Multi-Factor Authentication

Multi-factor Authentication (MFA) requires a user to receive a code through email or text to complete authentication. This is a great way to keep your sensitive data secure! We recommend you enable multi-factor authentication after you adequately prepare users for the new process.

  • You can require multi-factor authentication for all users or only for certain users. Which specific users? That's up to you! For example, you may decide that staff users should be required to use MFA.
  • Multi-factor authentication is device-specific. So, if a user is enjoying the Platform on their desktop and mobile device, they'll need to complete multi-factor authentication on both devices.
  • Multi-factor authentication is universal across applications that use Simple Sign-on. Once a user sets up their device with multi-factor authentication, they can log in to the Platform, Widgets, and Life Apps without setting it up again.
  • You can set the length of time between multi-factor authentication logins. At deployment, the default is 30 days, but you can pick a different number of days or require it with every login.
  • If a code expires or the user enters it incorrectly, they can request a new code and try again.

MFA and the Keep Me Logged In Option

Users are only prompted to complete multi-factor authentication when they log in. If they select to stay logged in on their device, they will not be asked to log in again for 90 days (by default). Therefore, they will not be prompted for MFA verification on that device for as long as their session remains active.

For example, let's say our instance has MFA enabled and the default values for our tokens.
  • If the user selects Keep me logged in when they enter their email and password, they will be asked to enter their MFA code for verification. They will not be prompted to log in again for 90 days unless they log out or clear their browser cookies. Since users are only required to complete MFA when logging in, they will not be asked for MFA verification for as long as their session remains active.
  • If the user does not select to stay logged in when they enter their email and password, they will still be asked to enter their MFA code for verification. The next day when they want to work in the Platform, they will be required to log in again. However, they will not be asked to complete the MFA step because it's only required every 30 days.

User Walkthrough

If you enable MFA, users will see a familiar multi-factor authentication flow:

  • The user logs in using their email, mobile phone, or username and password.
  • They'll be asked whether to receive their authentication code through text or email.
    Note: The user's Contact record controls the code delivery methods that are available. If they don't have a mobile phone number, they will not see the text message option.
  • Within 15 seconds of clicking Send Verification Code, the user receives a six-digit code through their selected method.
    Note: The Platform sends messages and logs them in the Message Log.
  • On the login screen, they'll enter their code in the corresponding text box. This page also displays a ten-minute countdown clock for the user to enter their code.
  • When they authenticate, the user can also select Keep me logged in on this device. Configure the number of days to keep users logged in on the Domains/Accounts page.
  • If the code expires or the user enters it incorrectly, they can request a new code and try again.
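The walkthrough above modeled as code, an added example that is not MinistryPlatform's own implementation: delivery methods come from the Contact record, the code is six digits and expires after the ten-minute countdown, and a wrong or expired code yields the Try Again outcome so the user can request a fresh one. The `contact` dict keys and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

CODE_DIGITS = 6                    # six-digit verification code
CODE_TTL = timedelta(minutes=10)   # the ten-minute countdown on the login screen


@dataclass
class Challenge:
    code: str
    method: str          # "email" or "text"
    expires_at: datetime


def available_methods(contact: dict) -> list:
    """Delivery options come from the Contact record: no mobile number, no text option.
    (Keys "email" and "mobile_phone" are assumed names, not Platform field names.)"""
    methods = ["email"] if contact.get("email") else []
    if contact.get("mobile_phone"):
        methods.append("text")
    return methods


def issue_challenge(contact: dict, method: str, now: datetime) -> Challenge:
    """Generate a fresh code (Send Verification Code, or a user requesting a new code)."""
    if method not in available_methods(contact):
        raise ValueError(f"{method!r} delivery is not available for this contact")
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    return Challenge(code=code, method=method, expires_at=now + CODE_TTL)


def verify(challenge: Challenge, submitted: str, now: datetime) -> str:
    """Return "ok" or "try_again"; expired and mismatched codes are reported identically."""
    if now >= challenge.expires_at:
        return "try_again"
    # constant-time comparison so a wrong guess leaks nothing about the real code
    if not hmac.compare_digest(challenge.code.encode(), submitted.encode()):
        return "try_again"
    return "ok"
```

Requesting a new code is simply a second call to `issue_challenge`; the previous `Challenge` is discarded so only the latest code is accepted.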

Add a Default Outbound SMS Number

You must configure a default Outbound SMS Number so the Platform can send the MFA text message. The MFA verification text is sent from your default Outbound SMS Number.
  1. Go to Communications > Outbound SMS Numbers.
  2. If you have an existing Outbound SMS Number, edit the record. Otherwise, click New to add one.
  3. If needed, add a Number Title.
  4. If needed, add the SMS Number.
  5. Set Active to Yes.
  6. Set Default to Yes.
  7. Click Save.

Enable Multi-Factor Authentication

Note: Leave MFA Required set to No on the MPAdmin User record to save yourself future headaches.
  1. Go to System Setup > Domains/Accounts.
  2. If not completed, add your SMS Server Username. This is your Twilio account SID and is required to provide verification codes through text.
  3. Set MFA Remember Days. This is the number of days MinistryPlatform remembers a device. This controls whether a user has to perform the second step of entering a code if they are required to authenticate.
    Setting this value to "0" requires multi-factor authentication with every login.
    Note: This value is only related to multi-factor authentication. It does not control when the user's Platform session expires. That's determined by the Keep Me Logged In option when the user authenticates (default is 90 days) or the browser cookie (default is 4 hours of inactivity).
  4. Confirm there is an MFA Verification Email Template. We've included a template at deployment.
  5. Confirm there is a MFA Verification Text Template. We've included a template at deployment.
  6. Click Save.
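An added example (not Platform code) that models the remember-device rule behind MFA Remember Days together with the Keep Me Logged In scenarios earlier on this page, using the defaults the page quotes (30 remember days, a 90-day Keep me logged in session, a 4-hour inactivity cookie); the function names and parameters are assumptions.

```python
from datetime import datetime, timedelta

# Defaults quoted on this page; adjust to your instance's settings.
MFA_REMEMBER_DAYS = 30                   # Domains/Accounts > MFA Remember Days (0 = every login)
KEEP_ME_LOGGED_IN_DAYS = 90              # session length when Keep me logged in is selected
COOKIE_INACTIVITY = timedelta(hours=4)   # session length otherwise (browser cookie)


def session_active(now, login_at, last_activity_at, keep_me_logged_in, logged_out=False):
    """Is the user still logged in on this device, so they see no login screen at all?"""
    if login_at is None or logged_out:
        return False
    if keep_me_logged_in:
        return now < login_at + timedelta(days=KEEP_ME_LOGGED_IN_DAYS)
    return now < last_activity_at + COOKIE_INACTIVITY


def mfa_required(now, device_last_mfa_at, remember_days=MFA_REMEMBER_DAYS, mfa_enabled=True):
    """Is the second step needed at this login? mfa_enabled mirrors MFA Required (domain or user)."""
    if not mfa_enabled:
        return False
    if remember_days == 0 or device_last_mfa_at is None:
        return True   # every login, or a device the Platform has never remembered
    return now >= device_last_mfa_at + timedelta(days=remember_days)


def login_steps(now, device_last_mfa_at, login_at, last_activity_at, keep_me_logged_in,
                remember_days=MFA_REMEMBER_DAYS, mfa_enabled=True, logged_out=False):
    """Prompts on this visit: [] (still logged in), ["password"], or ["password", "mfa"].
    MFA is only ever consulted when the user actually reaches the login screen."""
    if session_active(now, login_at, last_activity_at, keep_me_logged_in, logged_out):
        return []
    steps = ["password"]
    if mfa_required(now, device_last_mfa_at, remember_days, mfa_enabled):
        steps.append("mfa")
    return steps
```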

MFA Message Customization

  • You can customize the MFA Verification Email Template for your church. This template must include the [Code] token. Contact Page merge fields are supported, so personalize that message!
  • You can also customize the MFA Verification Text Template. This one must include the [Code] token.
  • You can even customize the messages and buttons! To make changes, go to System Setup > Application Labels and update the appropriate label(s). Note that you are responsible for all translations if the default is not used. Here are a few of the relevant Application Labels:
    • oauth.mfaDescription: The statement users see when they select to receive their code through email or text. The default is "How would you like to receive your two-step authentication code?".
    • oauth.mfaTryAgain: The message a user sees if they enter an expired code or enter their code incorrectly. The default is "Try Again".
    • oauth.ERR_MFA_TOKEN_ERROR: The message a user sees if they enter an expired code or enter their code incorrectly. The default is "Verification code is expired or invalid. Unable to proceed with 2-step authentication. Please try again.".

Configure MFA for All Users

  1. Complete the general configuration steps.
  2. In the navigation menu, click System Setup > Domains/Accounts.
  3. Set MFA Required to Yes.
  4. Click Save.

Configure MFA for Individuals

  1. Complete the general configuration steps.
  2. In the navigation menu, click Administration > Users.
  3. Open the record for the user you want to enable multi-factor authentication for.
    Tip: Use the Assign button (carefully!) to turn on multi-factor authentication for a group of users, such as staff.
  4. Set MFA Required to Yes.
  5. Click Save.