Multi-factor Authentication (MFA) is a privacy setting that allows you to verify user identity for controlling who can safely access your Tealium account. 

In this article:

Table of Contents Placeholder

Requirements

  • Smartphone
    iOS, Android, and Windows are supported.
  • Authenticator App
    MFA works in conjunction with third-party applications like Google Authenticator and Windows Authenticator to add a layer of protection over and above your password. These applications will generate single-use, 6-digit security tokens on your smartphone specifically for your account. Ensure that you install an authenticator application that is compatible with your smartphone platform.
  • Barcode Reader App
    If you have an Android device, ensure that it has a built-in app for reading QR codes as you will need it when syncing the authenticator application with your account. This does not apply to iPhones.
  • Browser Support
    MFA is supported only on iPhone, Android, and Windows smartphones. If your smartphone is not one of them, you can use the Authenticator Chrome Extension to receive tokens from the Chrome browser. For additional details, see How to use MFA without a smartphone

How It Works

MFA is required during the login process when it has been enabled in your primary account and/or any other account that you are assigned to. MFA works in conjunction with an authenticator application to verify login requests in two steps.

When signing in to an MFA-enabled account, you are asked to provide the following:

  • Login credentials
    The username and password of your account
  • Security Code
    A 6-digit token that is generated by the authenticator app on your smartphone

Enabling or Disabling MFA for Your Account

Enabling or disabling MFA requires the Manage Accounts permissions. Only an Account Admin has the permissions required to toggle this setting.

Enabling MFA

Use the following steps to enable MFA for your account:

  1. Go to https://my.tealiumiq.com/.
  2. Click on your name/email address Account Admin menu in the top-right corner to display the drop-down list and select Manage Password Policy.
  3. Click Enable MFA for this Account.
    TiQ_Manage Password Policy_Dialog.jpg
  4. From the confirmation screen, click Enable Multi-Factor Authentication.
    The status changes to Enabled.
    TiQ_Confirm Enable MFA.jpg
  5. Click Update Password Settings and Logout to confirm.
    After logout, you will automatically be logged back in.
  6. Log into TiQ and follow the instructions to sync it up with the authenticator app.

Disabling MFA

Use the following steps to disable MFA for your account:

  1. Go to https://my.tealiumiq.com/.
  2. Click on your name/email address Account Admin menu in the top-right corner to display the drop-down list and select Manage Password Policy.
  3. Click Disable MFA for this Account.
  4. From the confirmation screen, click Disable Multi-Factor Authentication.
    The status changes to Not Enabled.
  5. Confirm your changes by clicking Update Password Settings.

Installing an Authenticator Application

Tealium MFA only accepts tokens from Google and Windows Authenticator applications. Click one of the following links for detailed information about how to install the authenticator application on your device:

Setting up Your Authenticator Application

In order for the app to start generating tokens, it has to be linked to your MFA-enabled account. Typically, you need to do this only once (except when your token is reset or you have a new device).

Use the following steps to set up our Authenticator applicaiton:

  1. Go to your MFA-enabled account and log in with the correct username and password.
    The Setup screen displays.
  2. Select your smartphone platform and then click Next.

    MFA does not support Blackberry devices. Contact your primary account holder or a Tealium account manager for assistance.

    A barcode displays.
  3. Scan the barcode using a generic barcode reader app on your smartphone.
    This step will vary depending on your smartphone platform.
    • Android: Tap Set an Account > Scan account barcode.
    • iPhone: Tap the plus icon (+) and scan the barcode.
  4. Your app will generate the first token.
  5. Enter the token in the text box next to Code and then click Verify and Save.
    A success message displays when complete.
    Scan Barcode Sample_Do Not Use.jpg

Signing into an MFA-enabled Account

Prior to signing in, the authenticator app should already be installed and synced with your account. Use the following steps to sign in to your MFA-enabled account:

  1. Go to https://my.tealiumiq.com/.
  2. Enter your username and password.
  3. Open your authenticator app to receive the token.
  4. Cut and paste or type to enter your token in the MFA TOKEN field.
    If the token is incorrect or expired, the authentication will fail and you will be denied access.
    • (Optional). If you want Tealium to remember your token for 8 hours, check the This is not a public computer checkbox. As long as you do not clear your browser history, the token is preserved for 8 hours. After the 8-hour period, you will need need reenter the token.
  5. If your token is correct and you are still unable to sign in, read the Troubleshooting tips or contact your account administrator. 

Resetting MFA Tokens

If you recently switched to a new device or a new authenticator app, your existing token must be reset. This will allow the authenticator app on your new device to generate fresh tokens. Resetting tokens will not disable the MFA setting itself. 

You can now reset your own MFA token for your primary account. Previously, only users with permission to Manage Accounts of your primary account were allowed to reset MFA tokens.

(Admins) Reset a User's MFA

  1. From the Account Admin drop-down list, click Manage Users.
  2. In the User Manager window, click the checkbox to select the user for whom the token is being reset.
  3. Click Edit/View User Settings.
  4. In left panel, click MFA Settings and then click Reset MFA Code.
    reset_mfa_token.png
  5. Close the window.

Next, notify the user to log in to their account to re-sync the app.

Reset Your Own MFA 

  1. From the user admin menu, click Edit/View User Settings.
  2. In left panel, click MFA Settings and then click Reset MFA Code.
  3. Close the window.
  4. From the user admin menu, click Logout.

Next, log back in and set up the new MFA token.

Get an MFA without a Smartphone

This section describes how to use Multi-Factor Authentication (MFA) without a smartphone when logging into Tealium.

Install the Authenticator Chrome Extension

Use the following steps to install and configure the Authenticator Chrome extension:

  1. Navigate to the Chrome Web Store and add the Authenticator Chrome Extension.
    Add Authenticator Chrome Extension.jpg
  2. When complete, move to the next section.

Log in to TiQ and Configure the Authenticator

Use the following steps to log in to TiQ and configure your Authenticator:

  1. Log into Tealium iQ Tag Management.
    The MFA setup screen displays.
    Google Authenticator Setup_Android.jpg
  2. Select Android and then click Next.

    Android is the option that is compatible with the Authenticator Chrome extension.

  3. The QR Code screen displays.
    Google Authenticator Setup_Scan QR Code.jpg
  4. Click the Authenticator icon to launch the Authenticator extension and click the pencil to add a new QR code.
    Launch Authenticator.jpg
  5. Click the + button to scan a new code.
    Launch Authenticator and Add New.jpg
  6. Click Scan QR Code.
  7. Go back to the login screen and click and drag using your mouse to draw a square over the QR Code in the page.
  8. Once completed, go back to Authenticator.
    A new entry for Tealium displays.
  9. From the TiQ login screen, enter your email and password and click Continue.
    The MFA code screen displays.
  10. Enter the 6-digit code from Authenticator in the MFA code field and click Login.
    Enter MFA Code to Log In.jpg
    That's it! You are now ready to log into Tealium using MFA without a smartphone.
  11. The next time the Tealium login screen prompts you for your MFA code, return to Authenticator to retrieve a newly generated code.

Get an MFA Code without Accessing the Authenticator

If you cannot access your authenticator, use the following steps to receive a temporary MFA code by email:

  1. Log into Tealium iQ Tag Management.
  2. From the TiQ login screen, enter your email and password and click Continue.
    The MFA code screen displays.
  3. Click Click Here to receive a temporary one.
    A message displays that a temporary MFA has been sent to your email.
    Enter MFA Code to Log In.jpg
  4. Go to your email and open the new email from support titled Tealium Temporary MFA Code.
    Temporary MFA Code Email.jpg
  5. Get the recovery code and return to the login page.
  6. Enter the code and click Login.
    Once you are logged in, Tealium recommends that you go to your account and click Edit/View User Settings > MFA Settings and reset your MFA password. 

Frequently Asked Questions (FAQ)

Account and Users

How do I find my primary account?

IInformation about your primary account can be found in the User Preferences settings.

  1. In Tealium iQ, click your name/email in the top right corner to display the Account Admin drop-down menu.
  2. Under User Preferences, click Edit/View user Settings.
  3. Your primary account is displayed in the right panel.
    Display Primary Account Name.jpg

Who can enable/disable MFA in my account?

Only an Account Admin is permitted to manage the setting. Though you cannot enable or disable MFA, any user can reset their MFA.

MFA was auto-enabled in my account on Feb 16, 2016? Can I disable it now?

Yes, but it is not recommended. Disabling MFA will remove the extra layer of protection that keeps your implementation safe from unauthorized users.

Besides Tealium iQ, which other Tealium products support MFA?

Tealium supports MFA for AudienceStream, EventStream, DataAccess, Web Companion, and Tealium Tools.

My account has multiple profiles. Does MFA apply to all of them?

Yes. MFA will apply to all profiles within your account.

I was assigned to an MFA-enabled account that is not my primary account. Will I need a token to access it?

Yes. You are subject to MFA when signing into or switching to any MFA-enabled account — regardless of whether or not it is your primary account. 

Authenticator App and Security Tokens

Tealium only supports tokens from Google and Windows Authenticator Applications on iOS, Android, and Windows phones.

How often do I have to enter my token? 

You must enter your token every time you sign in or switch to an MFA-enabled account or anytime after clearing the cookies/cache from your browser history.

How often should I set up the app to my account?

Ideally, you should only set up the application once after enabling MFA. If at any point your token was reset or you signed in from a new device, you will have to set up the application again.

Does Tealium support MFA on Blackberry?

No. At this time, only iOS, Android, and Windows operating systems are supported. You can optionally use the Authenticator Chrome extension to receive tokens from the browser.

For more information, see How to use MFA without a smartphone.

Troubleshooting Tips

I am unable to scan the barcode when setting up the authenticator application

It is possible that your smartphone does not have a built-in barcode reader app, particularly if it is an Android device. If that's the case, then download and install a generic barcode reader app.

Ensure that the app you use is designed to scan generic barcodes only – not the mail barcodes you typically see on shipping labels.

Invalid 6-digit verification code when setting up the authenticator application

If you encounter this error, the easiest thing to do is to start over. Go back to the login page, sign in with your username and password, and then proceed with the application setup steps.

Invalid MFA Token.jpg

My authenticator application has multiple entries of my synced accounts

This happens when the same barcode is scanned multiple times and does not introduce any problems. To correct, simply delete the unwanted entries and proceed to re-sync the app with your account.

duplicate entries.png

The token expired before I could enter it

Don’t worry if your token expired before you used it. You can use the next one since most apps generate fresh tokens every few seconds. How long each token lasts will depend on the app you are using.

I've tried everything and still can't sync my authenticator app 

In rare cases, there could be a timing issue on your smartphone, causing the sync to fail. Try this:

  1. Go to your smartphone's time settings, turn off the automatic time settings, and exit the settings.
  2. Reopen the settings and set the time back to automatic.
  3. Follow the steps to re-sync the app with your account.