
Ability to un-enroll from MFA

I couldn't even reply to this without jumping through your 'hoop'. I don't care about your reasoning. I think we should have the option of opting out. I now have to figure out how this will work with our elderly people who don't have cell phones. Ridiculous! Did your insurance company demand you do this?

 

 

Top Answer
Kyle_R
Employee

Hello,

As part of our new and updated feedback statuses, we wanted to update this idea to Acknowledged. There is a lot of feedback within this one thread in particular, some of which was implemented, a few things planned to be improved, and a few that most likely won’t be planned for in the near future.

First, some additional background information and more information as to the “why” of this change. From some of the comments, it feels like that question hasn’t been answered sufficiently. What’s so important and secure about email newsletters anyway? This had to do with a rise in attempted account takeovers the last several years. That is, a bad actor has somehow gained access to some account credentials and attempts to get into your account to send a spam or phishing email to your customers - potentially looking like it is from you. To be clear, this wasn’t due to any sort of Constant Contact breach, but potentially re-using credentials for your account that were no longer secure. Spam is a lucrative industry, and your Constant Contact account can be a valuable target because given our sending reputation, bad actors gaining access to Constant Contact have a better chance of hitting the inbox and getting their malicious messages read. Especially if it comes targeted to your list, looking like it is from your organization. So adding additional security measures protects your business, your subscribers, and it protects our service to ensure only legitimate permission based mail is being sent out. In this sense, the addition of MFA has been a big success to stop these kinds of attempts.

Now to address some of the feedback. Admittedly, this was quite a big change in a small amount of time. Some organizations shared one set of account credentials for all users of the account, so the need to change behavior to add additional individual users was new and taxing. It's worth noting that if you add more users to your account they can have their own MFA device for authentication. The MFA process also needs some time to learn your device and what a “normal” login looks like for your organization. So, when it’s initially turned on you do get prompted more than you would under normal circumstances. If you still find yourself getting prompted for your MFA method on every login and you normally log in on the same device/network every time, that is not working as intended. Make sure you are not using an Incognito window every time, or please contact our support team to work out what the problem may be.

We have made changes to our MFA roll-out plan due in part to the feedback we received. We are working on the ability for self-recovery of MFA tokens, so if you lose your old device or need to update your MFA device you can do so without contacting our support team. All feedback received is actively reviewed and considered. We will continue to assess this feedback and make changes accordingly, which we will communicate to this thread.


177 Comments
KirkM1
Rookie

There are a few problems with this policy for our business:

 

1) I travel a lot for work. I was told I wouldn't have to verify if using the same device/browser to access CC. Turns out, that's not true. I have to authenticate EVERY time I log in on a different wifi network. If I'm on a plane and I log in on my computer on an airplane, I now have to purchase wifi on the flight for my phone so I can authenticate constant contact on my computer that I've already used to access CC. What the hell is this?

 

2) Every time another employee logs on, I have to approve it from my cell phone. What if I'm flying? What if I'm giving a presentation? This is stupidly inconvenient. 

 

At the end of the day, making it mandatory is ridiculous. Stop with the "industry standard" bull**bleep**. My bank doesn't require MFA and I'm pretty sure that's more risky than an email list. Please allow an opt out or we will consider opting out of Constant Contact email services after 15 years. 

PS: You could also consider listening to customer feedback on copying legacy emails. 

UtahD
Marketing Legend

MFA is causing our organization stress and problems, as well. The account owner should be able to set the phone numbers for the account users. We should have a choice to use an email address. We should have a choice to disable it for users who don't have SMS. 

MorrisMuseum
Rookie

Yes, please have an option to disable this "feature".

MAPAMaui
Rookie

Agreed. The two-factor authentication is incredibly inconvenient and left us in a bind yesterday as I was out of the office and my colleagues couldn't log in to send a crucial email.

FrankM006
Campaign Contributor

The only way this works is to allow multiple users per account with variable roles and means of contact (email).
Ad Words is implementing two factor starting tomorrow. Annoying for a one man shop. But if I hire someone to work on ads I can give them access. I assume it will be their email.

 

Meanwhile, CC should hire some trained product managers that understand user personas and use cases.

MikeS713
Rookie

The MFA feature is very inconvenient. My husband and I use CC for various reasons and share 1 household account. My number is associated with the account, but I'm not around when he is trying to log in; he asks me to text him the code. The MFA feature is not recognizing either of our laptops for normal login. This feature needs to be enhanced to include an option to select 'remember this device' because it isn't happening automatically for either of us!

Hello Constant Contact

 

As you can see from the multiple complaints, this 2FA is annoying AF. We have a dynamic IP, which means our IP address changes constantly, which means we always have to go through 2FA. Sometimes the account holder is in a meeting, sometimes out of town. This is unacceptable for this type of software. There are way less intrusive methods of making your login more secure (captcha or pass phrase, just to name 2). Please allow people to opt out of this annoying "feature" that absolutely no one asked for.

AdrianC66
Rookie

At least offer the ability to use email or update cell phone numbers since people actually change cell phone numbers!

USSpeedo
Rookie

I do not understand how there is still not an option for turning this off. It looks like you have at least 3 months of feedback showing several use cases where MFA is way more trouble than it's worth to particular users. We are one of those use cases. If the platform actually remembered devices, it would be different. We are a small company. There are just 2 of us needing to log in. Each time one of us wants to, we have to deal with MFA. Why force something on your users when it doesn't make sense for them?

BrittneyS55
Rookie

The two-step verification process is extremely inconvenient. There are multiple people who use Constant Contact within our company for various reasons, and every time someone needs to log in we have to get this code. We are not all at the same location. I spoke with someone in customer care and they said there is no way to remove this. I am writing in to give you feedback and request this be changed within Constant Contact. This is not a convenient feature for us and we would prefer a security question. Thank you for your attention to this matter.