Emergency access to prevent lockouts

To prevent lockouts, account admins can set up emergency access for up to 20 users. These users can sign in to Databricks using a password and multi-factor authentication (MFA). If you do not configure emergency access and you are locked out of Databricks, contact support.

Note

Emergency access users can continue to use a password with MFA to log in to Databricks after the end of life for Databricks-managed passwords. See End of life for Databricks-managed passwords.

Configure users for emergency access

  1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Authentication tab.

  3. In Emergency access, choose up to 20 users who can sign in using emergency access. These users must register security keys.

    To use emergency access in a workspace using legacy workspace-level single sign-on (unified login disabled), the user must also be a workspace admin.

  4. Click Save.

    It might take up to two minutes for the users to see the security key management page.

Create a password for emergency access

Users configured for emergency access log in using a Databricks-managed password and MFA. Databricks recommends configuring a strong password.

  1. As a user with emergency access, log in to the account console.

  2. Click the down arrow next to your username in the upper-right corner.

  3. Click User preferences.

  4. Under Authentication, in Multi-factor authentication, click reset password.

  5. Follow the instructions sent to your email.

Register a security key for emergency access

A security key can be hardware-based, like a physical security key, or software-based, like a mobile authenticator app. For example, you can use a YubiKey hardware key or iCloud Keychain. Databricks recommends configuring at least one hardware key. For a list of verified security keys, see Multi-factor authentication methods. To register a security key:

  1. As a user with emergency access, log in to the account console.

  2. Click the down arrow next to your username in the upper-right corner.

  3. Click User preferences.

  4. Under Authentication, next to Multi-factor authentication, click Add key.

  5. Click Set up and follow the browser prompts to configure your key.

After you configure your key, you will see a Databricks notification that the security key was added successfully.

Log in to Databricks using emergency access

You must be configured for emergency access to log in to Databricks using a security key. You must also be a workspace admin to log in to a workspace using legacy workspace-level SSO (unified login disabled).

To log in to Databricks using emergency access and a security key:

  1. As a user with emergency access, go to the account console or your workspace.

  2. Click Sign in with Databricks credentials.

  3. Enter your username and password. Click Continue.

  4. Follow the browser prompt to use your security key.

Multi-factor authentication methods

The following MFA methods are verified for emergency access. Databricks recommends using hardware keys, which provide the highest security because they store the cryptographic keys in a secure, tamper-proof environment. Time-based one-time passwords (TOTP) are not supported.

Hardware keys

  • Yubico YubiKey 5 Series

  • Yubico YubiKey 5 FIPS Series

  • Yubico Security Key Series

  • Excelsecu eSecu Security Key

Software keys

  • 1Password

  • iCloud Keychain

  • Bitwarden

  • Keeper

  • Samsung Pass

  • Dashlane

  • NordPass

  • Proton Pass