Two-Factor Authentication
What is two-factor authentication?
Two-Factor Authentication (2FA) is an additional layer of security on your Customer.io account. By default, we require you verify your login attempt through a magic link sent to your email. You can alternatively enable 2FA through an authentication app.
Why do you need it?
If your regular password is ever compromised or stolen, 2FA ensures that only you can log into your account because only you have the magic link or authentication code. This in turn secures your messaging system, preventing bad actors from spamming your customers.
We require 2FA for all team members who use Customer.io as an identity provider (non-SSO).
Managing authentication with SSO
If you and your team members use SSO, we do not require 2FA. Rather, you must manage authentication settings with your SSO provider.
2FA via email link (default)
By default, all non-SSO accounts must verify their login attempt via email links. Alternatively, Account Admins can require 2FA via authenticator app. Check your account settings to view and manage your 2FA method.
After submitting your username and password, you will receive an email from Customer.io with a link that signs you in.
You must click this link on the same device and browser that you submitted your username and password on. You cannot start in Safari and finish in Chrome or start on your laptop and finish on your phone.
2FA via auth app
Only Account Admins can set a Customer.io account to require 2FA via auth app for all team members. Once it’s required, team members will have to set up their auth app to continue using Customer.io.
Install an authentication app
First, make sure you have a two-factor authentication app installed. We support anything that uses Time-Based One-Time Passwords (TOTP). Some well-known examples are:
- iOS: Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile, and 1Password
- Android: Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile, and 1Password
- Windows Phone: Microsoft Authenticator, Duo Mobile
- Desktop: 1Password, Authy (Chrome ext.)
Visit your account settings
For Account Admins
Account Admins must first enable 2FA via auth app on their own account. Go to Settings > Account Settings > Team Members then click Edit your settings.
Click Manage to start the process, and have your authentication app at the ready. Then click Enable.
Make sure you download your recovery codes.
After setting up your personal account, you must then go to Settings > Account Settings > Security and click Enable Auth App to require all team members use an auth app.
Any team members actively using Customer.io who have not set up 2FA will be redirected to set it up. They will not be able to continue using Customer.io until they do.
For team members
Once an Account Admin requires 2FA via auth app, Customer.io directs team members to download their recovery codes and set up their auth app.
Download your recovery codes (and keep them safe)!
At the beginning of the process, you’ll get ten recovery codes. Download, print or copy these and don’t lose them! You’ll need them to regain account access if you ever lose access to your device. Once you’ve done this, press “Next”.
Scan the QR code, and enter your authentication code
You will then see a QR code; scan it with your app, and enter the authentication code in the input box. You can also enter this code into your app manually.
Success!
That’s it! Two-factor authentication is set up. You can find your backup codes or generate new ones from your personal account settings. Click Edit your settings followed by Manage under 2FA via auth app. Just remember to get rid of the old codes if you do generate new ones.
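The code your authenticator app shows is derived from the secret inside the QR code using the TOTP algorithm (RFC 6238). The Python below is an added example, not Customer.io's code: it computes what the app shows, verifies a submitted code server-side with a small clock-drift window, and models recovery codes that work exactly once. The HMAC-SHA1, 30-second step and 6-digit parameters are assumptions matching the defaults of the apps listed above; the secret in the test is the public RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 defaults that the listed authenticator apps use: HMAC-SHA1, 30-second step, 6 digits (assumed).
STEP_SECONDS = 30
DIGITS = 6

def totp(secret_b32: str, unix_time: int) -> str:
    """Compute the code an authenticator app shows for a base32 secret at unix_time."""
    cleaned = secret_b32.replace(" ", "").upper()  # manually typed secrets often contain spaces
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # tolerate unpadded secrets
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or +/- `window` steps to absorb clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted.strip()):  # constant-time comparison
            return True
    return False

def new_recovery_codes(count: int = 10) -> list[str]:
    """Ten single-use codes, issued once at setup; the user must download them right away."""
    return [secrets.token_hex(5) for _ in range(count)]

class RecoveryCodeStore:
    """Server keeps only hashes of the codes; each code is consumed on first successful use."""
    def __init__(self, codes: list[str]) -> None:
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.remove(digest)  # a used code can never be used again
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```

Regenerating codes means building a fresh store, which is why the old printed codes must be discarded.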
Frequently asked questions
Can I enable two-factor authentication for the rest of the users in my account?
2FA via email link is automatically enabled across all accounts using Customer.io as an identity provider. As an Account Admin, you can enable 2FA via auth app on your personal account and then enable it for all team members.
If you are an Account Admin, you can see which type of 2FA is enabled on your team member accounts, but it’s not currently possible to enable or disable 2FA for individual team members.
I lost my device/I’m locked out! What do I do?
No problem! We’ve got a few options to get you back in:
1. Use a recovery code
Grab your backup codes from wherever you’ve saved or printed them, and use one of those at the login screen instead of your authentication code.
Note that once you use a code, you can’t use it again.
2. Have a team member remove and re-add you
If you have other team members with Account Admin privileges, have one of them remove your account and re-add you on the Team Members page.
You’ll have to reset your password and set up two-factor authentication again, but you’ll regain access. Team member accounts have no account data associated with them, so it’s completely safe to be removed and re-added.
3. Contact us
If you don’t have your backup codes or other Account Admin team members, you’ll need to email our customer support team (at win@customer.io) from the email address associated with your login, and we’ll work with you to verify your account details and identity. This option may take longer, but we have this process in place to help keep your account secure from social engineering attacks.