Keeping your data safe, and that of your customers, is of paramount importance to us. Below you can find an overview of the security precautions in place for user access to the Emarsys application.

Password requirements

All Emarsys users are required to use a suitably strong password. When entering a new password for the first time, the application will check its complexity and inform you if it is not complex enough. In addition to this:

  • Each password is valid for a maximum of 180 days, after which the application will require you to change it.
  • You may be asked to change your password earlier than that, for example if a new security feature has been enabled for you, or if suspicious activity related to your account is detected.
  • You cannot reuse any of your last three passwords.

We encourage you to use an established password management tool to take care of your passwords. Emarsys does not endorse any tool in particular, but advises you to choose the one that best suits your requirements. Examples of such tools are:

If a password is compromised (lost or stolen), you should immediately request a password reset on the Emarsys login page, or inform your Account Owner and ask them to verify your user profile. They can trigger an automated email to you and your user profile will be deactivated until you click the link in the email and change your password.

Important note: Emarsys does everything it can to protect your login credentials, such as preventing browsers from saving passwords. However, some browser versions override this and will store credentials unless the user explicitly switches off this setting. Please bear this in mind when considering login security for users of your account.


To prevent brute-force attacks from being successful, users are temporarily locked out if a wrong password is entered multiple times. The default lockout period is 10 minutes, but this can vary from account to account. After the lockout period expires, the account is automatically unlocked, although Emarsys Support can bypass the expiration period and unlock the account for you if required.

Two-step login authentication

We offer the possibility to further enhance the security of user login by providing two-step authentication (also known as Two-factor Authentication or TFA).

Two-step authentication is enabled when the Account Owner activates IP access control on the Security Settings page. Once enabled, users can log in with their user name and password only from devices using recognized IP addresses (see IP Whitelisting below). Otherwise they will also have to confirm their identity using one of the two following methods:

  • Time-based authentication using a smartphone authenticator app
    This requires a one-off synchronization between your smartphone authenticator app and our server, which creates an encrypted secret string. One-time passwords are then generated using this secret, which allow you to log in securely. This method does not require any kind of mobile connectivity, which means deliverability issues are bypassed, and the login codes are generated every minute to avoid the possibility of them being reused. Applications will be available for all major smartphone platforms.

  • SMS or callback-based two-step authentication
    This requires a dedicated and verified mobile phone number for the authentication to be sent to. When logging in to the Emarsys application, a one-time password (typically a numeric code) is sent via the preferred channel, and you then use this code along with your usual credentials to log in. It is valid for five minutes only, and lasts for the duration of your session. This means that you need to use a new code every time you log in.
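
The time-based method above can be illustrated with the standard TOTP construction. This is an added example, not Emarsys code: it assumes RFC 6238 (HMAC-SHA1) with a 60-second step to match the one-minute rotation described above, six-digit codes, and a hypothetical `verify` helper that refuses a code from a window that has already been used.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: one code per minute, as described above
DIGITS = 6         # assumption: typical authenticator-app code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Both sides derive the code from the shared secret and the clock only,
    which is why no mobile connectivity is needed at login time."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_counter: int, step: int = STEP_SECONDS):
    """Return (accepted, new_last_used_counter).

    A code is accepted at most once per time window, so a code that was
    observed during a login cannot be replayed within the same minute.
    """
    counter = unix_time // step
    if counter <= last_used_counter:
        return False, last_used_counter
    expected = totp(secret, unix_time, step).encode()
    if hmac.compare_digest(expected, submitted.encode()):
        return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # constructed sample secret (RFC 4226 test key)
    code = totp(demo_secret, 75)
    print(code, verify(demo_secret, code, 75, -1), verify(demo_secret, code, 90, 1))
```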

Trusted devices

If you are using the smartphone app authentication method, your device(s) can also be defined as trusted by using the Remember this device checkbox on the login page.


If a trusted device authenticates successfully, then you can log in using your user name and password from any IP address, regardless of whether it is recognized or not. This is helpful when travelling on business, for example. As an extra layer of protection a device can only be remembered for 14 days; after this time, or if the admin password is changed in the Emarsys application, you will be prompted to log in again.

If a trusted device is lost or stolen, then you should change your password immediately to prevent the device from being used to log in. A password reset automatically revokes all trust relationships from previously configured devices, and you may re-enable two-step authentication at any time.

Note: It is highly risky to enable this feature on public or shared computers, and we do not recommend it.

IP Whitelisting

Account Owners can also request that access to your account is restricted to specific IP addresses, or ranges of addresses. When logging in from these whitelisted addresses, your user credentials (account name, user name, password) are sufficient to log in, and two-step authentication is not needed. When logging in from an unknown (i.e. non-whitelisted) IP address, two-step authentication is required to proceed.
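
The rules in the two-step, trusted-device and IP whitelisting sections combine into a single decision about when a second factor is demanded. The sketch below is an added example, not Emarsys code; the function, the `TrustedDevice` type and the sample addresses are hypothetical, while the 14-day trust lifetime and the revocation on password change come from the text above.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

TRUST_LIFETIME = timedelta(days=14)  # "a device can only be remembered for 14 days"


@dataclass
class TrustedDevice:          # hypothetical record of a "Remember this device" choice
    trusted_at: datetime


def second_factor_required(source_ip: str, allowlist: Iterable[str],
                           device: Optional[TrustedDevice],
                           password_changed_at: datetime, now: datetime,
                           ip_access_control: bool = True) -> bool:
    """True when user name and password alone are not enough to log in."""
    if not ip_access_control:
        return False                      # two-step login not enabled for the account
    addr = ipaddress.ip_address(source_ip)
    for entry in allowlist:               # single addresses or CIDR ranges
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return False                  # recognized IP: credentials suffice
    if device is not None:
        fresh = now - device.trusted_at < TRUST_LIFETIME
        not_revoked = device.trusted_at > password_changed_at
        if fresh and not_revoked:
            return False                  # trusted device may log in from any IP
    return True                           # unknown IP and no valid trust


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    allow = ["203.0.113.0/24", "198.51.100.7"]
    now = datetime(2024, 5, 20)
    pw = datetime(2024, 4, 1)
    print(second_factor_required("203.0.113.45", allow, None, pw, now))
    print(second_factor_required("192.0.2.10", allow, None, pw, now))
```

Because a password change revokes device trust, the check compares the trust timestamp with the last password change instead of relying on a separate revocation step.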

Automatic deactivation

Emarsys automatically deactivates user profiles where no login has occurred for 180 days. All data related to these users is retained indefinitely, and the account can be re-activated by Emarsys Support at any time. A password change will be necessary upon the next login for a reactivated account, and the Dashboard will automatically redirect to the password change screen.

Error messages

For a full list of error messages that you might see after a failed login attempt, and their explanation, click here.