Skip to main content

You've probably heard that we're rolling out two-factor authentication (2FA) soon to better protect your accounts. We understand you might have questions about what it is and how it works. 


How to activate 2FA for your Mews account(s) 

 


Have more questions?
 

Our Senior Product Manager, @Rui Oliveira , and Engineering Manager,  @David Endersby are here to help. 

Drop your 2FA questions right here in the comments below. 👇 Rui and David will be keeping an eye on this post and will respond to your questions. Feel free to leave your questions anytime, and they'll get back to you.

➡️ Before you do, don’t forget to check our FAQs; your question might already be answered there.
 

Click ‘show content’ below to view our 2FA Frequently Asked Questions 👇

 

What is two-factor authentication (2FA)? 

  • 2FA is an extra layer of security protecting your account, beyond your password. It requires a code from your phone (or another device) to log in, in addition to your password. This means even if your password is compromised, your account is still protected. 

Why is Mews making 2FA mandatory? 

  • To better protect your account and data from unauthorized access, phishing attacks, and data breaches. 
  • To meet industry compliance standards for handling sensitive data. 

When will 2FA be activated for my account? 

  • You'll receive an email with the specific date. We encourage you to set it up as soon as possible. 

How do I set up 2FA? 

  • We have a step-by-step guide and videos to help you. You can use email verification, popular authenticator apps like Google Authenticator, Microsoft Authenticator, or 1Password to store your 2FA codes. 

Will 2FA be enforced also for the mobile app?

  • Yes, log in will be enforced on an account level, independently from device. So to log in, anywhere, 2FA will be mandatory

What if I have trouble setting up 2FA? 

  • Contact our support team for assistance. 

What happens after I set up 2FA? 

  • The next time you login, you’ll be asked for your 2FA code.

What are the benefits of 2FA for me? 

  • Increase security for your account and data. 
  • Protect your business and meet industry standards. 
  • Have greater peace of mind knowing your information is better protected. 

What happens if I don’t have a phone? 

  • You can generate one-time codes in an internet browser window using plugins like 1Password. By August 12th we will also have email verification ready. 

How can I reset 2FA for my employees?  

Accounts without 2FA verification can access MEWS but cannot see any personal information on guest profiles and reservation details. Would this mean we would not need to have 2FA verification for accounts that do not need to see personal information such as housekeeping staff?

  • As off end of September, all accounts will be enforced to have 2FA enabled. Even the ones that have less data access

Is it possible to exempt certain users from using 2FA?  

  • Yes, it is possible to exempt users from needing to use 2FA. For more information on how to do this, please refer to this guide

 Is it possible for my employees to use email as their second factor? 

  • Currently, it is not possible to use email. However, we’re working on this it will be ready by August 12th. 

 What can I do to make 2FA easier to use? 

  • To make 2FA easier to use, consider using browser plugins like 1Password. These plugins can generate the authentication code directly in your browser, so you don't have to use your personal mobile phone.  Some hotels also have “hotel devices”, e.g. mobile phone or tablet, at reception for this purpose. 

When verifying through email, some of the authenticator codes are incorrect, preventing authentication.

  • Email codes have 5 minutes lifetime, but we're extending it to 10 mins to make it easier to users.
  • The authenticator app codes have a 1min lifetime, being replaced by another code, so any user needs to use the one that is active (check countdown spinner in the app)

My hotel uses SSO, do I still need 2FA? 

  • Two-factor authentication (2FA) is required for any email address that isn't part of your hotel's SSO domain. For example, if your hotel's SSO domain is "bluehotel.com" and your work email is "[email protected]," you wouldn't need 2FA for that email.  However, if you also use a personal email like "[email protected]" to access Mews, you would need to set up 2FA for that personal email address. 


Not a Mews Community member yet? Sign up now so you can be a part of the conversation. 

Hi all, I received a suggestion regarding employee privileges today. Would it be possible to have ‘exporting reports’ as an option to enable for users? 

And do you think this would have an affect in avoiding sensitive information to be downloaded from the system. 

@Jaron Shaya FYI :)

 

Thanks!


Hi all, I received a suggestion regarding employee privileges today. Would it be possible to have ‘exporting reports’ as an option to enable for users? 

And do you think this would have an affect in avoiding sensitive information to be downloaded from the system. 

@Jaron Shaya FYI :)

 

Thanks!

Hey Merel,

Thanks for the suggestion, but this isn’t really 2fa-related. We are looking into rebuilding the permissions framework soon. Keep an eye out next year for news.

 

Thanks

David



Adding this post to this thread for visibility.


Send authentication code by text/sms. This is the primary way all other apps have 2FA.

 

Emailing the authentication code takes too long.


Send authentication code by text/sms. This is the primary way all other apps have 2FA.

 

Emailing the authentication code takes too long.

Hey Marion,

Is there a specific use case you’re thinking of?

We currently offer 2FA via an authentication app as an alternative, which would be far superior to SMS and email. This app offers an instant 2FA code that is more secure than other methods (as long as you don’t give it to phishing websites) because you need the device to authenticate. 

There are some fairly significant downsides of sms 2FA:

  1. It’s vulnerable to sim swapping attacks - where an attacker duplicates/swaps your sim and can receive all messages
  2. SMSs can be intercepted in transit
  3. Cost - SMS costs money (variable by locale) and aren’t available in all jurisdictions
  4. Some people don’t have SMS plans any more (data-only plans).
  5. Is another opportunity for phishing scams

You need your phone for both the authenticator app and SMS, which has caused some issues for a few of our customers (we built email to resolve this)

 

I hope this helps

 

David


Email is the easiest method to hack. Staff and my self do not want to use an authenticator app.

 

SIM swapping is rare and would be difficult to achieve. Most banks use SMS as authentication in the US.

 

We’re disappointed in Mews implentation of 2FA. Mews development always appears to be focused on EU/GDPR/privacy compliance instead of improved functionality to hoteliers.


In the HELP article, you mention that email addresses can be excluded from 2FA. This is very important for us, as we work with a monitoring center during the night hours, and they cannot activate it because of the fact that they work on 1 account in routating shifts. Housekeeping team logs in on 1 and the same account to clean rooms. They are also not able to make use of this function. 

In short, these accounts have very limited permissions and must be excluded from 2FA.

Why is this feature not working yet, and when will it be, given your strict deadline to make 2FA mandatory?

Looking forward to your quick response.


In the HELP article, you mention that email addresses can be excluded from 2FA. This is very important for us, as we work with a monitoring center during the night hours, and they cannot activate it because of the fact that they work on 1 account in routating shifts. Housekeeping team logs in on 1 and the same account to clean rooms. They are also not able to make use of this function. 

In short, these accounts have very limited permissions and must be excluded from 2FA.

Why is this feature not working yet, and when will it be, given your strict deadline to make 2FA mandatory?

Looking forward to your quick response.

Hey @evavandeparel89,

Out of curiosity, what is the reasoning behind only having one account?

Regarding 2fa exclusion functionality, you can find it on the property settings page, under security  - https://help.mews.com/s/article/Enabling-and-disabling-mandatory-two-factor-authentication-for-employees?language=en_US#How-to-create-a-2FA-exemption-list

 

Thanks

 

David


Hi David, they work on 1 account because of the fact we work with an external housekeeping company with daily changing team. I know the help article, but the function is not working in Mews, that is the reason of my post (!). It is not possible to select e-mailaddresses.


Email is the easiest method to hack. Staff and my self do not want to use an authenticator app.

 

SIM swapping is rare and would be difficult to achieve. Most banks use SMS as authentication in the US.

 

We’re disappointed in Mews implentation of 2FA. Mews development always appears to be focused on EU/GDPR/privacy compliance instead of improved functionality to hoteliers.

I agree, Email is easy to hack if you don’t follow standard security practices, such as using strong, unique passwords (ideally from a password manager), implementing some kind of 2FA (ideally hardware key or secondary device), not sharing credentials and continually being weary of a changing threat landscape.

 

The hospitality sector continues to be an easy target for bad actors because it has yet to adopt such functionality. We refuse to stand by, instead choosing to take action to protect our customers and their guests.

 

I’m sorry that you’re disappointed with the current 2fa implementation. We will continue to refine functionality and add new features inline with worldwide security best practices.

 

David


Hi David, they work on 1 account because of the fact we work with an external housekeeping company with daily changing team. I know the help article, but the function is not working in Mews, that is the reason of my post (!). It is not possible to select e-mailaddresses.

 

It might be that Enforce 2fa is not enabled (you need to enable it before you can exclude people from it)

 

 

If its still not working, I can work with your CSM to get you more assistance


In the HELP article, you mention that email addresses can be excluded from 2FA. This is very important for us, as we work with a monitoring center during the night hours, and they cannot activate it because of the fact that they work on 1 account in routating shifts. Housekeeping team logs in on 1 and the same account to clean rooms. They are also not able to make use of this function. 

In short, these accounts have very limited permissions and must be excluded from 2FA.

Why is this feature not working yet, and when will it be, given your strict deadline to make 2FA mandatory?

Looking forward to your quick response.

Hello!

In your case, I would suggest that your external HK should not work with a Mews Account at all. Rather use some some integrated third party tool like Sweeply (for simple situations)or Hotelkit (for more complex requirements).

Best regards;

JP.

 

 

 


Dear JP,

Sorry, but you're avoiding the question. I want to know how to exclude email addresses from 2FA, not how you think our business operations should be structured.

Other employees (such as an external control room for the night shifts) also work in our Mews account with limited access, but they still need to be able to create key cards remotely (for example). I don't believe I should have to explain step by step why I'm asking a question; just provide an answer as to why the features described in your HELP article aren't active. Will this be activated before September 2, or is there another way we can exclude these users from 2FA?

Best regards,

Eva


About this: I have enabled this, but still I am NOT able to select email addresses. Can we continue this conversation by e-mail maybe?

/////


It might be that Enforce 2fa is not enabled (you need to enable it before you can exclude people from it)

 

 

If its still not working, I can work with your CSM to get you more assistance
 


Dear JP,

Sorry, but you're avoiding the question. I want to know how to exclude email addresses from 2FA, not how you think our business operations should be structured.

Other employees (such as an external control room for the night shifts) also work in our Mews account with limited access, but they still need to be able to create key cards remotely (for example). I don't believe I should have to explain step by step why I'm asking a question; just provide an answer as to why the features described in your HELP article aren't active. Will this be activated before September 2, or is there another way we can exclude these users from 2FA?

Best regards,

Eva

Hello!

I think you misunderstood my role and this forum here. I am just another user… 🙂 You are free to make of users’ comments what ever you like, or not…

This user community, I believe, is here to discover how other people are structuring their operations, share ideas, find out how others are dealing with current challenges, … and provide feedback to Mews. If you think that Mews is defective, has a bug, or does not fit you use case at all, I would think your primary contact should be your customer success manager, mews support, or the mews sales agent. Any MEWS employee here to back this up or jump right in?

Personally, I think 2FA is very important. Especially, when you share access with external users. How can you make sure they are not freely sharing the credentials, and store them safely. And we all need to structure our operations around it. I have repeatedly made suggestions here on how 2FA could be made less annoying (for example exempt certain IP ranges or require 2FA less often, use passkeys instead) - See

Kind regards,

Jean-Philipp.


Apologies, I assumed a Mews employee was responding to my question.

I completely agree that 2FA is very important, and we've been using it for all our reception and manager accounts since it became available. However, it seems a bit excessive for Mews users with very limited permissions. We would like to disable it for this group, as it significantly hinders our daily operations.

If these messages aren't addressed by Mews directly, we'll certainly reach out to our Success Manager to discuss this further.


However, it seems a bit excessive for Mews users with very limited permissions. We would like to disable it for this group, as it significantly hinders our daily operations.

 

I completely agree to your point! I think the access to personal data is the main issue. If there was a restricted account type without any access to personal information (like for housekeeping only access to room status is required), I think that could be exempted from 2FA and frequent reauthentication, as access to this account would be useless for anyone else anyway.

@Mews: maybe when restructuring the user access rights system, a totaly restricted account type without access to personal data could be implemented without 2FA?

I can imagine this to be usefull for housekeeping staff, maintenance staff, etc… a key point in data protection is to only provide the data that must be accessed to perform a given role/job - for the above roles the names, contact details, payment and financial details are irrelevant, and access should not be granted anyways. Back when we had paper only HK lists, there were no guest names on the lists…

However, for an external night shift with unknown/changing staff members (call center), this might be insufficient, as personal data needs to be access to e.g. issue new keys and verify guest ids… so for that use case, I don’t know… 2FA with TOTP might be a problem to organize (they could use a dedicated hardware device to generate the codes, maybe ...) - but for data protection it would be wise to require it, especially in that environment that is not directly under your control. Email 2FA could work I guess … so if your call center / night shift has a common email address, they could use a generic account with that email address and 2FA via email. Not perfect, but doable ?

JP.


This group (night shift) automatically receives an in-house list from Mews with only room numbers and names. They only need access to the timeline and to create a room key. In my opinion, this can be done perfectly fine without 2FA, as they don't have access to guest details. Anyway, it would be great to have a solution for this before September 2nd, so @Mews, I look forward to hearing from you soon, either here or via email.


In case people are watching this thread, I reached out to @evavandeparel89 via email and we resolved her issue.


We have been locked out of our account, and whilst I have tried to chat to support, it always takes me to the login page. Would love for you guys to help out with opening our account again (visitlaagen). Thanks!


Reply