How Nectar handles MFA
When you connect a utility that requires MFA, the connection wizard includes an MFA configuration step. Depending on the utility, Nectar may:- Use security questions — You provide answers once and Nectar uses them on each login (e.g., Con Edison, Orange & Rockland).
- Use managed forwarding — Nectar provides a dedicated email address. You set it as the MFA destination in your utility portal.
- Use customer-inbox forwarding — You keep your existing MFA email and add a forwarding rule that sends codes to Nectar.
- Handle MFA automatically — Some utilities use OAuth or other flows that don’t require user-side MFA configuration (e.g., PECO, BGE, Pepco, Delmarva Power, Atlantic City Electric).
What “MFA Token Expired” means
When a connection shows MFA Token Expired, it means Nectar attempted to log in but could not complete the MFA step. Common causes:- The forwarding rule was disabled or blocked by your email provider.
- The utility portal changed its MFA sender address or code format.
- The MFA destination was changed on the utility portal.
- A security question answer changed on the portal.
- Corporate email policies silently blocked external forwarding.
Triage flow: fixing an MFA connection
When you see MFA Token Expired, work through these options in order. Pick the first one that works for your situation.Can you upload bills instead?
If the MFA issue is difficult to resolve, you can always upload PDF bills directly. The parsed output — meters, accounts, usage data — is identical to what automated collection produces, and no portal or email configuration is required.Best for: Facility managers who already receive bills by email, or when IT won’t approve portal/email changes.
Can you disable MFA on the utility portal?
Many utility portals make MFA optional. If you can turn it off in the portal’s security settings, do that — then reconnect to refresh the stored credentials.Best for: Portals where MFA is optional and your organization doesn’t mandate it on utility accounts.
Can you use security questions?
Some utilities (like Con Edison and Orange & Rockland) support security questions as the MFA method. If your portal offers this option, set up security questions and provide the answers during the connection wizard. Security question answers can be shared across your organization — anyone on your team can reconnect using the same answers.Best for: Utilities in the Con Edison family. See Con Edison guide.
Can you set a Nectar email as the MFA destination? (Managed forwarding)
Nectar provides a unique email address for your connection. Set that address as the MFA code destination in the utility portal’s account settings. When a code is sent, Nectar receives it directly and completes the login.Best for: Most MFA connections where security questions aren’t available. This is the most reliable forwarding method.
Can you forward codes from your own inbox? (Customer-inbox forwarding)
Keep your existing MFA email on the utility portal and add an auto-forwarding rule in your inbox that sends MFA emails to Nectar’s address.Best for: Personal email accounts where you can’t change the portal’s MFA destination.
Is the portal SMS-only? (Beta)
For utility portals that only support phone-based MFA, Nectar can provision a phone number that receives SMS codes. Contact [email protected] to request access to this beta feature.
Options summary
| # | Option | What you do | Best for |
|---|---|---|---|
| 1 | Upload documents | Email or upload PDF bills directly | Everyone — no portal changes needed |
| 2 | Disable MFA | Turn off MFA in the utility portal’s security settings | Portals where MFA is optional |
| 3 | Security questions | Set up and share security question answers | Con Edison, Orange & Rockland, and similar portals |
| 4 | Managed forwarding | Set a Nectar-provided email as your MFA destination | Most MFA connections — recommended forwarding method |
| 5 | Customer-inbox forwarding | Auto-forward MFA emails from your inbox to Nectar | Personal email accounts only |
| 6 | SMS relay (beta) | Set a Nectar-provided phone number as MFA destination | Portals that only support SMS codes |
Utility-specific guides
Some utilities have unique MFA or security workflows. Use these guides for step-by-step instructions tailored to each provider:Utilities with special MFA handling
PG&E
Add Nectar as authorized user — email forwarding not supported.
Con Edison
Security questions — shareable across your organization.
Orange and Rockland
Security questions (same platform as Con Edison).
Duke Energy
Disable MFA or set up email OTP forwarding.
Potomac Edison
Disable two-step verification (optional on FirstEnergy).
Enbridge Gas
Email forwarding or upload bills (authenticator mandatory since Dec 2022).
Utilities with email MFA forwarding
Washington Gas
MFA triggered on login from new locations.
Southwest Gas
Standard email MFA forwarding.
San Diego Gas & Electric
Email forwarding via My Energy Center portal.
EWEB
Disable MFA or email forwarding.
HRSD
Disable MFA or email forwarding.
Elizabethtown Gas
Disable MFA or email forwarding.
City of Kitchener
Disable MFA or email forwarding.
Utilities with no MFA configuration needed
These utilities use login flows that don’t require user-side MFA setup:PECO
Standard credentials only (Exelon OAuth).
Pepco
Standard credentials only (Exelon OAuth).
Baltimore Gas and Electric
Standard credentials only (Exelon OAuth).
Delmarva Power
Standard credentials only (Exelon OAuth).
Atlantic City Electric
Standard credentials only (Exelon OAuth).
PSEG New Jersey
CAPTCHA handled automatically — no MFA needed.
Setting up MFA forwarding
Start the connection or reconnect flow
The wizard detects that MFA is required and shows the MFA configuration step. If your utility has a specific recommended action, it will be displayed at the top of the step.
Choose your forwarding type
Managed forwarding (recommended): Nectar provides a dedicated email. You update the utility portal to send codes there. Nectar can also auto-forward the raw code to additional email addresses you specify, so you continue to see your codes.Customer-inbox forwarding: You keep your current MFA email and add a forwarding rule in your inbox that sends utility MFA emails to Nectar’s address.
Configure on the utility portal
Follow the utility-specific guide (linked above) or the general instructions shown in the wizard to update your MFA settings.
Delegating MFA setup
If someone else owns the utility credentials — a client, building manager, or account owner — send them a reconnect invitation instead of running the flow yourself. The recipient gets a link to a hosted reconnect page where they can update the password or refresh MFA forwarding on their own. See Invitations for details on creating and managing reconnect invitations.Preventing MFA disconnections
To reduce the chance of a connection breaking due to MFA:- Keep MFA forwarding current — when codes stop reaching Nectar, the connection shows MFA Token Expired until you reconnect and refresh forwarding.
- Check the Needs Attention tab on the Connections page regularly to catch MFA issues early.
- Prefer managed forwarding over inbox forwarding — inbox forwarding rules can be silently disabled by corporate email policies.
- Share security question answers across your team — if one person leaves, others can still reconnect using the same answers.
- Consider uploading bills for utilities where MFA is consistently problematic.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| MFA Token Expired after working for weeks | Email forwarding rule disabled by IT policy | Switch to managed forwarding (option 4) or upload bills |
| ”MFA Required” shown but utility doesn’t prompt you for MFA | MFA is triggered by new/unknown devices — Nectar logs in from a different IP | Set up forwarding so Nectar can receive the code when it’s triggered |
| Forwarding confirmed but still MFA Token Expired | Forwarding rule sends to wrong address, or code format not recognized | Verify the forwarding address matches exactly what Nectar provided |
| Security question mismatch | Answer stored in Nectar doesn’t match what the portal expects | Reconnect and re-enter your security question answers |
| Codes arrive but connection still fails | The utility rotated its MFA sender address; forwarding filter no longer matches | Update your email filter to match the new sender, or switch to managed forwarding |
| MFA works intermittently | Rate limiting or anti-bot detection on the utility portal | Contact [email protected] — this may require engineering investigation |
Related pages
Reconnecting
How to update credentials and refresh MFA forwarding.
Connection wizard
Full walkthrough of the connection setup flow.
Troubleshooting
All connection statuses, upload issues, and when to contact support.
Invitations
Delegate reconnect and MFA setup to account owners.
Uploads
Upload bills directly — the simplest alternative to MFA.
MFA integration (developers)
API-level MFA handling, webhooks, and the recommendation ladder.