Emergency access for SSO

To prevent lockouts, account admins can set up single sign-on (SSO) emergency access for up to ten users. These users can sign into Databricks using a password and multi-factor authentication (MFA). If you do not configure emergency access and you are locked out of SSO, contact support.

Note

Emergency access users can continue to use a password with MFA to log in to Databricks after end of life for Databricks-managed passwords. See End of life for Databricks-managed passwords.

Configure users for emergency access

Single sign-on must be configured in the account console in order to configure emergency access. See Configure SSO in Databricks.

  1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. In Emergency access, choose up to ten users that can sign in using emergency access. These users must register security keys.

  4. Click Save.

    It might take up to two minutes for the users to see the security key management page.

Create a password for emergency access

Users configured for emergency access log in using a Databricks-managed password and MFA. Databricks recommends configuring a strong password

  1. As a user with emergency access, log in to the account console.

  2. Click the down arrow next to your username in the upper-right corner.

  3. Click User preferences.

  4. Under Authentication, in Multi-factor authentication, click reset password.

  5. Follow the instructions sent to your email.

Register a security key for emergency access

A security key can be hardware-based, like a physical security key, or software-based, like a mobile authenticator app. For example, you can use a YubiKey hardware key or iCloud Keychain. Databricks recommends configuring at least one hardware key. For a list of verified security keys, see Multi-factor authentication methods. To register a security key:

  1. As a user with emergency access, log in to the account console.

  2. Click the down arrow next to your username in the upper-right corner.

  3. Click User preferences.

  4. Under Authentication, next to Multi-factor authentication, click Add key.

  5. Click Set up and follow the browser prompts to configure your key.

After you configure your key, you will see a Databricks notification that the security key was added successfully.

Login to Databricks using a security key

To login using emergency access and a security key:

  1. As a user with emergency access, go to the account console.

  2. Click Sign in with Databricks credentials.

  3. Enter your username and password. Click Continue.

  4. Follow the browser prompt to use your security key.

Multi-factor authentication methods

The following MFA methods are verified for emergency access. Databricks recommends using hardware keys, which provide the highest security as they store the cryptographic keys in a secure, tamper-proof environment. Time-based one-time passwords (TOTP) are not supported.

Hardware keys

  • Yubico YubiKey 5 Series

  • Yubico YubiKey 5 FIPS Series

  • Yubico Security Key Series

  • Excelsecu eSecu Security Key

Software keys

  • 1Password

  • iCloud Keychain

  • Bitwarden

  • Keeper

  • Samsung Pass

  • Dashlane

  • NordPass

  • Proton Pass