Emergency access to prevent lockouts
To prevent lockouts, account admins can set up emergency access for up to 20 users. These users can sign into Databricks using a password and multi-factor authentication (MFA). If you do not configure emergency access and you are locked out of Databricks, contact support.
Emergency access users can continue to use a password with MFA to log in to Databricks after end of life for Databricks-managed passwords. See End of life for Databricks-managed passwords.
Configure users for emergency access
-
As an account admin, log in to the account console and click the Settings icon in the sidebar.
-
Click the Authentication tab.
-
In Emergency access, choose up to 20 users that can sign in using emergency access. These users must register security keys.
To use emergency access in a workspace using legacy workspace-level single sign-on (unified login disabled), the user must also be a workspace admin.
-
Click Save.
It might take up to two minutes for the users to see the security key management page.
Create a password for emergency access
Users configured for emergency access log in using a Databricks-managed password and MFA. Databricks recommends configuring a strong password.
- As a user with emergency access, log in to the account console.
- Click your username in the top bar and select User preferences.
- Under Authentication, in Multi-factor authentication, click reset password.
- Follow the instructions sent to your email.
Register a security key for emergency access
A security key can be hardware-based, like a physical security key, or software-based, like a mobile authenticator app. For example, you can use a YubiKey hardware key or iCloud Keychain. Databricks recommends configuring at least one hardware key. For a list of verified security keys, see Multi-factor authentication methods. To register a security key:
- As a user with emergency access, log in to the account console.
- Click your username in the top bar and select User preferences.
- Under Authentication, next to Multi-factor authentication, click Add key.
- Click Set up and follow the browser prompts to configure your key.
After you configure your key, you will see a Databricks notification that the security key was added successfully.
Log in to Databricks using emergency access
You must be configured for emergency access to log in to Databricks using a security key. You must also be a workspace admin to log in to a workspace using legacy workspace-level SSO (unified login disabled).
To log in to Databricks using emergency access and a security key:
- As a user with emergency access, go to the account console or your workspace.
- Click Sign in with Databricks credentials.
- Enter your username and password. Click Continue.
- Follow the browser prompt to use your security key.
Multi-factor authentication methods
The following MFA methods are verified for emergency access. Databricks recommends using hardware keys, which provide the highest security as they store the cryptographic keys in a secure, tamper-proof environment. Time-based one-time passwords (TOTP) are not supported for emergency access.
Hardware keys
- Yubico YubiKey 5 Series
- Yubico YubiKey 5 FIPS Series
- Yubico Security Key Series
- Excelsecu eSecu Security Key
Software keys
- 1Password
- Bitwarden
- Dashlane
- iCloud Keychain
- Keeper
- NordPass
- Proton Pass
- Samsung Pass
- Windows Hello