# Two-Factor Authentication

## What is two-factor authentication?

Two-Factor Authentication (2FA) is an additional layer of security on your Customer.io account. By default, we require you to verify your login attempt through a magic link sent to your email. Alternatively, you can enable 2FA through an authentication app.

## Why do you need it?

If your regular password is ever compromised or stolen, 2FA ensures that only you can log into your account because only you have the magic link or authentication code. This in turn secures your messaging system, preventing bad actors from spamming your customers.

We require 2FA for all team members who use Customer.io as an identity provider (non-SSO).

**Managing authentication with SSO**

If you and your team members use SSO, we do not require 2FA. Rather, you must manage authentication settings with your SSO provider.

## 2FA via email link (default)

By default, all non-SSO accounts must verify their login attempt via email links. Alternatively, Account Admins can require [2FA via authenticator app](/journeys/two-factor-auth/#how-to-set-up-2fa-through-an-auth-app). Check [your account settings](https://fly.customer.io/settings/personal) to view and manage your 2FA method.

After submitting your username and password, you will receive an email from Customer.io with a link that signs you in.

You must **click this link on the same device and browser** that you submitted your username and password on. You cannot start in Safari and finish in Chrome or start on your laptop and finish on your phone.
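One common way to enforce a same-browser rule like this is to tie the emailed link to a cookie set when the password was submitted, so the link alone does not complete a login. The sketch below is an added illustration, not Customer.io's code; `start_login`, `finish_login`, the in-memory store and the 15-minute lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 15 * 60   # assumed link lifetime in seconds
_pending = {}        # sha256(link token) -> (user, sha256(browser nonce), expiry)


def _digest(value):
    # Only digests are stored, so a leaked store does not yield usable links.
    return hashlib.sha256(value.encode()).hexdigest()


def start_login(user, now=None):
    """Run after the password check; returns (token for the emailed link, cookie value)."""
    now = time.time() if now is None else now
    link_token = secrets.token_urlsafe(32)
    browser_nonce = secrets.token_urlsafe(32)   # sent only to this browser as a cookie
    _pending[_digest(link_token)] = (user, _digest(browser_nonce), now + LINK_TTL)
    return link_token, browser_nonce


def finish_login(link_token, cookie_nonce, now=None):
    """Return the user if the link is opened in the browser that started the login."""
    now = time.time() if now is None else now
    key = _digest(link_token)
    record = _pending.get(key)
    if record is None:
        return None                      # unknown or already used link
    user, nonce_digest, expiry = record
    if now > expiry:
        del _pending[key]
        return None                      # expired link
    if cookie_nonce is None or not hmac.compare_digest(_digest(cookie_nonce), nonce_digest):
        return None                      # other browser or device: cookie missing or wrong
    del _pending[key]                    # single use
    return user
```

A link opened in the wrong browser is rejected without being consumed, so the original browser can still finish the login.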

## 2FA via auth app

Only Account Admins can set a Customer.io account to [require 2FA via auth app for all team members](/journeys/two-factor-auth/#visit-your-account-settings). Once it’s required, team members will have to set up their auth app to continue using Customer.io.

### Install an authentication app

First, make sure you have a two-factor authentication app installed. We support anything that uses Time-Based One-Time Passwords (TOTP). Some well-known examples are:

*   iOS: [Google Authenticator](https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8), [Microsoft Authenticator](https://itunes.apple.com/us/app/microsoft-authenticator/id983156458?mt=8), [Authy](https://itunes.apple.com/us/app/authy/id494168017?mt=8), [Duo Mobile](https://guide.duo.com/), and [1Password](https://support.1password.com/guides/ios/)
*   Android: [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en), [Microsoft Authenticator](https://play.google.com/store/apps/details?id=com.azure.authenticator&hl=en), [Authy](https://play.google.com/store/apps/details?id=com.authy.authy&hl=en), [Duo Mobile](https://guide.duo.com/), and [1Password](https://support.1password.com/getting-started-android/)
*   Windows Phone: [Microsoft Authenticator](https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj), [Duo Mobile](https://guide.duo.com/)
*   Desktop: [1Password](https://1password.com/), [Authy (Chrome ext.)](https://chrome.google.com/webstore/detail/authy/gaedmjdfmmahhbjefcbgaolhhanlaolb)

### Visit your account settings

**For Account Admins**

Account Admins must first enable 2FA via auth app on their own account. Go to [Settings > Account Settings > Team Members](https://fly.customer.io/settings/personal) then click **Edit your settings**.

![At the bottom of your account settings as an Account Admin, you see the option to manage 2fa via auth app when 2fa via email link is enabled.](https://docs.customer.io/images/two-factor-person-account-settings.png)

Click **Manage** to start the process, and have your authentication app at the ready. Then click **Enable**.

![Two-factor Authentication disabled](https://docs.customer.io/images/two_factor_disabled.png)

Make sure you [download your recovery codes](/journeys/two-factor-auth/#download-your-recovery-codes-and-keep-them-safe).

After setting up your personal account, you must then go to [Settings > Account Settings > Security](https://fly.customer.io/settings/security) and click **Enable Auth App** to require that all team members use an auth app.

![On the Security page, the first item reads: enable two-factor authentication (2FA) via an authenticator app. To the right is a button to enable this. It is disabled until an Account Admin starts to use it on their own account.](https://docs.customer.io/images/two-factor-auth-app-setting.png)

Any team members actively using Customer.io who have not set up 2FA will be redirected to set it up. They will not be able to continue using Customer.io until they do.

**For team members**

Once an Account Admin requires 2FA via auth app, Customer.io directs team members to download their recovery codes and set up their auth app.

### Download your recovery codes (and keep them safe)!

At the beginning of the process, you’ll get ten recovery codes. Download, print or copy these and **don’t lose them**! You’ll need them to regain account access if you ever lose access to your device. Once you’ve done this, press *“Next”*.

![Recovery codes appear when a team member logs in for the first time after an Account Admin required 2fa via auth app.](https://docs.customer.io/images/require-2fa-team-view-blurred.png)

### Scan the QR code, and enter your authentication code

You will then see a QR code; scan it with your app, and enter the authentication code in the input box. You can also enter this code into your app manually.
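The QR code hands your app a shared secret; from then on the app and the server each derive the same short-lived code from that secret and the current time, which is why any TOTP app works. The following added example (not Customer.io's code) implements standard TOTP from RFC 6238 with its usual defaults (HMAC-SHA-1, 30-second steps, 6 digits), which are assumptions about this service; the secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890") in base32, the form typed in manually.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32):
    # Manually entered keys are often lower-case, grouped with spaces and unpadded.
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32, at, step=30, digits=6):
    """Code for the time step containing Unix time `at` (RFC 6238 over RFC 4226)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(_decode_secret(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, at, window=1, step=30):
    """Server-side check; `window` adjacent steps are accepted to absorb clock drift."""
    code = code.replace(" ", "")
    if not (code.isascii() and code.isdigit()):
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, at + drift * step, step), code)
        for drift in range(-window, window + 1)
    )
```

A larger `window` tolerates more clock drift between phone and server but also lengthens the time a captured code stays valid.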

### Success!

That’s it! Two-factor authentication is set up. You can find [your backup codes or generate new ones](https://fly.customer.io/settings/personal/security) from [your personal account settings](https://fly.customer.io/settings/personal). Click **Edit your settings** followed by **Manage** under 2FA via auth app. Just remember to get rid of the old codes if you do generate new ones.

![Two factor enabled](https://docs.customer.io/images/two_factor_enabled.png)

## Frequently asked questions

### Can I enable two-factor authentication for the rest of the users in my account?

2FA via email link is automatically enabled across all accounts using Customer.io as an identity provider. As an Account Admin, you can enable 2FA via auth app on your personal account and then enable it for all team members.

If you are an Account Admin, you can see which type of 2FA is enabled on your team member accounts, but it’s not currently possible to enable or disable 2FA for individual team members.

### I lost my device/I’m locked out! What do I do?

No problem! We’ve got a few options to get you back in:

**1\. Use a recovery code**

Grab your backup codes from wherever you’ve saved or printed them, and use one of those at this login screen instead of your authentication code:

![Two-Factor Authentication code](https://docs.customer.io/images/two-factor-authentication-code.png)

Note that once you use a code, you *can’t* use it again.

**2\. Have a team member remove and re-add you**

If you have other team members with Account Admin privileges, have one of them remove your account and re-add you on the [Team Members](https://fly.customer.io/settings/team) page.

You’ll have to re-set a password and set up two-factor authentication again, but you’ll regain access. Team member accounts have no account data associated so it’s completely safe to be removed and re-added.

**3\. Contact us**

If you don’t have your backup codes or other Account Admin team members, you’ll need to email our customer support team (at [win@customer.io](mailto:win@customer.io)) from the email address associated with your login, and we’ll work with you to verify your account details and identity. This option may take longer, but we have this process in place to help keep your account secure from social engineering attacks.