MFA implementation violates basic IT policy

SOLVED
CourtneyS00
Campaign Contributor
0 Votes

The implementation of CC's MFA makes it impossible to have two employees with global permissions on the account. This is very basic IT policy at almost every organization. We ran into issues previously because of this poor implementation of allowing only one 'owner' and cannot take any chances on repeating the circumstance of an employee abruptly leaving while also being the only employee with global access to the CC account. Are there any plans to allow two 'owners' on an account? If not, this will be a CC deal breaker for us.

1 ACCEPTED SOLUTION
William_A
Administrator
0 Votes

Hello @CourtneyS00 ,

Each account is only ever allowed one account owner login with this much accessibility. Both this, and the MFA method, are done for the sake of account security - ensuring customers, especially those with large lists, don't get their accounts compromised. We do have existing feature requests on expanding the customization of users' permissions / adding more user levels, etc. - but nothing specific for allowing multiple logins with the ability to manage everything in the account.

While we wouldn't normally recommend it, if you're expecting to have more than one person who needs full access to everything on the account at all times (including the ability to view and edit billing info, the ability to manage and remove other users, etc.), then I'd advise the following setup:

  • Use the phone call MFA method and an office phone that any of the "owners" can easily access
  • Use an email address that any of the "owners" can easily access (something like IT@ or office@)

One thing to keep in mind is that if you're using a more generic email address that any applicable IT person in your organization could potentially access, that means you could also just have everyone but the true owner as Account Managers. Once the original owner leaves, it'd be a simple matter of the next-in-line "owner" resetting the MFA method from the login page using the generic email they already have access to. Then they could get their phone number and preferred MFA method associated with the credentials instead.

Again, while I wouldn't generally recommend this kind of setup for the sake of account security (you can always just go through a standard Account Ownership transfer if necessary), this is going to be the best way to set up the account for your preferred convenience, based on what you're describing.

See also:

Verifying addresses

Updating the account owner / main email address



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
William A
Community & Social Media Support
