You must be an account or portfolio Owner or Admin to set up or disable MFA for all users in your organization. Any user can set up or disable MFA for their own user account.
SMS MFA is currently in limited availability. Stay tuned!
You will learn
Learn how to set up or disable multi-factor authentication (MFA) to help make your Klaviyo account or portfolio more secure. With MFA enabled, you sign in using a username and password, then verify your identity (such as by entering a code).
Looking for information on resetting MFA for your account? Contact the account’s Owner or Admin and ask them to reset MFA for you. If you are locked out for a non-MFA reason (or are the sole account Owner), please submit a request so that we may help you.
Table of contents
In this article, we discuss the following topics:
- What is MFA?
- Why use MFA?
- How to set up MFA in Klaviyo
- How to disable MFA
- How to require or disable MFA for all users
What is multi-factor authentication (MFA)?
MFA is a simple security measure that adds a level of verification on top of your standard username and password. This extra step helps protect sensitive or confidential information that’s in the account, both for your employees and customers.
Think of MFA as locking a door. A password is similar to a standard doorknob lock: better than nothing, but it won’t stop a bad actor seriously attempting to get in.
MFA is like installing a deadbolt: it’s another step toward preventing entry, more secure, and harder to get around.
What’s the difference between MFA and two-factor authentication (2FA)?
MFA and 2FA are very similar. The key difference is the number of steps required to verify the user’s identity.
- 2FA has only 2 authentication steps.
- MFA has 2 or more authentication steps.
Why use MFA?
Every day, scammers and hackers are getting more sophisticated, targeting more companies, and leaking critical user information.
While it can seem tedious to use, you should use MFA for any online account. It’s especially important to use MFA anywhere you store your business or customer information (like in Klaviyo).
MFA is a small step, and it makes a big difference in protecting against:
- Lost or stolen login information
- Phishing or smishing attempts
- Other security weaknesses
Plus, if you enable MFA for your account, you can remain logged in to Klaviyo for a longer period of time before re-entering your credentials.
Set up MFA
SMS MFA is currently in limited availability, and the MFA setup process will look different in accounts without this feature.
There are 2 options for MFA:
- Using an authenticator app (e.g., Okta, Google Verify, OnePassword, etc.)
- Receiving a text message, also known as SMS
An authenticator app is more secure; however, SMS MFA is typically easier and more convenient. That being said, any MFA is better than no MFA.
If you prefer to get text messages, jump to the section on setting up SMS MFA.
Instructions for an authenticator app
The steps vary slightly depending on whether your account is in the limited availability for SMS MFA.
- Navigate to your account name in the bottom left corner.
- Click Settings.
- Head to the Security tab.
The next steps vary slightly depending on whether your account is part of the limited availability (LA) for SMS MFA.
If the section in the Security tab is called:
- "MFA Methods," you are part of the LA
- "Multi-factor authentication (MFA)," you are not in the LA and do not access
Please open the dropdown below that matches your experience.
Steps for section titled MFA Methods
- In the MFA Methods section, click Add method.
- Choose Set up authenticator app.
- On the next page, enter the password for your Klaviyo account.
- In Klaviyo, you’ll see a Setup page with instructions and a QR code.
- Download or open your authenticator app.
- In your app, scan or enter the code shown in Klaviyo.
  Note that the exact instructions vary by app. Please contact your authenticator app for further assistance.
- Check that your authenticator app is generating authenticator codes (also called one-time passwords, PINs, authorization codes, verification codes, etc.).
- When ready, click Continue in Klaviyo.
- Enter the authenticator code from your app.
- Click Continue.
- If set up correctly, you’ll continue to the next page.
- If not, you’ll see a “The verification code you entered is incorrect” message.
  - First, check if the code expired in your authenticator app. If so, copy the new code and try 1 more time.
  - If the code you entered is still valid or retrying the code doesn’t work:
    - Delete the current code/authorization in your authenticator app.
    - Go to step 4 to scan or enter a new QR code.
- On the next page, you’ll see 4 random backup codes; click either Copy codes or Download (.txt).
- Store the backup codes in a secure place (like an encrypted password manager or vault); note that:
- These codes will not appear after you close the modal.
- They can only be used 1 time per code.
- You cannot generate more than these 4 codes.
- If you run out of codes, you’ll need to reset your MFA and download a new set.
- Click Finish.
Steps for section titled "Multi-factor authentication (MFA)"
- Check either:
- Require for your account.
- Require for all users in your organization (note that you must be the account Owner or Admin for this option to appear).
- Click Enable in the modal that pops up.
- Download an authenticator app on your mobile device (e.g., Okta Verify or Authy).
- Open the app and scan the QR code displayed in your account.
- Type the 6-digit code into the text input in Klaviyo.
- Click Submit.
- Important: save the 5 backup authentication codes somewhere safe (like an encrypted password manager or vault); note that:
- These codes will not appear after you close the modal.
- They can only be used 1 time per code.
- You cannot generate more than these 5 codes.
- If you run out of codes, you’ll need to reset your MFA and download a new set.
You can jump ahead for details on what happens once you set up MFA.
Instructions for SMS MFA
- Navigate to your account name in the bottom left corner.
- Click Settings.
- Head to the Security tab.
- In the MFA Methods section, click Add method.
- Choose Set up SMS notification.
- On the next page, enter the password for your Klaviyo account.
- Enter your phone number.
- Click Send code.
- Wait for your phone to receive the text.
- Enter the code sent to your phone from Klaviyo. The sending number will be a random short code.
- Wait at least 30 seconds for the code to send.
- If it doesn’t arrive, check that your phone has reception and, if your phone is an Android, that the message isn’t in the Spam & blocked folder.
- Then, click Resend code.
- Note that if you resend a code, it may come from a different short code than it did the first time.
- The code may be the same as the first time, depending on how much time has passed.
- If the code matches and you don’t get an error, click Continue.
- If you see an error of “Re-authentication required. Please try again after entering your password,” you will automatically go back to step 6.
What happens after you set up MFA
Going forward, to log in to your Klaviyo account you will need to provide your password and then enter either the code sent to your phone or the code generated by your authenticator app.
What if someone gets locked out of an account?
If using SMS MFA or if you run out of backup codes for your authentication app, contact the Owner or Admin to reset MFA for your account.
If you are the only Owner on your account, you can reach out to Klaviyo Support to verify your identity and reset your MFA.
What if I use both types of MFA?
If you set up both methods of MFA, Klaviyo defaults to the authenticator app, as it’s more secure.
To only use SMS, first set it up and then disable the authenticator app. Continue reading for information on disabling an MFA method.
Disable MFA or MFA method
Fully disabling MFA (i.e., removing every MFA method) is not recommended. The only exception is if you have another security measure, such as SSO, that takes precedence.
Disable an MFA method for your own account
If MFA is enforced for all users in your account, you cannot fully remove MFA. However, when you set up MFA via both SMS and an authentication app, you can choose to disable one of these methods. You can’t remove an MFA method if it’s the only method enabled in your account.
To remove an MFA method:
- Navigate to your account name in the bottom left corner, then click Settings.
- Select Security.
- In the MFA methods section, select the 3-dot menu for the method you want to disable.
- Either:
- Click Disable (if you are part of the LA for SMS MFA)
- Uncheck the box for Require for your account.
- In the resulting modal, either:
- Authentication app: enter the authorization/one-time passcode or an unused backup code.
- SMS: click Send code, then enter the code you receive into Klaviyo.
- Click Disable in the modal.
Require or disable MFA for all users
Only an Owner or Admin can enable or remove MFA for all accounts.
To require or disable MFA for all users:
- Select your account name in the bottom left corner.
- Click Settings from the dropdown.
- Head to the Security tab.
- In the MFA methods section, toggle or check the Require for all users in your organization button on or off.