> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nectarclimate.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Multi-factor authentication (MFA)

> How Nectar handles utility portals that require multi-factor authentication — options, triage flow, and utility-specific guides.

<Tip>
  **For developers:** See [MFA integration](/developer-guide/mfa-integration) for API-level handling,
  webhooks, and the full recommendation ladder.
</Tip>

Some utility portals require a second verification step — a code sent by email or SMS, a security question, or an authenticator prompt — every time someone logs in. Because Nectar accesses portals on a schedule (not from your device), it needs a way to receive those codes too.

This page explains how MFA works with Nectar, walks through the decision tree for fixing MFA-related connection issues, and links to utility-specific guides where the setup process varies.

## How Nectar handles MFA

When you connect a utility that requires MFA, the [connection wizard](/platform/data-input/connection-wizard) includes an MFA configuration step. Depending on the utility, Nectar may:

* **Use security questions** — You provide answers once and Nectar uses them on each login (e.g., Con Edison, Orange & Rockland).
* **Use managed forwarding** — Nectar provides a dedicated email address. You set it as the MFA destination in your utility portal.
* **Use customer-inbox forwarding** — You keep your existing MFA email and add a forwarding rule that sends codes to Nectar.
* **Handle MFA automatically** — Some utilities use OAuth or other flows that don't require user-side MFA configuration (e.g., PECO, BGE, Pepco, Delmarva Power, Atlantic City Electric).

Once configured, Nectar completes logins without manual intervention.

## What "MFA Token Expired" means

When a connection shows **MFA Token Expired**, it means Nectar attempted to log in but could not complete the MFA step. Common causes:

* The forwarding rule was disabled or blocked by your email provider.
* The utility portal changed its MFA sender address or code format.
* The MFA destination was changed on the utility portal.
* A security question answer changed on the portal.
* Corporate email policies silently blocked external forwarding.

To fix this, click **Reconnect** on the connection and follow the [reconnect flow](/platform/data-input/reconnecting#mfa-token-expired).

## Triage flow: fixing an MFA connection

When you see **MFA Token Expired**, work through these options **in order**. Pick the first one that works for your situation.

<Steps>
  <Step title="Can you upload bills instead?">
    If the MFA issue is difficult to resolve, you can always [upload PDF bills](/platform/data-input/uploads) directly. The parsed output — meters, accounts, usage data — is identical to what automated collection produces, and no portal or email configuration is required.

    **Best for:** Facility managers who already receive bills by email, or when IT won't approve portal/email changes.
  </Step>

  <Step title="Can you disable MFA on the utility portal?">
    Many utility portals make MFA optional. If you can turn it off in the portal's security settings, do that — then [reconnect](/platform/data-input/reconnecting) to refresh the stored credentials.

    **Best for:** Portals where MFA is optional and your organization doesn't mandate it on utility accounts.
  </Step>

  <Step title="Can you use security questions?">
    Some utilities (like Con Edison and Orange & Rockland) support security questions as the MFA method. If your portal offers this option, set up security questions and provide the answers during the connection wizard. Security question answers can be shared across your organization — anyone on your team can reconnect using the same answers.

    **Best for:** Utilities in the Con Edison family. See [Con Edison guide](/platform/data-input/utilities/con-edison).
  </Step>

  <Step title="Can you set a Nectar email as the MFA destination? (Managed forwarding)">
    Nectar provides a unique email address for your connection. Set that address as the MFA code destination in the utility portal's account settings. When a code is sent, Nectar receives it directly and completes the login.

    **Best for:** Most MFA connections where security questions aren't available. This is the most reliable forwarding method.
  </Step>

  <Step title="Can you forward codes from your own inbox? (Customer-inbox forwarding)">
    Keep your existing MFA email on the utility portal and add an auto-forwarding rule in your inbox that sends MFA emails to Nectar's address.

    <Warning>
      **This strategy fails frequently on corporate email.** Microsoft 365 and Google Workspace
      often block external auto-forwarding through tenant-wide policies. If forwarding is silently
      disabled, the connection returns to **MFA Token Expired** without warning. If you're on a
      managed work email, prefer managed forwarding or uploading bills.
    </Warning>

    **Best for:** Personal email accounts where you can't change the portal's MFA destination.
  </Step>

  <Step title="Is the portal SMS-only? (Beta)">
    For utility portals that only support phone-based MFA, Nectar can provision a phone number that receives SMS codes. Contact [support@nectarclimate.com](mailto:support@nectarclimate.com) to request access to this beta feature.
  </Step>
</Steps>

## Options summary

| # | Option                        | What you do                                            | Best for                                             |
| - | ----------------------------- | ------------------------------------------------------ | ---------------------------------------------------- |
| 1 | **Upload documents**          | Email or upload PDF bills directly                     | Everyone — no portal changes needed                  |
| 2 | **Disable MFA**               | Turn off MFA in the utility portal's security settings | Portals where MFA is optional                        |
| 3 | **Security questions**        | Set up and share security question answers             | Con Edison, Orange & Rockland, and similar portals   |
| 4 | **Managed forwarding**        | Set a Nectar-provided email as your MFA destination    | Most MFA connections — recommended forwarding method |
| 5 | **Customer-inbox forwarding** | Auto-forward MFA emails from your inbox to Nectar      | Personal email accounts only                         |
| 6 | **SMS relay** *(beta)*        | Set a Nectar-provided phone number as MFA destination  | Portals that only support SMS codes                  |

## Utility-specific guides

Some utilities have unique MFA or security workflows. Use these guides for step-by-step instructions tailored to each provider:

### Utilities with special MFA handling

<CardGroup cols={2}>
  <Card title="PG&E" icon="bolt" href="/platform/data-input/utilities/pge">
    Add Nectar as authorized user — email forwarding not supported.
  </Card>

  <Card title="Con Edison" icon="bolt" href="/platform/data-input/utilities/con-edison">
    Security questions — shareable across your organization.
  </Card>

  <Card title="Orange and Rockland" icon="bolt" href="/platform/data-input/utilities/orange-and-rockland">
    Security questions (same platform as Con Edison).
  </Card>

  <Card title="Duke Energy" icon="bolt" href="/platform/data-input/utilities/duke-energy">
    Disable MFA or set up email OTP forwarding.
  </Card>

  <Card title="Potomac Edison" icon="bolt" href="/platform/data-input/utilities/potomac-edison">
    Disable two-step verification (optional on FirstEnergy).
  </Card>

  <Card title="Enbridge Gas" icon="flame" href="/platform/data-input/utilities/enbridge">
    Email forwarding or upload bills (authenticator mandatory since Dec 2022).
  </Card>
</CardGroup>

### Utilities with email MFA forwarding

<CardGroup cols={2}>
  <Card title="Washington Gas" icon="flame" href="/platform/data-input/utilities/washington-gas">
    MFA triggered on login from new locations.
  </Card>

  <Card title="Southwest Gas" icon="flame" href="/platform/data-input/utilities/southwest-gas">
    Standard email MFA forwarding.
  </Card>

  <Card title="San Diego Gas & Electric" icon="bolt" href="/platform/data-input/utilities/sdge">
    Email forwarding via My Energy Center portal.
  </Card>

  <Card title="EWEB" icon="droplet" href="/platform/data-input/utilities/eweb">
    Disable MFA or email forwarding.
  </Card>

  <Card title="HRSD" icon="droplet" href="/platform/data-input/utilities/hrsd">
    Disable MFA or email forwarding.
  </Card>

  <Card title="Elizabethtown Gas" icon="flame" href="/platform/data-input/utilities/elizabethtown-gas">
    Disable MFA or email forwarding.
  </Card>

  <Card title="City of Kitchener" icon="droplet" href="/platform/data-input/utilities/city-of-kitchener">
    Disable MFA or email forwarding.
  </Card>
</CardGroup>

### Utilities with no MFA configuration needed

These utilities use login flows that don't require user-side MFA setup:

<CardGroup cols={2}>
  <Card title="PECO" icon="bolt" href="/platform/data-input/utilities/peco">
    Standard credentials only (Exelon OAuth).
  </Card>

  <Card title="Pepco" icon="bolt" href="/platform/data-input/utilities/pepco">
    Standard credentials only (Exelon OAuth).
  </Card>

  <Card title="Baltimore Gas and Electric" icon="bolt" href="/platform/data-input/utilities/bge">
    Standard credentials only (Exelon OAuth).
  </Card>

  <Card title="Delmarva Power" icon="bolt" href="/platform/data-input/utilities/delmarva-power">
    Standard credentials only (Exelon OAuth).
  </Card>

  <Card title="Atlantic City Electric" icon="bolt" href="/platform/data-input/utilities/atlantic-city-electric">
    Standard credentials only (Exelon OAuth).
  </Card>

  <Card title="PSEG New Jersey" icon="bolt" href="/platform/data-input/utilities/pseg-nj">
    CAPTCHA handled automatically — no MFA needed.
  </Card>
</CardGroup>

Don't see your utility listed? The standard MFA forwarding setup (managed forwarding) works for most providers. If you run into trouble, contact [support@nectarclimate.com](mailto:support@nectarclimate.com).

## Setting up MFA forwarding

<Steps>
  <Step title="Start the connection or reconnect flow">
    The wizard detects that MFA is required and shows the MFA configuration step. If your utility has a specific recommended action, it will be displayed at the top of the step.
  </Step>

  <Step title="Choose your forwarding type">
    **Managed forwarding** (recommended): Nectar provides a dedicated email. You update the utility portal to send codes there. Nectar can also auto-forward the raw code to additional email addresses you specify, so you continue to see your codes.

    **Customer-inbox forwarding**: You keep your current MFA email and add a forwarding rule in your inbox that sends utility MFA emails to Nectar's address.
  </Step>

  <Step title="Configure on the utility portal">
    Follow the utility-specific guide (linked above) or the general instructions shown in the wizard to update your MFA settings.
  </Step>

  <Step title="Confirm the setup">
    Nectar triggers a test login. Once it receives the code successfully, the connection moves to **Connected**.
  </Step>
</Steps>

## Delegating MFA setup

If someone else owns the utility credentials — a client, building manager, or account owner — send them a **reconnect invitation** instead of running the flow yourself. The recipient gets a link to a hosted reconnect page where they can update the password or refresh MFA forwarding on their own.

See [Invitations](/platform/data-input/invitations) for details on creating and managing reconnect invitations.

## Preventing MFA disconnections

To reduce the chance of a connection breaking due to MFA:

* **Keep MFA forwarding current** — when codes stop reaching Nectar, the connection shows **MFA Token Expired** until you reconnect and refresh forwarding.
* **Check the Needs Attention tab** on the Connections page regularly to catch MFA issues early.
* **Prefer managed forwarding over inbox forwarding** — inbox forwarding rules can be silently disabled by corporate email policies.
* **Share security question answers** across your team — if one person leaves, others can still reconnect using the same answers.
* **Consider uploading bills** for utilities where MFA is consistently problematic.

## Troubleshooting

| Symptom                                                     | Likely cause                                                                    | Fix                                                                                                                |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| MFA Token Expired after working for weeks                   | Email forwarding rule disabled by IT policy                                     | Switch to managed forwarding (option 4) or upload bills                                                            |
| "MFA Required" shown but utility doesn't prompt you for MFA | MFA is triggered by new/unknown devices — Nectar logs in from a different IP    | Set up forwarding so Nectar can receive the code when it's triggered                                               |
| Forwarding confirmed but still MFA Token Expired            | Forwarding rule sends to wrong address, or code format not recognized           | Verify the forwarding address matches exactly what Nectar provided                                                 |
| Security question mismatch                                  | Answer stored in Nectar doesn't match what the portal expects                   | Reconnect and re-enter your security question answers                                                              |
| Codes arrive but connection still fails                     | The utility rotated its MFA sender address; forwarding filter no longer matches | Update your email filter to match the new sender, or switch to managed forwarding                                  |
| MFA works intermittently                                    | Rate limiting or anti-bot detection on the utility portal                       | Contact [support@nectarclimate.com](mailto:support@nectarclimate.com) — this may require engineering investigation |

<Tip>
  **Still stuck?** See [Troubleshooting data input](/platform/data-input/troubleshooting) for the
  full connection status reference and escalation guidance.
</Tip>

## Related pages

<CardGroup cols={3}>
  <Card title="Reconnecting" icon="rotate" href="/platform/data-input/reconnecting">
    How to update credentials and refresh MFA forwarding.
  </Card>

  <Card title="Connection wizard" icon="wand-magic-sparkles" href="/platform/data-input/connection-wizard">
    Full walkthrough of the connection setup flow.
  </Card>

  <Card title="Troubleshooting" icon="wrench" href="/platform/data-input/troubleshooting">
    All connection statuses, upload issues, and when to contact support.
  </Card>

  <Card title="Invitations" icon="paper-plane" href="/platform/data-input/invitations">
    Delegate reconnect and MFA setup to account owners.
  </Card>

  <Card title="Uploads" icon="file-arrow-up" href="/platform/data-input/uploads">
    Upload bills directly — the simplest alternative to MFA.
  </Card>

  <Card title="MFA integration (developers)" icon="code" href="/developer-guide/mfa-integration">
    API-level MFA handling, webhooks, and the recommendation ladder.
  </Card>
</CardGroup>
