Each Emarsys user can edit their own profile on their My Profile page. This is accessible via the drop-down menu in the upper right corner.
- Verifying your profile
- Login details
- Changing your password
- Password security requirements
- Regional details
- Personal details
- User security
- Share account
Verifying your profile
Your first step as an Emarsys user will be to verify that the email address associated with your user profile is correct. You do this by clicking the link on the invitation email that is sent to you when your profile is created. You will then need to set your password and complete the rest of the settings described below.
You will not be able to log in to the Platform before you verify your email address.
The verification process can also be triggered in other ways:
- If you do not log in to your account for 180 days your profile will be deactivated. Your Account Owner will then need to trigger the verification process before you can log in to the account again.
- Account Owners can also manually deactivate a user profile, for example to restrict access to the Platform for a period of time.
- The only way that you can change the email address associated with your profile is for the Account Owner to deactivate your profile and trigger a verification email to the new address.
- The verification link in the email is only valid for a certain time. If the link is no longer valid, or you no longer have the email, your Account Owner must trigger the process again.
Here you can change your login user name, change your password, and enable two-step login authentication via smartphone app.
Changing your password
To maintain the security of your user profile, Emarsys will ask you to change your password every 180 days.
You can also do this at any time by clicking Change Password. This will send an email to the email address associated with your user, containing a link that will direct you to the reset password page.
Emarsys will evaluate your password and, if it passes the security criteria, will reset it for you.
Password security requirements
All Emarsys users are required to use a suitably strong password. When entering a new password for the first time, the application will check its complexity and inform you if it is not complex enough. In addition to this:
- Passwords are valid for a maximum of 180 days, after which the application will require you to change it.
- You may be requested to change your passwords earlier than that, for example if a new security feature has been enabled for you, or if suspicious activity related to your account is detected.
- You cannot reuse any of your recent passwords.
We encourage you to use an established password management tool to take care of your passwords. Emarsys does not endorse any tool in particular, but advises you to choose the one that best suits your requirements. Examples of such tools are:
If a password is compromised (lost or stolen), you should immediately reset it on the Emarsys login page, or inform your Account Owner and ask them to verify your user profile. They can trigger an automated email to you and your user profile will be deactivated until you click the link in the email and change your password.
Important note: Emarsys does everything it can to protect your login credentials, such as preventing browsers from saving passwords. However, some browser versions override this and will store credentials unless the user explicitly switches off this setting. Please bear this in mind when considering login security for users of your account.
Here you can change your interface language, the default language of the fields used in forms and emails, your timezone, preferred date and time format, and the unit of distance (for use in Geolocation segments, for example).
- The date/time format is purely a display issue - it will not affect the way date fields are handled, either on import or on export.
- There may still be some screens in Emarsys which do not recognize the format you choose here. Our development team is busy identifying and fixing these issues.
Here you can change your first name and last name (if your Account Owner did not enter them for you).
For security reasons, your access role and email address can only be changed by your Account Owner.
You should also verify your mobile phone number. This requires nothing more than entering the number and clicking Verify mobile number. You will then be asked to enter the code that Emarsys sends you via SMS.
Your mobile phone number will only be used for two-step authentication, if this is enabled by your Account Owner.
Finally, you can also define which web page in the Platform opens after you log in, by selecting from the Start page drop-down. The pages available here will depend on your Access role.
Your Access role determines which pages you can see in the Platform. If you are denied access to a page, or have previously bookmarked one which is no longer available, speak to your Account Owner and check that your permissions are correctly configured to meet your needs.
To prevent brute-force attacks from being successful, users are temporarily locked out if a wrong password is entered multiple times. The default lockout period is 10 minutes, but this can be changed on demand.
After the lockout period expires, the account is automatically unlocked, although Emarsys Support can bypass the expiration period and unlock the account for you if required.
Two-step login authentication
We offer the possibility to further enhance the security of user login by providing two-step authentication (also known as Two-factor Authentication or TFA).
Two-step authentication is enabled when the Account Owner activates IP access control on the Security Settings page. Once enabled, users can log in with their user name and password only from devices using recognized IP addresses (see IP Whitelisting below). Otherwise they will also have to confirm their identity using one of the two following methods:
Time-based authentication using a smartphone authenticator app (recommended)
This requires a one-off synchronization between your smartphone authenticator app and our server. This process generates a shared secret between your phone and our application. One-time passwords are then generated using this secret, which allow you to log in securely.
This method does not require any kind of mobile connectivity, which means deliverability issues are bypassed, and the login codes are generated every 30 seconds to avoid the possibility of them being reused. Authenticator applications are available for all major smartphone platforms.
SMS or callback-based two-step authentication
This requires a dedicated and verified mobile phone number for the authentication to be sent to. When logging in to the Emarsys application, a one-time password (typically a numeric code) is sent via the preferred channel, and you then use this code on along with your usual credentials to log in. It is valid for five minutes only, and lasts for the duration of your session. This means that you need to use a new code every time you log in.
This method depends on third-party services and is therefore not as reliable as time-based authentication.
Configuring an Authenticator App
Two-step authentication (IP access control) is enabled by the Account Owner and is automatically active for all users who have a verified mobile phone number (see below). However, most smartphones also have authenticator apps which will provide time-based authentication codes.
An authenticator app is the preferred method as it is offline (no Internet connection required) and works without delay or delivery issues.
Click Configure Authenticator App to open a wizard which will lead you through the instructions for all major operating systems.
Once installed on your phone, just scan the QR code and enter the code it generates.
Once enabled, Emarsys will accept the codes generated by your authenticator app when you log in. Please be aware that codes are highly time-sensitive (valid for ~1 minute). If you enter a code but submit it late, it may be rejected. In this case, enter a fresh code and submit again.
This authentication method also gives you the chance ask Emarsys to Remember your device. This will allow you to log in for 14 days from that device using only your user name and password, regardless of the IP address.
Changing your password will invalidate all your trusted devices.
If you are using the smartphone app authentication method, your device(s) can also be defined as trusted by using the Remember this device checkbox on the login page.
If a trusted device authenticates successfully, then you can log in from it using your user name and password from any IP address, regardless of whether it is recognized or not. This is helpful when travelling on business, for example.
As an extra layer of protection a device can only be remembered for 14 days; after this time, or if your user password is changed in the Emarsys application, you will be prompted to log in again.
If a trusted device is lost or stolen, then you should change your password immediately to prevent the device from being used to log in. A password reset automatically revokes all trust relationships from previously configured devices.
Note: It is highly risky to enable this feature on public or shared computers, and we do not recommend it.
Account Owners can also request that access to your account is restricted to specific IP addresses, or ranges of addresses.
- When logging in from these whitelisted addresses, your user credentials (account name, user name, password) are sufficient to log in, and two-step authentication is not needed.
- When logging in from an unknown IP address (i.e. non-whitelisted address), then two-step authentication will be required to proceed.
Emarsys automatically deactivates user profiles where no login has occurred for 180 days. All data related to these users is retained indefinitely, and the account can be re-activated by an Account Owner at any time.
A password change will be necessary upon the next login for a reactivated account, and the Dashboard will automatically redirect to the password change screen.
Login error messages
For a full list of error messages that you might see after a failed login attempt, and their explanation, click here.