This Zoho OneAuth setup guide covers everything in one place — from the first app download to the exact Admin Console navigation path, all four authentication methods explained, backup codes you must generate before you need them, the complete recovery procedure if you are locked out after losing your phone, Mac desktop app installation, organisation-wide admin MFA enforcement, trusted device management, and troubleshooting every common failure. Whether you are setting up Zoho OneAuth as an individual user, a business owner rolling out MFA across your team, or a Zoho admin who needs to enforce authentication policies across Zoho One or Zoho CRM — this guide gives you the complete, step-by-step walkthrough that Zoho’s official documentation keeps spread across multiple pages.
Zoho OneAuth is Zoho’s official multi-factor authentication app — available for Android, iOS, Mac, and Windows. It protects every Zoho product login: Zoho CRM, Zoho Books, Zoho Mail, Zoho One, Zoho Desk, and all other Zoho applications under your account. Setting it up correctly — including backup codes and recovery options — takes 15 minutes and prevents the single biggest account security failure: a password breach leading to full account takeover.
Written by Codroid Labs — Certified Zoho Partner | April 2026 | 16 min read
Zoho Security Expert Guide
Zoho OneAuth — Key Facts at a Glance
Platforms
Android, iOS,
Mac, Windows
Mac, Windows
Auth Methods
Push, TOTP,
QR Code, Biometric
QR Code, Biometric
Backup Codes
10 one-time codes,
generate before needed
generate before needed
Cost
Free for all
Zoho account holders
Zoho account holders
Table of Contents
- What Is Zoho OneAuth?
- Download Zoho OneAuth — All Platforms
- Setup Guide — Individual User
- 4 Authentication Methods Compared
- Backup Codes — Generate and Store
- Zoho OneAuth for Mac — Desktop Setup
- Admin Guide — Enforce MFA for Organisation
- Trusted Devices Management
- Locked Out? Complete Recovery Guide
- Troubleshooting — Every Common Issue Fixed
1. What Is Zoho OneAuth?
Zoho OneAuth is Zoho’s official multi-factor authentication (MFA) app. It adds a second verification step to every Zoho account login — meaning even if someone steals your password through phishing or a data breach, they cannot access your account without also approving the second factor on your registered device.
Zoho OneAuth is not a third-party TOTP app like Google Authenticator or Authy. It is built specifically for Zoho’s ecosystem and offers deeper integration — including push notification approvals (no code to type), biometric authentication, passwordless sign-in, and organisation-wide MFA enforcement through the Zoho Admin Console. It protects every Zoho product login under your account: Zoho CRM, Zoho Books, Zoho Mail, Zoho One, Zoho Desk, Zoho People, Zoho Analytics, and all other Zoho applications.
| Feature | Zoho OneAuth | Standard TOTP App |
|---|---|---|
| Push notification approval (tap to approve) | Yes | No |
| Time-based OTP (TOTP) — works offline | Yes | Yes |
| Biometric authentication (fingerprint, face) | Yes | No |
| Passwordless login to Zoho | Yes | No |
| Mac and Windows desktop app | Yes | No |
| Admin-enforced MFA for entire organisation | Yes | No |
| Trusted device management | Yes | No |
2. Zoho OneAuth Download — All Platforms
Zoho OneAuth is available for all major platforms. Use the appropriate download link for your device. The app is free for all Zoho account holders — no additional subscription required.
Android — Google Play Store
The Zoho OneAuth Android app is available on the Google Play Store. It supports Android 6.0 and above. The app supports push notifications, TOTP, biometric fingerprint authentication, and offline TOTP code generation.
iOS — Apple App Store
The Zoho OneAuth iOS app is available on the Apple App Store. It supports iOS 13 and above, including iPhone and iPad. Supports push notification approvals, Face ID and Touch ID biometrics, and offline TOTP.
Mac — Desktop App
Zoho OneAuth for Mac is a dedicated desktop application for macOS 10.14 (Mojave) and above. Available from the Mac App Store or directly from Zoho Accounts. Allows Mac users to approve Zoho logins directly from their desktop without needing their phone. Full setup guide in Section 6.
Windows — Desktop App
Zoho OneAuth for Windows is available from the Microsoft Store. Supports Windows 10 and above. The Windows desktop app allows push approval, TOTP display, and passwordless sign-in directly from your Windows machine — ideal for office desktop setups where pulling out a phone is inconvenient.
Bundle note: Zoho OneAuth is a separate app from Zoho One (the all-in-one business suite). Zoho One is a business software bundle at ₹1,250/employee/month. Zoho OneAuth is the free authentication app used to secure logins to any Zoho product — including Zoho One.
3. Zoho OneAuth Setup Guide — Individual User (Step by Step)
This Zoho OneAuth setup guide covers the complete configuration for an individual Zoho account user. The entire process takes approximately 10-15 minutes. After setup, every Zoho product login requires your second factor from the OneAuth app.
Step 1 — Download and Install the App
Download Zoho OneAuth from the Play Store (Android) or App Store (iOS) using the links in Section 2. Open the app after installation. You will see a welcome screen with options to sign in with your Zoho account or set up without signing in. Either path works — for the tightest integration, sign in with your Zoho account credentials.
Step 2 — Open Zoho Accounts Security Settings
On your computer browser, navigate to:
accounts.zoho.com → Security → Multi-Factor Authentication
Log in with your Zoho email and password. In the Security section, find Multi-Factor Authentication and click Enroll Now or Enroll in MFA. If MFA is already enabled with a different method, you can add OneAuth as an additional or replacement method.
Step 3 — Select Zoho OneAuth as Your Authenticator
On the MFA enrollment screen, you will see multiple options: Zoho OneAuth, Google Authenticator, SMS, and others. Select Zoho OneAuth. The browser will display a QR code. This QR code links your Zoho account to the OneAuth app. Keep this browser screen open — do not close it yet.
Step 4 — Scan the QR Code in the OneAuth App
Open the Zoho OneAuth app on your phone. Tap the + icon (Add Account) or scan icon. The app will activate your camera. Point your phone camera at the QR code displayed on your computer browser. When the QR code is recognised, your Zoho account will appear in the OneAuth app immediately — usually named with your email address. A 6-digit rotating TOTP code will start displaying with a countdown timer.
Step 5 — Verify with the TOTP Code
Back in your browser, the Zoho Accounts page will ask you to enter the verification code. Enter the 6-digit code currently showing in your OneAuth app. The code refreshes every 30 seconds — if the timer shows less than 5 seconds remaining, wait for the next code. Click Verify. A success message confirms OneAuth is now linked to your Zoho account.
Step 6 — Generate Backup Codes IMMEDIATELY
After verification, the page will offer to generate backup codes. Do this now before closing the page. Backup codes are your only way back in if you lose your phone. See Section 5 for the complete backup codes guide.
Step 7 — Test Your Setup
Sign out of your Zoho account. Sign back in with your email and password. When the MFA prompt appears, approve using your OneAuth app. Successful login confirms the setup is working correctly. Test all authentication methods you intend to use (push notification, TOTP) to confirm each works before you rely on them in daily work.
Setup complete checklist: OneAuth app installed on phone. QR code scanned and account linked. TOTP code verified during enrollment. Backup codes generated and stored safely. Test login completed successfully.
4. All 4 Zoho OneAuth Authentication Methods — Compared
Zoho OneAuth supports four distinct authentication methods. Understanding when to use each one is essential for both convenience and security. You can switch between methods or set a preferred method in the OneAuth app settings at any time.
Push Notification
Most Convenient — Recommended for Daily Use
When you sign in to any Zoho product on a browser or desktop, a push notification is sent to your registered phone. You tap Approve or Deny on the notification. No code to type, no app to open. Login completes in under 3 seconds.
Requires: Active internet on your phone. Best for: Daily office use, frequent Zoho logins.
TOTP (Time-Based One-Time Password)
Most Reliable — Works Offline
A 6-digit code generated by the OneAuth app that refreshes every 30 seconds. You open the app, read the code, and type it into the Zoho login prompt. Works completely offline — no internet needed on your phone. This is the fallback method when push notifications fail.
Requires: Nothing — works offline. Best for: Travel, poor internet, as backup to push.
QR Code
For Screen-Based Authentication
The Zoho login screen displays a QR code. You open the OneAuth app, select Scan QR, and scan the code on screen with your phone camera. The login is approved immediately. Useful when your phone has no internet but your computer does — and the QR code can be scanned without network connectivity.
Requires: Phone camera. Best for: New device login, shared computer access.
Biometric
Fastest on Supported Devices
Instead of a code or push notification, you use your phone’s fingerprint scanner or face recognition to approve the Zoho login. When a login request arrives on your phone, the OneAuth app prompts you to authenticate with your fingerprint or face ID. No code to type, no tap — just biometric verification.
Requires: Phone with fingerprint or Face ID. Best for: Fastest daily authentication on supported phones.
Recommended setup: Configure Push Notification as your primary method and TOTP as your fallback. Push gives the fastest daily experience; TOTP works when your phone has no internet. Always generate backup codes as the final emergency recovery option.
5. Backup Codes — Generate, Store, and Use Them Correctly
Backup codes are the most critical — and most commonly neglected — part of any MFA setup. They are your emergency access method when your phone is lost, stolen, damaged, or simply unavailable. Most users who get locked out of Zoho did not generate backup codes during their Zoho OneAuth setup.
How to Generate Backup Codes in Zoho OneAuth
From Zoho Accounts Website
Navigate to:
accounts.zoho.com → Security → Multi-Factor Authentication → Backup Verification Codes → Generate
Zoho will generate a set of 10 backup codes. Each code is a unique alphanumeric string that can be used exactly once. After a code is used, it is permanently invalidated. When all 10 codes are used, you must generate a new set before they are all exhausted.
From the Zoho OneAuth App
Open the Zoho OneAuth app. Navigate to:
OneAuth App → Menu (top right) → Backup Codes → Generate / View
The same backup codes are accessible from the app for reference.
How to Store Backup Codes Safely
Recommended Storage Methods
- Encrypted password manager (1Password, Bitwarden, LastPass)
- Printed copy stored in a secure physical location (safe, drawer)
- Screenshot stored in a secure folder on a separate device
- Written in a physical notebook kept at home or office
Never Store Backup Codes Here
- On the same phone where OneAuth is installed
- In email (if your email is compromised, codes are too)
- In Zoho Notes or any Zoho product (locked out = no access)
- In an unencrypted plain text file on your computer
How to Use a Backup Code
When you cannot access your OneAuth app and need to sign in:
Using a Backup Code at Login
On the Zoho MFA login screen (after entering email and password), look for a link that says “Can’t access OneAuth?” or “Use a different method”. Click it and select Backup Verification Code. Enter one of your saved backup codes. The code will work for a single login only. After entry, immediately access your Security settings and regenerate backup codes to replace the one you just used.
Critical rule: After using any backup code, immediately generate a fresh set of codes from Zoho Accounts Security settings. Depleting your backup codes without regenerating them leaves you with no emergency access method.
6. Zoho OneAuth for Mac — Complete Desktop Setup
Zoho OneAuth for Mac is the desktop version of the authentication app designed for macOS users who prefer to approve Zoho logins directly from their computer without picking up their phone. This is particularly valuable for Mac users who work entirely from their desktop or MacBook and find the phone-based push notification flow disruptive to their workflow.
Installing Zoho OneAuth on Mac
Method 1 — Download from Zoho Accounts
Navigate to:
accounts.zoho.com → Security → Multi-Factor Authentication → Download OneAuth Desktop
Click Download for Mac. A .dmg file downloads. Open the .dmg, drag Zoho OneAuth to your Applications folder, and open the app from Applications. Sign in with your Zoho account credentials when prompted.
Method 2 — Mac App Store
Open the Mac App Store on your Mac. Search for Zoho OneAuth. Click Get to download and install. After installation, open the app from your Applications folder or Launchpad. Sign in with your Zoho account. The Mac App Store version updates automatically through the App Store.
Linking the Mac App to Your Zoho Account
Registering the Mac as an Authentication Device
After opening the Zoho OneAuth Mac app and signing in, navigate to:
Zoho Accounts → Security → Multi-Factor Authentication → Manage Devices → Register Device
A QR code will appear on screen. In the Mac OneAuth app, click Add Account and use the in-app QR scanner to scan the code. Your Mac is now registered as an authentication device. Future Zoho logins will send push notifications to the Mac OneAuth app — you can approve them directly from your menu bar without touching your phone.
Menu Bar Quick Access on Mac
After installation, Zoho OneAuth for Mac adds an icon to your Mac menu bar. Incoming authentication requests appear as notifications. Click Approve directly from the notification or menu bar dropdown — you never need to open the full app window for routine approvals. TOTP codes are also accessible from the menu bar for copy-paste into login forms.
7. Admin Guide — Enforce Zoho OneAuth MFA Across Your Organisation
If you manage a Zoho One organisation, Zoho CRM, or any Zoho product with multiple users, you should enforce MFA organisation-wide through the Zoho Admin Console. Enforcing MFA at the admin level means all users in your organisation must set up OneAuth before they can access any Zoho product — not just the users who choose to enable it individually.
Step 1 — Access Zoho Admin Console
Navigate to:
accounts.zoho.com/accounts/orgadmin → Security → Multi-Factor Authentication
Only the Super Admin of the organisation can enforce MFA. Standard Admin roles can view but cannot change the MFA policy. Ensure you are logged in as Super Admin before proceeding.
Step 2 — Set MFA Policy for Your Organisation
In the MFA settings, you will see three policy options: Disable MFA (not recommended), Allow users to enable MFA (optional for each user), and Enforce MFA for all users. Select Enforce MFA for all users. Set a grace period (typically 7 days) — this gives existing users time to set up OneAuth before being locked out. New users added after policy activation will be required to set up MFA during first login.
Step 3 — Configure Allowed Authentication Methods
As an admin, you can restrict which authentication methods users may use. Recommended configuration: Allow Zoho OneAuth (push and TOTP), allow backup codes, optionally allow SMS as a fallback. Consider disabling SMS as a standalone MFA method for higher-security environments — SMS codes are vulnerable to SIM-swap attacks. OneAuth push and TOTP are significantly more secure.
Step 4 — Monitor MFA Adoption Across Users
Navigate to:
Admin Console → Security → Multi-Factor Authentication → User Status
This view shows which users have enrolled in MFA, which have not yet set it up, and the method each user is using. Use this to track adoption progress and identify users who have not yet configured OneAuth before the grace period ends.
Admin reset capability: If a user is locked out of their account, the organisation Super Admin can disable MFA for that specific user from Admin Console → Users → select user → Security → Disable MFA. This allows the user to sign in and re-enroll OneAuth with their new device.
8. Trusted Devices — Manage Which Devices Skip MFA
Zoho OneAuth includes a Trusted Devices feature that allows you to mark specific browsers or computers as trusted, so you do not need to go through MFA every single time you sign in from the same device. This balances security (strangers still cannot access your account) with convenience (you do not approve a push notification every time you open a browser tab).
How Trusted Devices Work
When you log in to any Zoho product on a device and pass the MFA check, you will see a checkbox: “Don’t ask for MFA on this device for the next 30 days” or similar. Checking this box and clicking Trust registers the current browser on the current computer as trusted. For the next 30 days, Zoho logins from that specific browser will not require MFA.
Trusted device status is tied to the browser session and device fingerprint — not your network or IP address. Clearing browser cookies, switching browsers, using private/incognito mode, or accessing from a different computer will require MFA again even within the 30-day trust period.
Managing and Removing Trusted Devices
accounts.zoho.com → Security → Trusted Devices
This screen lists every device and browser currently registered as trusted. Each entry shows the device name, browser, location, and when the trust was established. If you see a device you do not recognise — or if your laptop is stolen — you can click Remove on that device to immediately revoke its trusted status. Future login attempts from that device will require full MFA again.
Security practice: Review your Trusted Devices list quarterly. Remove any devices you no longer own, any from locations you do not recognise, and any that are older than their trust period. An attacker with access to a trusted browser session does not need to pass MFA.
9. Locked Out of Zoho After OneAuth? Complete Recovery Guide
Being locked out of Zoho because you cannot access your OneAuth app is one of the most common support issues for Zoho users. Here is the complete recovery procedure for every scenario — from using backup codes to full account recovery when all methods are unavailable.
Scenario 1 — You Have Your Backup Codes
Fastest Recovery — Use a Backup Code
On the Zoho login MFA screen, click “Can’t access OneAuth?” or “Use a different method”. Select Backup Verification Code. Enter one of your saved backup codes. After login, immediately: (1) Set up OneAuth on your new device by going to Security → MFA → Add/Replace Device. (2) Generate a new set of backup codes to replace the one you just used.
Scenario 2 — You Still Have Your Phone (App Data Issue)
Phone Available — OneAuth App Problem
If your phone is available but the OneAuth app is not working correctly: (1) Check if your phone’s date and time are set to automatic — TOTP codes fail if the device clock is off by more than 30 seconds. Set Time to automatic in your phone’s Date and Time settings. (2) Re-install the OneAuth app and re-scan the QR code from Zoho Accounts Security settings. You will need a backup code to access Zoho accounts to get the new QR code if your TOTP is failing.
Scenario 3 — You Are a User in an Organisation (Admin Can Help)
Contact Your Zoho Organisation Admin
If you use Zoho as part of a company Zoho One or Zoho CRM subscription, your Super Admin can disable MFA for your account from the Admin Console. Contact your IT team or Zoho administrator. Once they disable MFA on your account, you can log in with just your password, then re-enroll OneAuth with your new phone. Your admin does not need your password or backup codes to reset your MFA — only admin access to the organisation panel.
Scenario 4 — No Backup Codes, No Admin, Lost Phone
Zoho Account Recovery Process
On the Zoho login page, after entering your email and password, click “Can’t access your account?”. Zoho will offer account recovery options: (1) Send a recovery code to your registered recovery email address. (2) Send a code to your registered mobile number. (3) Verify identity through security questions if set up. If none of these methods are available, contact Zoho Support directly. You will need to provide: your Zoho account email, your registered phone number or recovery email, proof of identity (the support team will guide you). Zoho’s account recovery process typically takes 24-48 hours for identity verification.
Prevention is the only reliable solution: Account recovery without backup codes can take 24-72 hours and is not guaranteed. The only reliable protection against lockout is: (1) generating backup codes immediately after MFA setup, and (2) storing them in at least two separate secure locations — one digital (password manager) and one physical (printed).
10. Troubleshooting — Every Common Zoho OneAuth Issue Fixed
These are the most common problems encountered during Zoho OneAuth setup and daily use, with the exact fix for each.
Push notifications from Zoho OneAuth are not being received
Fix 1 — Check notification permissions: Android: Settings → Apps → Zoho OneAuth → Notifications → Allow All. iOS: Settings → Notifications → Zoho OneAuth → Allow Notifications. Fix 2 — Battery optimisation on Android: Settings → Apps → Zoho OneAuth → Battery → set to Unrestricted. Battery optimisation kills push delivery on many Android phones (especially Samsung, Xiaomi, OnePlus). Fix 3 — Switch to TOTP temporarily while diagnosing the push issue. Open OneAuth app, enter the 6-digit TOTP code manually. This always works regardless of push notification status.
TOTP code says “Invalid” at Zoho login even though the code is correct
TOTP codes are time-synchronised — if your phone’s clock is even 60 seconds off, codes will be rejected. Fix: Android: Settings → General Management → Date and Time → Set Automatically ON. iOS: Settings → General → Date and Time → Set Automatically ON. After enabling automatic time sync, wait 30 seconds for a fresh TOTP code and try again. Also ensure you are entering the current code — not one that expired (the countdown timer shows remaining validity).
QR code scanning fails during Zoho OneAuth setup
Common causes: (1) Screen brightness is too low — increase browser window brightness or use full screen. (2) Phone camera distance — hold the phone 15-30 cm from the screen. (3) Screen glare from ambient light. (4) QR code has expired — refresh the Zoho Accounts MFA enrollment page to generate a new QR code. (5) Camera permission not granted to OneAuth — check App Permissions. If scanning continues to fail, most Zoho MFA enrollment pages have a text-based manual entry option — click “Can’t scan? Enter key manually” and type the setup key instead of scanning.
Zoho OneAuth app shows “Account not found” after reinstalling the app
Reinstalling the OneAuth app removes all stored account data — the app does not backup account configurations to the cloud automatically. You must re-add your Zoho account by scanning a new QR code. To do this: (1) Use a backup code to sign in to Zoho Accounts. (2) Go to Security → MFA → Manage Devices → Remove old device. (3) Click Enroll New Device and scan the new QR code with the freshly installed app. This is why backup codes are essential — without them, you cannot complete Step 1.
Biometric authentication stopped working in Zoho OneAuth
If fingerprint or Face ID authentication in OneAuth stops working: (1) Check if you recently updated your phone’s OS or enrolled new biometric data — this can invalidate stored biometric authorisations in apps. Re-enable biometric in OneAuth: OneAuth app → Settings → Quick Access / Biometric → Disable and re-enable. (2) Ensure biometrics are enrolled on your phone: Settings → Biometrics → verify fingerprints/face are registered. (3) If the issue persists, use TOTP or push notification as the authentication method and re-configure biometrics after an app restart.
Zoho OneAuth for Mac is not receiving push notifications from Zoho browser logins
For the Mac desktop app to receive push notifications: (1) The Mac must be signed into the same Zoho account as the browser. (2) Mac system notifications must be enabled for Zoho OneAuth: System Settings → Notifications → Zoho OneAuth → Allow Notifications ON. (3) The Mac OneAuth app must be running (check menu bar for the icon). (4) If using multiple Zoho accounts, verify the Mac app is registered under the correct account in Zoho Accounts → Security → Trusted Devices. (5) Try removing and re-registering the Mac device in Zoho Accounts Security settings.
More Zoho Security and Setup Guides from Codroid Labs:
Certified Zoho Partner — India
Need Help Setting Up Zoho Security for Your Team?
Codroid Labs configures Zoho OneAuth MFA, SPF/DKIM/DMARC email security, and admin-level security policies for Zoho One organisations across India. Free consultation — fixed price implementation.
Remote and on-site implementation across Delhi NCR, Mumbai, Bangalore, Ahmedabad, Surat, and all of India.
Frequently Asked Questions — Zoho OneAuth 2026
What is the difference between Zoho One and Zoho OneAuth?
Zoho One is Zoho’s all-in-one business software suite — 50+ integrated apps including CRM, Books, People, Mail, and Analytics at ₹1,250/employee/month. Zoho OneAuth is the free multi-factor authentication app that protects logins to all Zoho products. They are completely different products: Zoho One is a paid business software bundle; Zoho OneAuth is a free security app available to any Zoho account holder regardless of which Zoho products they subscribe to.
Is Zoho OneAuth free?
Yes. Zoho OneAuth is completely free to download and use for all Zoho account holders. There is no separate subscription fee for the authentication app itself. It is available at no cost on Android, iOS, Mac, and Windows. The only cost associated with Zoho OneAuth is the underlying Zoho account subscription (Zoho Mail, Zoho One, Zoho CRM, etc.) that you are using it to protect.
Can Zoho OneAuth be used with non-Zoho accounts?
Zoho OneAuth supports TOTP (RFC 6238 standard) for any service that provides a QR code for TOTP-based MFA — including Gmail, GitHub, Dropbox, Slack, and many others. You can add non-Zoho accounts to the OneAuth app by scanning the TOTP QR code provided by that service during their MFA setup. However, push notification approval (one-tap Approve) is exclusive to Zoho account logins — non-Zoho accounts can only use the TOTP code method in OneAuth.
What happens to Zoho OneAuth if I change my phone?
When you get a new phone, your old OneAuth app and its registered accounts do not transfer automatically. To migrate: (1) While you still have your old phone, access Zoho Accounts Security settings on a computer. (2) Install OneAuth on your new phone. (3) From Zoho Accounts, add a new device and scan the QR code with your new phone. (4) Once verified on the new phone, remove the old phone from Managed Devices in Zoho Accounts Security. If you have already lost your old phone, use a backup code to sign in and complete the re-enrollment process on the new phone.
Does Zoho OneAuth support passwordless login?
Yes. Zoho OneAuth supports passwordless login for Zoho accounts. On the Zoho login page, instead of entering your password, click “Sign in with OneAuth” or the passwordless option. Zoho sends a push notification to your registered OneAuth device. You approve it with a tap (or biometric on supported phones). You access your Zoho account without ever typing a password. Passwordless login requires your Zoho account to have OneAuth configured as the authentication app and your phone to be accessible with the app installed.
How do I disable Zoho OneAuth MFA if I no longer want it?
To disable MFA: Navigate to accounts.zoho.com → Security → Multi-Factor Authentication → Disable. You will need to verify your identity with your current MFA method or a backup code before MFA is disabled. Once disabled, Zoho logins require only your password. Note: if you are in a Zoho One organisation where the admin has enforced MFA, individual users cannot disable MFA — the admin policy takes precedence and only the Super Admin can remove the enforcement.