
Multi-Factor Authentication

 

With Multi-factor Authentication (MFA) enabled, a User can receive a code via email or text to complete authentication. We think this is a great way to keep your very sensitive data secure! And we recommend enabling multi-factor authentication after adequately preparing Users for the new process.

Basics

  • You can configure multi-factor authentication to be required for all users or just certain users. So even if you don't require multi-factor authentication for everyone, you can require it for specific Users (for example, staff).
  • Multi-factor authentication is device-specific. Enjoying the next generation of the Platform on your desktop and your mobile device? You'll need to log in using multi-factor authentication on both devices.
  • Multi-factor authentication is universal across applications that use Simple Sign-On. So once your device is set up with multi-factor authentication, you can log in to the Platform, Widgets, and LifeApps without setting it up again.
  • You can set the length of time between multi-factor authentication logins. At deployment, this will be set to 30 days, but you can pick a different number of days or require it with every login. Note: The "Keep Me Logged In" period takes precedence over MFA "Remember Days", so if a user is still logged in using this method, MFA will not apply.
  • If a code is expired or entered incorrectly, the User is given the option to ‘Try Again’ and can request a new code.
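
The way these settings combine on a single device can be modelled as a small decision function. This is an added example, not the Platform's own code: the class, field, and function names are hypothetical, and the end of the "Keep Me Logged In" period is an input because its length isn't stated here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LoginContext:
    """Hypothetical model of the settings described above, for one User on one device."""
    mfa_required: bool                         # effective "MFA Required" for this User
    remember_days: int                         # "MFA Remember Days"; 0 = every login
    device_verified_at: Optional[datetime]     # last MFA on THIS device, None if never
    keep_logged_in_until: Optional[datetime]   # end of "Keep Me Logged In", None if unused


def mfa_decision(ctx: LoginContext, now: datetime) -> str:
    """Return whether MFA is prompted at `now`, with the rule that decided it."""
    if not ctx.mfa_required:
        return "skip: MFA not required"
    # "Keep Me Logged In" takes precedence: no fresh login, so MFA is never evaluated.
    if ctx.keep_logged_in_until is not None and now < ctx.keep_logged_in_until:
        return "skip: keep-me-logged-in session active"
    if ctx.remember_days == 0:
        return "prompt: required at every login"
    if ctx.device_verified_at is None:
        return "prompt: device not yet verified"
    if now - ctx.device_verified_at >= timedelta(days=ctx.remember_days):
        return "prompt: remember period elapsed"
    return "skip: device remembered"


def next_prompt_at(ctx: LoginContext, now: datetime) -> Optional[datetime]:
    """Earliest time at which activity on this device leads to an MFA prompt."""
    if not ctx.mfa_required:
        return None
    candidates = [now]
    if ctx.remember_days > 0 and ctx.device_verified_at is not None:
        candidates.append(ctx.device_verified_at + timedelta(days=ctx.remember_days))
    if ctx.keep_logged_in_until is not None:
        candidates.append(ctx.keep_logged_in_until)
    return max(candidates)


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 9, 0)  # constructed sample values
    strict = LoginContext(True, 0, now, now + timedelta(days=14))
    print(mfa_decision(strict, now))    # Remember Days = 0, but session still open
    print(next_prompt_at(strict, now))  # prompt only once the session ends
```

The effective gap between prompts on a device is the longer of the two periods, so review the "Keep Me Logged In" period whenever you lower MFA Remember Days.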

User Walkthrough

If you've enabled multi-factor authentication for all or some Users, they'll be presented with a familiar multi-factor authentication flow:

  • User logs in using their email, mobile phone, or username and password.
  • They'll then be asked whether they'd like to receive their authentication code via text or email. Note: The code delivery methods available are controlled by the User's Contact record. No mobile phone number? No text message option.
  • Within fifteen seconds of clicking "Send Verification Code," the User will be sent a six-digit code via their selected method. Note: Messages are sent via the Platform and logged in the Message Log.
  • On the login screen, they'll see a text box to enter their code. This page also displays a 10-minute countdown clock for the User to enter their code.
  • When selecting "Enter", the User can also select "Remember this device for [X] days." The "[X]" is determined by the value configured on the Domain/Accounts page.
  • If a code is expired or entered incorrectly, the User is given the option to ‘Try Again’ and can request a new code.

Configuration

    General Configuration

    Required: Configure Default Outbound SMS Number

    If you don't have a default outbound SMS number configured, you'll need to set that up so the MFA text message can be sent. The MFA verification text will be sent from your default Outbound SMS number.

    1. Communications > Outbound SMS Numbers.
    2. If you have an existing Outbound SMS Number > Edit.
    3. Set Default to Yes.
    4. Save OR New.
    5. Add Number Title.
    6. Add SMS Number.
    7. Set Active to Yes.
    8. Set Default to Yes.
    9. Save.

    Required: Turn on MFA

    1. System Setup > Domains/Accounts.
    2. If not completed, add your SMS Server Username. This is your Twilio account SID and is required to provide verification codes via text.
    3. Set MFA Remember Days. This is the number of days a device will be remembered. Note: Setting this value to "0" will require multi-factor authentication with every login. Also, the "Keep Me Logged In" period takes precedence over MFA "Remember Days".
    4. Confirm there is an MFA Verification Email Template. We've included a template at deployment.
    5. Confirm there is an MFA Verification Text Template. We've included a template at deployment.
    6. Save.
    Note: Leave MFA Required set to No on the MP User records (e.g. MPAdmin, MPSupport, HGTSupport, etc.) to save yourself future headaches! Remember, you should not edit these MP Users.

    Optional

    • Customize the MFA Verification Email Template to fit YOUR church. This template must include the [Code] token. Contact Page merge fields are supported, so personalize that message!
    • Customize the MFA Verification Text Template to fit YOUR church. This template must include the [Code] token.
    • Customize the messages and buttons to fit YOUR church! You can change the text that appears by navigating to System Setup > Application Labels (note that churches are responsible for all translations if the default is not used). Here are just a few of the relevant Application Labels: 
      • oauth.mfaDescription - The statement Users see when selecting to receive their code via email or text. Default is "How would you like to receive your 2-step authentication code?".
      • oauth.mfaTryAgain - The message a User sees if they enter an expired code or enter their code incorrectly. Default is "Try Again".
      • oauth.ERR_MFA_TOKEN_ERROR - Message a User sees if they enter their code incorrectly or the code has expired. Default is "Verification code is expired or invalid. Unable to proceed with 2-step authentication. Please try again.".

    Multi-Factor Authentication for All Users Configuration

    1. Complete the general configuration steps above.
    2. System Setup > Domains/Accounts.
    3. Set MFA Required = Yes.
    4. Save.

    Multi-Factor Authentication for Individual Users Configuration

    1. Complete the general configuration steps above.
    2. Administration > Users.
    3. Open the record for the User you're enabling multi-factor authentication for. Pro Tip: Use that Assign button (carefully!) to turn on multi-factor authentication for a group of Users (for example, staff).
    4. Set MFA Required = Yes.
    5. Save.