Emergency access to prevent lockouts
To prevent lockouts, account admins can set up emergency access for up to 20 users. These users can sign in to Databricks using a password and multi-factor authentication (MFA). If you do not configure emergency access and you are locked out of Databricks, contact support.
Configure users for emergency access
- As an account admin, log in to the account console and click Security.
- Click the Authentication tab.
- In Emergency access, choose up to 20 users that can sign in using emergency access. These users must register security keys.
  To use emergency access in a workspace using legacy workspace-level single sign-on (unified login disabled), the user must also be a workspace admin.
- Click Save.
After you add users to the emergency access list, the Authentication section appears in their account settings. It might take up to two minutes for users to see the authentication options. Users can then add a security key for MFA and trigger a password reset through their email.
Create a password for emergency access
Users configured for emergency access log in using a Databricks-managed password and MFA. The password must be at least eight characters long, contain at least one number and one symbol, and include a mixture of uppercase and lowercase letters.
- As a user with emergency access, log in to the account console.
- Click your username in the top bar and select My preferences.
- Under Authentication, in Multi-factor authentication, click reset password.
- Follow the instructions sent to your email to complete the password reset process.
Register a security key for emergency access
A security key can be hardware-based, like a physical security key, or software-based, like a mobile authenticator app. For example, you can use a YubiKey hardware key or iCloud Keychain. Databricks recommends configuring at least one hardware key. To register a security key:
- As a user with emergency access, log in to the account console.
- Click your username in the top bar and select My preferences.
- Under Authentication, next to Multi-factor authentication, click Add key. For a list of verified security keys, see Multi-factor authentication methods.
- Click Set up and follow the browser prompts to configure your key.
After you configure your key, you will see a Databricks notification that the security key was added successfully.
Log in to Databricks using emergency access
You must be configured for emergency access to log in to Databricks using a security key. You must also be a workspace admin to log in to a workspace using legacy workspace-level SSO (unified login disabled).
To log in to Databricks using emergency access and a security key:
- As a user with emergency access, go to https://accounts.cloud.databricks.com/login/mfa?account_id=<account-id>. Replace <account-id> with your account ID.
- Enter your username and password. Click Continue.
- Follow the browser prompt to use your security key.
Multi-factor authentication methods
The following MFA methods are verified for emergency access. Databricks recommends using hardware keys, which provide the highest security as they store the cryptographic keys in a secure, tamper-proof environment. Time-based one-time passwords (TOTP) are not supported for emergency access.
Hardware keys
- Yubico YubiKey 5 Series
- Yubico YubiKey 5 FIPS Series
- Yubico Security Key Series
- Excelsecu eSecu Security Key
Software keys
- 1Password
- Bitwarden
- Dashlane
- iCloud Keychain
- Keeper
- NordPass
- Proton Pass
- Samsung Pass
- Windows Hello