
Click your username in the top bar and select My preferences.
-
Under Authentication, in Multi-factor authentication, click reset password.
-
Follow the instructions sent to your email to complete the password reset process.
Register a passkey for emergency access
Emergency access requires at least one passkey (FIDO2/WebAuthn credential). A passkey can be hardware-based, such as a physical security key, or platform-based, such as a built-in device authenticator. For example, you can use a YubiKey configured for FIDO2/WebAuthn, or iCloud Keychain. Databricks recommends configuring at least one hardware security key. To register a passkey:
- As a user with emergency access, log in to the account console.
- Click your username in the top bar and select My preferences.
- Under Authentication, next to Multi-factor authentication, click Add key. For a list of verified passkeys, see Multi-factor authentication methods.
- Click Set up and follow the browser prompts to configure your key.
After you configure your key, you will see a Databricks notification that the security key was added successfully.
Log in to Databricks using emergency access
You must be configured for emergency access to log in to Databricks using a passkey. You must also be a workspace admin to log in to a workspace using legacy workspace-level SSO (unified login disabled).
To log in to Databricks using emergency access and a passkey:
- As a user with emergency access, go to
https://accounts.cloud.databricks.com/login/mfa?account_id=<account-id>. Replace<account-id>with your account ID. - Enter your username and password. Click Continue.
- Follow the browser prompt to use your security key.
Multi-factor authentication methods
The following passkey types are verified for emergency access. Databricks recommends using hardware security keys, which provide the highest security as they store the cryptographic keys in a secure, tamper-proof environment.
Time-based one-time passwords (TOTP) are not supported for emergency access. This includes YubiKey in OTP/TOTP mode, Google Authenticator, Microsoft Authenticator, and similar 6-digit code generators. A YubiKey must be configured for FIDO2/WebAuthn, not OTP, to work with emergency access.
Hardware security keys
- Yubico YubiKey 5 Series (configured for FIDO2/WebAuthn)
- Yubico YubiKey 5 FIPS Series (configured for FIDO2/WebAuthn)
- Yubico Security Key Series
- Excelsecu eSecu Security Key
Platform passkeys and passkey managers
- 1Password
- Bitwarden
- Dashlane
- iCloud Keychain
- Keeper
- NordPass
- Proton Pass
- Samsung Pass
- Windows Hello