Multi-factor authentication (MFA)

Requirements

• Smartphone
  iOS, Android, and Windows are supported.
• Authenticator App
  MFA works in conjunction with third-party applications like Google Authenticator and Windows Authenticator to add a layer of protection over and above your password. These applications will generate single-use, 6-digit security token on your smartphone specifically for your account. Ensure that you install an authenticator application that is compatible with your smartphone platform.
• Barcode Reader App
  If you have an Android device, ensure that it has a built-in app for reading QR codes, as you will need it when syncing the authenticator application with your account. This does not apply to iPhones.
• Browser Support
  MFA is supported only on iPhone, Android, and Windows smartphones. If your smartphone is not one of them, you can use the Authenticator Chrome Extension to receive tokens from the Chrome browser.

How it works

MFA is required during the login process when it has been enabled in your primary account and/or any other account that you are assigned to. MFA works in conjunction with an authenticator application to verify login requests in two steps.

When signing in to an MFA-enabled account, you are asked to provide the following:

• Login credentials
  The username and password of your account
• Security Code
  A 6-digit token that is generated by the authenticator app on your smartphone

Enabling or disabling MFA for your account

Enabling or disabling MFA requires the Manage Accounts permissions. Only an Account Admin has the permissions to toggle this setting.

Enabling MFA

Use the following steps to enable MFA for your account:

1. Navigate to https://my.tealiumiq.com/.
2. In the admin menu, click Manage Password Policy.
3. Click Enable MFA for this Account.
   

   

4. From the confirmation screen, click Enable Multi-Factor Authentication.
   The status changes to Enabled.
   

   

5. Click Update Password Settings and Logout to confirm.
   After you log out, you will automatically be logged back in.
6. Log in to your account and follow the instructions to sync it up with the authenticator app.

Disabling MFA

Use the following steps to disable MFA for your account:

1. Navigate to https://my.tealiumiq.com/.
2. In the admin menu, click Manage Password Policy.
3. Click Disable MFA for this Account.
4. From the confirmation screen, click Disable Multi-Factor Authentication.
   The status changes to Not Enabled.
5. Confirm your changes by clicking Update Password Settings.

Installing an Authenticator application

Tealium MFA only accepts tokens from Google and Windows Authenticator applications. Click one of the following links for detailed information about how to install the authenticator application on your device:

• Install Google Authenticator for Android/iOS
• Microsoft Corporation: Authenticator

Setting up your Authenticator application

In order for the app to start generating tokens, it has to be linked to your MFA-enabled account. Typically, you need to do this only once (except when your token is reset or you have a new device).

Use the following steps to set up our Authenticator application:

1. Go to your MFA-enabled account and log in with the correct username and password.
   The Setup screen appears.

2. Select your smartphone platform and then click Next. A barcode appears.

   MFA does not support Blackberry devices. Contact your primary account holder or a Tealium account manager for assistance.

3. Scan the barcode using a generic barcode reader app on your smartphone.
   This step will vary depending on your smartphone platform.

   • Android: Tap Set an Account > Scan account barcode.
   • iPhone: Tap the plus icon (+) and scan the barcode.

4. Your app will generate the first token.

5. Enter the token in the text box next to Code and then click Verify and Save.

A success message appears when complete.

Signing into an MFA-enabled account

Prior to signing in, the authenticator app should already be installed and synced with your account. Use the following steps to sign in to your MFA-enabled account:

1. Navigate to Tealium iQ Tag Management.
2. Enter your username and password.
3. Open your authenticator app to receive the token.
4. Cut and paste or enter your token in the MFA TOKEN field.
   If the token is incorrect or expired, the authentication will fail and you will be denied access.
   • (Optional). If you want Tealium to remember your token for 8 hours, check the This is not a public computer checkbox. As long as you do not clear your browser history, the token is preserved for 8 hours. After the 8-hour period, you will need to reenter the token.
5. If your token is correct and you are still unable to sign in, read the Troubleshooting tips or contact your account administrator.

Resetting MFA tokens

If you recently switched to a new device or a new authenticator app, your existing token must be reset. This will allow the authenticator app on your new device to generate fresh tokens. Resetting tokens will not disable the MFA setting itself.

(Admins) Reset a user’s MFA

1. In the admin menu, click Manage Users.
2. In the User Manager window, click the checkbox to select the user for whom the token is being reset.
3. Click Edit/View User Settings.
4. In left panel, click MFA Settings and then click Reset MFA Code.
   

   

5. Close the window.

Next, notify the user to log in to their account to re-sync the app.

Reset your own MFA

1. In the admin menu, click Edit/View User Settings.
2. In left panel, click MFA Settings and then click Reset MFA Code.
3. Close the window.
4. In the admin menu, click Logout.

Next, log back in and set up the new MFA token.

Get an MFA without a smartphone

This section describes how to use Multi-Factor Authentication (MFA) without a smartphone when logging into Tealium.

Install the Authenticator Chrome Extension

Use the following steps to install and configure the Authenticator Chrome extension:

1. Navigate to the Chrome Web Store and add the Authenticator Chrome Extension.
   

   

2. When complete, move to the next section.

Log in to Tealium and configure the Authenticator

Use the following steps to log in to Tealium iQ and configure your Authenticator:

1. Log into Tealium iQ Tag Management.
   The MFA setup screen appears.
   

   

2. Select Android and then click Next.

   Android is the option that is compatible with the Authenticator Chrome extension.

3. The QR Code screen appears.
   

   

4. Click the Authenticator icon to launch the Authenticator extension and click the pencil to add a new QR code.
   

   

5. Click the + button to scan a new code.
   

   

6. Click Scan QR Code.

7. Go back to the login screen and click and drag using your mouse to draw a square over the QR Code in the page.

8. Once completed, go back to Authenticator.
   A new entry for Tealium appears.

9. From the login screen, enter your email and password and click Continue.
   The MFA code screen appears.

10. Enter the 6-digit code from Authenticator in the MFA code field and click Login.
    

    

    That’s it! You are now ready to log into Tealium using MFA without a smartphone.

11. The next time the Tealium login screen prompts you for your MFA code, return to Authenticator to retrieve a newly generated code.

Get an MFA code without accessing the Authenticator

If you cannot access your authenticator, use the following steps to receive a temporary MFA code by email:

1. Log into Tealium iQ Tag Management.
2. From the login screen, enter your email and password and click Continue.
   The MFA code screen appears.
3. Click Click Here to receive a temporary one.
   A message displays that a temporary MFA has been sent to your email.
   

   

4. Go to your email and open the new email from support titled Tealium Temporary MFA Code.
   

   

5. Get the recovery code and return to the login page.
6. Enter the code and click Login.
   Once you are logged in, we recommend that you go to your account and click Edit/View User Settings > MFA Settings and reset your MFA password.