In late Q1 2026, Marriott rolled out a substantial authentication overhaul on Marriott Global Source (MGS), the company's internal portal for associates and managers. The update targeted unauthorized use of insider rate codes — specifically MMP, MMA, and MMF — that had been issued by compromised or fraudulent employee accounts.

The change didn't make headlines outside the loyalty community, but it materially reshaped the third-party "Marriott deal" ecosystem.

What actually changed

Three things, broadly:

  • Multi-factor authentication is now mandatory for all MGS logins. Associates need a registered device to issue any F&F authorization.
  • Authorization patterns are now monitored. If an associate suddenly issues 30 authorizations in a week (when their typical pattern is 2–3), the system flags the account for review.
  • Authorizations from outside the associate's usual geography — say, an MGS login from a country the associate has never logged in from — now trigger additional verification.

None of these are revolutionary security measures. They're standard for enterprise systems. The interesting part is that Marriott had been operating without them on a system that was issuing real, discount-bearing rate codes.

Why it matters

Prior to the update, a number of grey-market resellers had been issuing F&F authorizations through compromised employee credentials — accounts whose passwords had been bought, sold, or shared in private forums. The new authentication makes that almost impossible: even with the password, you'd need the registered device.

The result is that the legitimate-vs-illegitimate divide in the Marriott F&F space sharpened significantly. Services that worked with actual, active, in-good-standing employees kept operating without much friction. Services that didn't — went dark or pivoted to other chains.

What it means for guests

If you're booking a Marriott F&F stay in 2026, three practical changes:

  1. Quote turnaround is sometimes slower. Authorizations now go through more verification steps, so a quote that took 5 minutes in 2024 might take 15–30 minutes today.
  2. Last-minute bookings are harder. If your check-in is within 48 hours, the authorization might still go through, but expect longer lead times than pre-2026.
  3. Some properties are tighter than others. Resort and luxury properties (Ritz-Carlton, St. Regis, EDITION) tightened their internal allocation review most. Select-service brands (Courtyard, Fairfield) saw less change.

For the actual stay experience, nothing changed. The reservation still comes from Marriott directly, in your name, with full Bonvoy earning. You check in normally.

The bottom line

The MGS update is good for the legitimate part of this market. It removed a layer of grey-market noise that had been undercutting both Marriott's program rules and the reliability of bookings for end guests. The services still operating in 2026 are, by necessity, the ones working within program rules — which makes the rate codes more reliable, not less.

If you've been hesitant to book a Marriott F&F rate through a third party post-update, the rule of thumb is straightforward: ask whether the service issues confirmation emails directly from Marriott (not from the service itself). If yes, your reservation is real. If no, it's not.

See how Hotel Insider books MMP, MMA, and MMF rates →