Ability to un-enroll from MFA

I couldn't even reply to this without jumping through your 'hoop'. I don't care about your reasoning. I think we should have the option of opting out. I now have to figure out how this will work with our elderly people who don't have cell phones. Ridiculous! Did your insurance company demand you do this?

Top Answer
Kyle_R
Employee

Hello,

As part of our new and updated feedback statuses, we wanted to update this idea to Acknowledged. There is a lot of feedback within this one thread in particular, some of which was implemented, a few things planned to be improved, and a few that most likely won’t be planned for in the near future.

First, some additional background information and more information as to the “why” of this change. From some of the comments, it feels like that question hasn’t been answered sufficiently. What’s so important and secure about email newsletters anyway? This had to do with a rise in attempted account takeovers over the last several years. That is, a bad actor has somehow gained access to some account credentials and attempts to get into your account to send a spam or phishing email to your customers - potentially looking like it is from you. To be clear, this wasn’t due to any sort of Constant Contact breach, but potentially re-using credentials for your account that were no longer secure. Spam is a lucrative industry, and your Constant Contact account can be a valuable target because given our sending reputation, bad actors gaining access to Constant Contact have a better chance of hitting the inbox and getting their malicious messages read. Especially if it comes targeted to your list, looking like it is from your organization. So adding additional security measures protects your business, your subscribers, and it protects our service to ensure only legitimate permission-based mail is being sent out. In this sense, the addition of MFA has been a big success to stop these kinds of attempts.

Now to address some of the feedback. Admittedly, this was quite a big change in a small amount of time. Some organizations shared one set of account credentials for all users of the account, so the need to change behavior to add additional individual users was new and taxing. It's worth noting that if you add more users to your account they can have their own MFA device for authentication. The MFA process also needs some time to learn your device and what a “normal” login looks like for your organization. So, when it’s initially turned on you do get prompted more than you would under normal circumstances. If you still find yourself getting prompted for your MFA method on every login and you normally log in on the same device/network every time, that is not working as intended. Make sure you are not using an Incognito window every time, or please contact our support team to work out what the problem may be.

We have made changes to our MFA roll-out plan due in part to the feedback we received. We are working on the ability for self-recovery of MFA tokens, so if you lose your old device or need to update your MFA device you can do so without contacting our support team. All feedback received is actively reviewed and considered. We will continue to assess this feedback and make changes accordingly, which we will communicate to this thread.


177 Comments
JaimeM
Campaign Collaborator

While protecting information is a necessity, requiring MFA through phones without allowing users to opt out shows little consideration for small companies. Every single option provided requires the use of a phone. Unilaterally deciding that all companies have phones available for every person (or even just every person that works in the email marketing account) is remarkably out of touch with a world that has drastically shifted to email and virtual meetings for communications.

Not every person in a small company is provided with a phone – desk or mobile. We cannot require that employees use personal devices for work purposes. So now, small companies have two options. 1) waste money to provide all employees who use Constant Contact with a phone just to be able to access the site, (which is particularly difficult as many budgets were cut due to the pandemic currently raging) or 2) reduce the number of people who have access to the account and can perform their required job duties. Neither option is appealing nor necessary. We need to be able to unenroll so that all of our staff can continue performing their job duties.

If you absolutely must require us to use MFA, then you have to provide options that do not all require the exact same capabilities. Six options that all require the same tool is one option dressed six different ways. A very simple addition – one that is used for authentication on a wide variety of sites – is to simply send an email with a verification code. 

WELC
Rookie

We would also like to disable the MFA from our account. Please keep us posted on when that can happen.

ModaHealth
Campaign Collaborator

We do not want or need the 2FA. How to turn it off?

ECSAdmin
Rookie

At least offer email as a verification option!!!

AlixaS
Rookie

We will close our account as this cell phone option is not possible for us. No one can do their work, it is causing endless frustration. I am sure we can find a different mailing service that treats its clients better.

TheSecretList
Rookie

THIS NEEDS TO BE REMOVED IMMEDIATELY FROM MY ACCOUNT - FAILURE TO DO SO WILL RESULT IN LOSS OF MY BUSINESS!

TheSecretList
Rookie

We will be closing our account over this joke 2 factor authentication. Such crap - we have a group of users - I don't need an extra step - thanks for putting something in place that was never needed - stupid computer geeks building this **bleep** - go back to your mom's basement

TanD
Rookie

MFA activated using the company cell phone.

CC claims:
"Once enabled, MFA will only be required when accessing your account from a new device that our system does not recognize. MFA will not be required each time you log in to your Constant Contact account."

So I've logged into multiple uses devices so that CC system can recognize the device.
However, our devices (which have received MFA once before) still receive a prompt to provide the SMS verification code every time we log in from the same device, same browser. This is a REAL HASSLE.

Constant Contact - What happened?
Why do we still need an MFA prompt every time we access our account from the same device???

We really need email as an option for the MFA. Authentication code sent via cell phone DOES NOT WORK for our organization. Thanks for considering!

KayCarbaugh
Campaign Collaborator

I need to be able to turn this off! Using multiple accounts and multiple devices, I find that when I need access to Constant Contact, I rarely have easy access to the code I need to get in. It's costing me lots of time and frustration.