Two-Factor Authentication


What is two-factor authentication?

Two-Factor Authentication (2FA) is an additional layer of security on your Customer.io account. By default, we require you to verify your login attempt through a magic link sent to your email. You can alternatively enable 2FA through an authentication app.

Why do you need it?

If your regular password is ever compromised or stolen, 2FA ensures that only you can log into your account because only you have the magic link or authentication code. This in turn secures your messaging system, preventing bad actors from spamming your customers.

We require 2FA for all team members who use Customer.io as an identity provider (non-SSO).

 Managing authentication with SSO

If you and your team members use SSO, we do not require 2FA. Rather, you must manage authentication settings with your SSO provider.

By default, all non-SSO accounts must verify their login attempt via email links. Alternatively, Account Admins can require 2FA via authenticator app. Check your account settings to view and manage your 2FA method.

After submitting your username and password, you will receive an email from Customer.io with a link that signs you in.

 You must click this link on the same device and browser that you submitted your username and password on. You cannot start in Safari and finish in Chrome or start on your laptop and finish on your phone.

2FA via auth app

Only Account Admins can set a Customer.io account to require 2FA via auth app for all team members. Once it’s required, team members will have to set up their auth app to continue using Customer.io.

Install an authentication app

First, make sure you have a two-factor authentication app installed. We support anything that uses Time-Based One-Time Passwords (TOTP). Some well-known examples are:

Visit your account settings

For Account Admins

Account Admins must first enable 2FA via auth app on their own account. Go to Settings > Account Settings > Team Members then click Edit your settings.

At the bottom of your account settings as an Account Admin, you see the option to manage 2fa via auth app when 2fa via email link is enabled.

Click Manage to start the process, and have your authentication app at the ready. Then click Enable.

Two-factor Authentication disabled

Make sure you download your recovery codes.

After setting up your personal account, you must then go to Settings > Account Settings > Security and click Enable Auth App to require that all team members use an auth app.

On the Security page, the first item reads: enable two-factor authentication (2FA) via an authenticator app. To the right is a button to enable this. It is disabled until an Account Admin starts to use it on their own account.

 Any team members actively using Customer.io who have not set up 2FA will be redirected to set it up. They will not be able to continue using Customer.io until they do.

For team members

Once an Account Admin requires 2FA via auth app, Customer.io directs team members to download their recovery codes and set up their auth app.

Download your recovery codes (and keep them safe)!

At the beginning of the process, you’ll get ten recovery codes. Download, print or copy these and don’t lose them! You’ll need them to regain account access if you ever lose access to your device. Once you’ve done this, press “Next”.

Recovery codes appear when a team member logs in for the first time after an Account Admin required 2fa via auth app.

Scan the QR code, and enter your authentication code

You will then see a QR code; scan it with your app, and enter the authentication code in the input box. You can also enter this code into your app manually.

Success!

That’s it! Two-factor authentication is set up. You can find your backup codes or generate new ones from your personal account settings. Click Edit your settings followed by Manage under 2FA via auth app. Just remember to get rid of the old codes if you do generate new ones.

Two factor enabled

Frequently asked questions

Can I enable two-factor authentication for the rest of the users in my account?

2FA via email link is automatically enabled across all accounts using Customer.io as an identity provider. As an Account Admin, you can enable 2FA via auth app on your personal account and then enable it for all team members.

If you are an Account Admin, you can see which type of 2FA is enabled on your team member accounts, but it’s not currently possible to enable or disable 2FA for individual team members.

I lost my device/I’m locked out! What do I do?

No problem! We’ve got a few options to get you back in:

1. Use a recovery code

Grab your backup codes from wherever you’ve saved or printed them, and use one of those at this login screen instead of your authentication code:

Two-Factor Authentication code

Note that once you use a code, you can’t use it again.

2. Have a team member remove and re-add you

If you have other team members with Account Admin privileges, have one of them remove your account and re-add you on the Team Members page.

You’ll have to re-set a password and set up two-factor authentication again, but you’ll regain access. Team member accounts have no account data associated so it’s completely safe to be removed and re-added.

3. Contact us

If you don’t have your backup codes or other Account Admin team members, you’ll need to email our customer support team (at win@customer.io) from the email address associated with your login, and we’ll work with you to verify your account details and identity. This option may take longer, but we have this process in place to help keep your account secure from social engineering attacks.
