What would you like to know more about?

Show Page Sections

Multi-Factor Authentication

Multi-factor Authentication (MFA) requires a User to receive a code through email or text to complete authentication. This is a great way to keep your sensitive data secure! We recommend you enable multi-factor authentication after you adequately prepare Users for the new process.

  • You can require multi-factor authentication for all Users or just certain Users. So even if you don't require multi-factor authentication for everyone, you can require it for specific Users (for example, staff). Which specific Users? Totally up to you!
  • Multi-factor authentication is device-specific. Enjoying the Platform on your desktop and your mobile device? You'll need to log in using multi-factor authentication on both devices.
  • Multi-factor authentication is universal across applications that use Simple Sign-on. Once you set up your device with multi-factor authentication, you can log in to the Platform, Widgets, and Life Apps without setting it up again.
  • You can set the length of time between multi-factor authentication logins. At deployment, this sets to 30 days, but you can pick a different number of days or require it with every login.
  • If a code expires or the User enters it incorrectly, they can request a new code and try again.

User Walkthrough

If you enable multi-factor authentication, they'll see a familiar multi-factor authentication flow:

  • The User logs in using their email, mobile phone, or username and password.
  • They'll then be asked whether to receive their authentication code through text or email.
    Note: The User's Contact record controls the code delivery methods available. No mobile phone number? No text message option.
  • Within fifteen seconds of clicking Send Verification Code, the User receives a six-digit code through their selected method.
    Note: The Platform sends messages and logs them in the Message Log.
  • On the login screen, they'll enter their code in the corresponding text box. This page also displays a ten-minute countdown clock for the User to enter their code.
  • When they select Enter, the User can also select Remember this device for [X] days. Configure the [X] value on the Domain/Accounts page.
  • If a code expires or the User enters it incorrectly, they can request a new code and try again.

Add a Default Outbound SMS Number

  • You must configure the default outbound SMS number.
You must configure a default outbound SMS numbers so you can send the MFA text message. The MFA verification text sends from your default Outbound SMS number.
  1. Go to Communications > Outbound SMS Numbers.
  2. If you have an existing Outbound SMS Number, edit the record. Otherwise, click New to add one.
  3. If needed, add a Number Title.
  4. If needed, add the SMS Number.
  5. Set Active to Yes.
  6. Set Default to Yes.
  7. Click Save.

Enable Multi-Factor Authentication

Note: Leave the MPAdmin's User record as MFA Required set to No to save yourself future headaches.
  1. Go to System Setup > Domains/Accounts.
  2. If not completed, add your SMS Server Username. This is your Twilio account SID and is required to provide verification codes through text.
  3. Set MFA Remember Days. This is the number of days MinistryPlatform remembers a device.
    Setting this value to "0" requires multi-factor authentication with every login.
  4. Confirm there is a MFA Verification Email Template. We've included a template at deployment.
  5. Confirm there is a MFA Verification Text Template. We've included a template at deployment.
  6. Click Save.

MFA Message Customization

  • You can customize the MFA Verification Email Template for your church. This template must include the [Code] token. Contact Page merge fields are supported, so personalize that message!
  • You can also customize the MFA Verification Text Template. This one must include the [Code] token.
  • You can even customize the messages and buttons! To make changes, go to System Setup > Application Labels and update the appropriate label(s). Note that you are responsible for all translations if the default is not used. Here are a few of the relevant Application Labels:
    • oauth.mfaDescription: The statement users see when they select to receive their code through email or text. The default is "How would you like to receive your two-step authentication code?".
    • oauth.mfaTryAgain: The message a user sees if they enter an expired code or enter their code incorrectly. The default is "Try Again".
    • oauth.ERR_MFA_TOKEN_ERROR: The message a user sees if they enter an expired code or enter their code incorrectly. The default is "Verification code is expired or invalid. Unable to proceed with 2-step authentication. Please try again.".

Configure MFA for All Users

  1. Complete the general configuration steps.
  2. In the navigation menu, click System Setup > Domains/Accounts.
  3. Set MFA Required to Yes.
  4. Click Save.

Configure MFA for Individuals

  1. Complete the general configuration steps.
  2. In the navigation menu, click Administration > Users.
  3. Open the record for the user you want to enable multi-factor authentication for.
    Tip: Use that assign button (carefully!) to turn on multi-factor authentication for a group of users, such as staff.
  4. Set MFA Required to Yes.
  5. Click Save.