We’ve recently made some major updates to account security with the release of Multi-Factor Authentication (MFA) as a requirement. With any change, there can be an adjustment period to get used to how it works. We wanted to make a post that contains answers to some common questions. We’ve received some great feedback on the changes so far, and encourage you to continue providing feedback so that we can make sure this process is as smooth as any other login process.
MFA is an extra layer of security for your account. In addition to your password, MFA requires a secondary factor to verify your identity when logging in. Basically, it’s just a second password that is randomly generated each time you log in.
The majority of data breaches and phishing attacks involve stolen or weak login credentials. By using an additional means to confirm it’s really you attempting to access your account, MFA can help prevent these attacks, reduce the risk of other cyber security threats (e.g. account takeovers), and protect your personal information from hackers.
How do I set up MFA in my account, if I haven’t been part of a rollout?
Constant Contact is committed to doing what is best for our customers, and account security is a major part of that. MFA is considered an industry standard, used by many online services to keep their customers’ data secure. Given the amount of sensitive data stored within our customers’ accounts, particularly contacts’ info and billing, we’re now requiring this to keep your information as safe as possible.
Since this is meant to help curb unapproved account logins, it can be instrumental in your account's security and our ability as a company to get your emails into your contacts' inboxes, instead of their spam folders. The more we can assure that an email is being sent legitimately and not by spammers, the better our sending reputation is and the more you can rely on deliverability. With that in mind, at this time there is no way to turn off this security feature.
My coworkers and I share login info. How can we get MFA available for all of us?
Sharing login credentials is never recommended. The more people / computers / networks signing in on a single login, the more at risk your information can be, especially for account owner logins, which have full access to the account (including billing info).
You can set up multiple users in either pricing plan level, with Email accounts able to have up to 5 active users (including the owner), and Email Plus having unlimited users. After enrolling in MFA, either manually or through a rollout, the next time a user logs in, they’ll be prompted to select the MFA method they prefer. If for some reason you're finding that your account isn't allowing the maximum number of users for its level, please call our Billing team so they can check our backend for any antiquated settings.
We understand your concerns; however, MFA through a personal device is the standard, most secure, and overall most convenient option. There is of course the voice call option, if you have access to a work phone. Beyond that, if you don't have data or text messaging available, the Okta and Google options are encrypted, as is standard with us as well.
If you have additional concerns and questions over privacy, we encourage you to look through our Privacy Notice. If you have questions and concerns beyond what's covered in those policies, you're welcome to reach out to privacy(at)constantcontact(dot)com for additional information, feedback, and guidance.
In this regard, we’ll need to take some extra security measures to get you logged in properly. For that reason, we’d advise calling our general support so they can confirm security permissions live with you.
By nature, email tends to be less secure when compared to authenticating through a push notification or an app, so at this point email is not an option. We are always looking to safely improve our processes though, so we appreciate any feedback we can give directly to the devs.
I set up MFA, but I’m not getting push notifications / texts / calls. How do I get logged in?
Generally you should receive an MFA notification within a few seconds of logging in and clicking SEND CODE. Depending on your network, there may be short delays when receiving MFA notifications, typically no longer than a minute in extreme cases. It’s usually worth checking whether you’re having issues accessing other apps on your device, or receiving text messages right away. If you continue to have issues, we’d advise calling our general support so they can securely assist you in accessing your account.
If you foresee yourself not having access to your mobile network fairly regularly (e.g. travelling abroad or working during flights), then we'd advise one of the MFA options available via Wi-Fi: Okta or Google Authenticator.
How do I change my MFA preference to one of the other options, or change my associated phone number?
Once you've logged into your account, you can navigate to the My Account page, and select the Reset MFA button. This will log you out and ask you to log back in once more for account security. Once you've resubmitted your username and password, you'll be prompted to select the MFA method you prefer.
If you're unable to fully log in to update your MFA preference, there'll be a link at the bottom of the code-entry page where you can start setting up a new preference, via your main account's email address.
You’ll generally want to reach out to your account owner to see what info they have currently set for your phone, as that will affect the functionality of the MFA options. If your account owner has the correct phone number associated with your Account Manager / Campaign Creator login, then you’ll be able to set up MFA for your device. If you continue to have issues logging in as a user, please call our general support team for secure assistance.
Why did I receive a “Login From New Device” email?
This email is automatically sent out when you, or someone else, tries to log into your account from a device that has never accessed Constant Contact before. It can also be triggered if you:
Deleted your cookies or cleared your web browser's cache.
Logged in from a different web browser.
Accessed Constant Contact in an incognito or private browser window.
If you recognize the activity, no action is required. If not, we recommend you reach out to the other users on your account to confirm. Otherwise, we generally advise updating your username / password.
We hope this post can help efficiently answer some common Multi-Factor Authentication questions you may have. We’re always happy to help here in the Community if you have any general questions regarding MFA. If you’re unable to call general support, we can also submit callback tickets to the support teams on your behalf. Please email social_support(at)constantcontact(dot)com with your account username and a description of your MFA issue. Make sure that the email is coming from an address verified on the account.
We hope this article was helpful in case the issue ever arises. If you need assistance with any of the above, feel free to post on our Get Help board.