SimplyEmail

Two-factor authentication

Why two-factor authentication matters

We strive to provide you with the necessary tools to keep your account secure.

We have a split responsibility model when it comes to security: we secure our application and infrastructure, and you are responsible for keeping your account credentials and account settings secure. Two-factor authentication (or 2FA) is the best way to ensure security.

Without two-factor authentication, should your account password be compromised, your account could be subject to unauthorized access, with consequences such as:

  • credits or credit card charges as a result of emails sent from your account
  • extraction of subscriber data
  • privacy regulation implications (like GDPR)
  • brand and reputation impact from unsolicited emails that appear to come from you

By enabling two-factor authentication, your identity is verified twice using two authentication methods - a password as well as a time-based one-time password (TOTP) from your phone - which are then required in order to log in and perform key functions. These multiple layers of protection will keep your account secure.

Enabling two-factor authentication

We support multi-factor authentication in your account in two ways:

  1. Full-access users can choose to apply a security policy requiring users to set up 2FA as a condition for account access. See section Setting an account's 2FA policy for more information.
  2. Users for whom 2FA remains optional can elect to set up an authenticator for their own login.

Enable your own two-factor authentication

To enable two-factor authentication for your login:

  1. In your account, click your profile image at the top right, then select Account settings.
  2. Click the option to manage your two-factor authentication.
  3. On the next screen, click Enable two-factor authentication, then follow the on-screen instructions.

You will be prompted to install one of several authenticator apps on your phone. Note that these are only recommendations. Most authenticator apps will be sufficient, and if your organization has a standard or required application, we recommend testing that first.

Setting up an authenticator as a requirement

Setting up two-factor authentication will normally only take a couple of minutes, and may involve installing an authenticator application on your smartphone or device. In most cases it will be fine to use any authenticator you have already installed. See section Enable your own two-factor authentication for more information.

Log out from all other devices

If you want to log out from all other devices except the current one, check the Log out from all other devices checkbox during the two-factor authentication setup.

Logging out from all other devices enhances your account's security by:

  • Terminating potential unauthorized access — Ensures that any sessions on other devices, especially those you no longer use or don't recognise, are closed.
  • Protecting against public or shared device risks — Reduces the risk of your account being accessed from public or shared devices you might have used previously.
  • Ensuring exclusive session activity — Keeps your session active only on the current device, reducing the risk of unauthorized changes or access to your data and settings.

Using two-factor authentication

Once two-factor authentication is set up in your account, you will be prompted to add the access code from your authenticator app each time you log in.

You will need to get a new code from your authenticator app with each login, as the access code rotates every 30 seconds.

To ensure full security of your account, you will be required to add your 2FA access code each time you:

  • Log in (once every 24 hours), unless you have chosen not to ask again for 30 days
  • Change your password
  • Add someone to your account
  • Remove someone from your account
  • Enable 2FA in your account
  • Disable 2FA in your account

Pinning the device

When you have two-factor authentication enabled and attempt to log in to your account, you will see an option labeled "Don't ask again on this device for 30 days" on the two-factor authentication code entry screen. This option is ticked by default. Selecting this option will remember your current browser, allowing you to bypass the two-factor authentication code entry for the next 30 days when using this browser.

Additional information:

  • Multiple browsers and devices — Pinning is specific to each browser. If you use multiple browsers or devices, you will need to pin each one separately.
  • Incognito/private browsing — If you use incognito or private browsing modes, the pinning option will not work, and you will be prompted to enter your two-factor authentication code.
  • Security recommendations — For enhanced security, only pin browsers on personal devices. Avoid pinning browsers on public or shared devices to protect your account.

Unpinning the device

If you unintentionally leave the "Don't ask again on this device for 30 days" option ticked and wish to unpin the browser before the end of the 30 days, you have a couple of options:

  1. Clear browser cookies — Clearing your browser cookies will remove the device pinning. The next time you log in, you will be prompted to enter your two-factor authentication code for the current browser.
  2. Reset your two-factor authentication (2FA) — Resetting your 2FA will unpin all previously pinned browsers. The next time you log in, you will be prompted to enter your two-factor authentication code for any browser.
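One way to implement the pinning behaviour described in the two sections above (a 30-day limit, removal when cookies are cleared, and a 2FA reset unpinning every browser at once) is a signed cookie bound to the user's current 2FA enrolment. This is an added illustration, not SimplyEmail's implementation; the server key, the cookie field names and the per-user enrolment counter are assumptions.

```python
import base64
import hashlib
import hmac
import json

PIN_LIFETIME = 30 * 24 * 60 * 60  # the "30 days" from the checkbox


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_pin(server_key: bytes, user_id: str, mfa_generation: int, now: int) -> str:
    """Cookie value to set after a successful code entry with the box ticked.
    mfa_generation (assumed) is a per-user counter bumped whenever 2FA is reset or
    re-enrolled, so a reset invalidates every previously issued pin in one go."""
    payload = {"uid": user_id, "gen": mfa_generation, "exp": now + PIN_LIFETIME}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def pin_allows_skip(server_key: bytes, cookie, user_id: str, mfa_generation: int, now: int) -> bool:
    """True only if the cookie is present, untampered, unexpired, for this user and
    issued under the user's current 2FA enrolment. Any failure means: ask for the code."""
    if not cookie or "." not in cookie:
        return False  # no cookie (cleared, or private browsing): prompt for the code
    body, sig = cookie.rsplit(".", 1)
    expected = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # forged or modified cookie
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return False
    return (payload.get("uid") == user_id
            and payload.get("gen") == mfa_generation
            and now < payload.get("exp", 0))
```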

Disabling two-factor authentication

To disable two-factor authentication for your login:

  1. Click your profile image at the top right, then select Account settings.
  2. Below "People in [account name]", click manage next to your name.
  3. On the next screen, click Disable two-factor authentication, then follow the on-screen instructions.
  4. Delete the relevant entry from the Authenticator app on your phone.

If two-factor authentication is required as part of a security policy, it will not be possible to turn off two-factor authentication.

Lost authenticator or phone

If you've lost your phone or no longer have access to your authenticator app, and therefore can no longer log in to your account, you can remove two-factor authentication. To do so:

  1. Go to the login screen for your account, enter your username and password, then go to the next step.
  2. Click Lost your authenticator, enter your details, then click Send me an email.
  3. When you receive the email, follow the instructions to disable two-factor authentication. If you don't see the email, check your spam folder.
  4. Log into your account.
  5. Enable two-factor authentication again as soon as possible.