How to set up multi-factor authentication (MFA)

You will learn

Learn how to set up multi-factor authentication (MFA) to help make your Klaviyo account or portfolio more secure. With MFA enabled, you sign in using a username and password, then verify your identity (such as by entering a code). 

Looking for information on resetting MFA for your account? Contact the account’s Owner or Admin and ask them to reset MFA for you. If you are locked out for a non-MFA reason (or are the sole account Owner), please submit a request so that we may help you. 

What is multi-factor authentication (MFA)?

MFA is a simple security measure that adds a level of verification on top of your standard username and password. This extra step helps protect sensitive or confidential information that’s in the account, both for your employees and customers. 

Think of MFA as locking a door. A password is similar to a standard doorknob lock: better than nothing, but it won’t stop a bad actor seriously attempting to get in. 

MFA is like installing a deadbolt: it’s another step to preventing entry, more secure, and harder to get around. 

Why use MFA?

Every day, scammers and hackers. are getting more sophisticated, targeting more companies, and leaking critical user information. 

While it can seem tedious to use, you should use MFA for any online account. It’s especially important to use MFA anywhere you store your business or customer information (like in Klaviyo). 

MFA is a small step, and it makes a big difference in protecting against:

• Lost or stolen login information
• Phishing or smishing attempts
• Other security weaknesses

Plus, if you enable MFA for your account, you can remain logged in to Klaviyo for a longer period of time before re-entering your credentials.

Set up MFA

There are 2 options for MFA:

• Using an authenticator app (e.g., Okta, Google Verify, OnePassword, etc.)
• Receiving a text message, also known as SMS. 
  • Please note that SMS MFA is not available in all countries. 

An authenticator app is more secure; however, SMS MFA is typically easier and more convenient. That being said, any MFA is better than no MFA.

If you prefer to verify via a text message, jump to the section on setting up SMS MFA. 

Instructions for an authenticator app

1. Navigate to your account name in the bottom left corner.
2. Click Settings.
   
3. Head to the Security tab.
   
4. In the MFA Methods section, click Add method.
   
5. Choose Set up authenticator app.
   
6. On the next page, enter the password for your Klaviyo account.
   
7. In Klaviyo, you’ll see a Setup page with instructions and QR code (example shown below).
   
8. Download or open your authenticator app. 
9. In your app, scan or enter the code shown in Klaviyo.
   Note that the exact instructions vary by app. Please contact your authenticator app for further assistance. 
10. Check that your authenticator app is generating authenticator codes (also called one-time passwords, PINs, authorization codes, verification codes, etc.)
11. When ready, click Continue in Klaviyo. 
12. Enter the authenticator code from your app.
    
13. Click Continue. 
14. If set up correctly, you’ll continue to the next page. 
    • If not, you’ll see a “The verification code you entered is incorrect” message. 
      1. First, check if the code expired in your authenticator app. If so, copy the new code and try 1 more time. 
      2. If the code you entered is still valid or retrying the code doesn’t work, 
         1. Delete the current code/authorization in your authenticator app. 
         2. Go to step 4 to scan or enter a new QR code. 
15. On the next page, you’ll see 4 random backup codes; click either Copy codes or Download (.txt).
    
16. Store the backup codes in a secure place (like an encrypted password manager or vault); note that: 
    • These codes will not appear after you close the modal.
    • They can only be used 1 time per code.
    • You can not generate more than these 4 codes. 
      • If you run out of codes, you’ll need to reset your MFA and download a new set.
17. Click Finish. 

You can jump ahead for details on what happens once you set up MFA.

Instructions for SMS MFA

SMS MFA is not available in all countries. For a full list of countries where SMS MFA is blocked, please open the dropdown below. 

1. Navigate to your account name in the bottom left corner.
2. Click Settings.
3. Head to the Security tab.
4. In the MFA Methods section, click Add method. 
5. Choose Set up SMS notification.
   
6. On the next page, enter the password for your Klaviyo account.
   
7. Enter your phone number.
   
8. Click Send code. 
9. Wait for your phone to receive the text. 
10. Enter the code sent to your phone from Klaviyo. The sending number will be a random short code. 
    1. Wait at least 30 seconds for the code to send. 
       1. If it doesn’t, try checking that your phone has reception and, if your phone is an Android, that the message isn’t in the Spam & blocked folder. 
       2. Then, click Resend code.
          • Note that if you resend a code, it may come from a different short code than it did the first time. 
          • The code may be the same as the first time, depending on how much time has passed.
            
11. If the code matches and you don’t get an error, click Continue. 
    • If you see an error of “Re-authentication required. Please try again after entering your password,” you will automatically go back to step 6. 

What happens after you set up MFA

Going forward, you will need to provide your password and either input the code sent to your phone or generated by your authenticator app in order to log in to your Klaviyo account.

What if someone gets locked out of an account? 

If using SMS MFA or if you run out of backup codes for your authentication app, contact the Owner or Admin to reset MFA for your account. 

If you are the only Owner on your account, you can reach out to Klaviyo Support to verify your identity and reset your MFA. 

What if I use both types of MFA? 

If you set up both methods of MFA, Klaviyo defaults to the authenticator app, as it’s more secure. 

To only use SMS, first set it up and then disable the authenticator app. Continue reading for information on disabling an MFA method. 

Disable or change your MFA method 

Change your MFA method (paid accounts) 

While you can't disable MFA from paid accounts, you can choose which method to use.

Note that you can’t remove an MFA method if it’s the only method enabled in your account. If you want to switch your method, you must set up the new method before you can disable the old one.

Similarly, if you want to change the phone number you use for SMS MFA, you must temporarily set up the authenticator app so that you can disable and then re-enable SMS MFA with your new number. 

1. Navigate to your account name in the bottom left corner, then click Settings. 
2. Select Security.
3. Check that you have MFA set up through both the authenticator app and SMS. 
   • Paid accounts cannot fully disable MFA, so to change which method to use, you need both on your account. 
4. In the MFA methods section, select the 3-dot menu for the method you want to disable. 
5. Either:
   • Click Disable 
     
   • Uncheck the box for Require for your account.

     

6. In the resulting modal, either:
   • Authentication app: enter the authorization/one-time passcode or an unused backup code.
     
   • SMS: click Send code, then enter the code you receive into Klaviyo.
7. Click Disable in the modal. 

Additional resources

• How to reset MFA for a user's account
• User management and privileges
• How to transfer account ownership