Multi-factor authentication, linked MCC accounts and refresh tokens


HK

Sep 26, 2018, 1:41:02 PM
to AdWords API and Google Ads API Forum
Hello,

We are managing our customers' AdWords accounts and (most of) those accounts are linked to our MCC. The OAuth refresh token for our MCC account was generated ~4 years ago and the MCC is currently using the "Standard" authentication method. All is well and working fine.

Based on the "Multi-factor authentication" changes announced in https://ads-developers.googleblog.com/2018/08/multi-factor-authentication-policy-for.html, I'm wondering: if one of our linked customer accounts enables "2-Step Verification", would it be sufficient for us to also enable "2-Step Verification" for the MCC, or would we have to generate another refresh token in order to make the API calls succeed again? (We are currently using v201802.)

(We haven't tried the above scenario yet, but on a related note, it seems that the API error for these scenarios is "AuthorizationError.USER_PERMISSION_DENIED" in v201802, while v201806 will spit back an "AuthorizationError.TWO_STEP_VERIFICATION_NOT_ENROLLED" for the CustomerService class.)


Thanks!
Hans

Milind Sankeshware (AdWords API Team)

Sep 26, 2018, 4:50:48 PM
to AdWords API and Google Ads API Forum
Hi Hans,

If the client account enables "2-Step Verification", then the Google account of the user who is accessing this account should also be set up for 2-Step Verification. In this case, the user on the MCC account who is accessing the client account should have the specific Google account set up for 2-Step Verification. It is not required to generate a new refresh token. The error TWO_STEP_VERIFICATION_NOT_ENROLLED is expected from V201806 onward; if you are using a lower version, you might see a USER_PERMISSION_DENIED error.

Let me know if you have any additional questions.

Thanks,
Milind, AdWords API Team

HK

Sep 26, 2018, 4:57:30 PM
to AdWords API and Google Ads API Forum
Thanks, Milind. That was the answer I was hoping for. Makes it easier for us to go to 2-Step without invalidating existing accounts.

Hans 