Multi-Factor Authentication

Multi-factor Authentication (MFA) requires a User to enter a code, received through email or text, to complete authentication. We think this is a great way to keep your very sensitive data secure! And we recommend enabling multi-factor authentication after adequately preparing Users for the new process.

  • You can configure multi-factor authentication to be required for all users or just certain users. So even if you don't require multi-factor authentication for everyone, you can require it for specific Users (for example, staff). Which specific Users? Totally up to you!
  • Multi-factor authentication is device-specific. Enjoying the Platform on your desktop and your mobile device? You'll need to log in using multi-factor authentication on both devices.
  • Multi-factor authentication is universal across applications that use Simple Sign-On. So once your device is set up with multi-factor authentication, you can log in to the Platform, Widgets, and Life Apps without setting it up again.
  • You can set the length of time between multi-factor authentication logins. At deployment, this will be set to 30 days, but you can pick a different number of days or require it with every login.
  • If a code is expired or entered incorrectly, the user is given the option to try again and can request a new code.

User Walkthrough

If you've enabled multi-factor authentication for all or some users, they'll be presented with a familiar multi-factor authentication flow:

  • User logs in using their email, mobile phone, or username and password.
  • They'll then be asked whether they'd like to receive their authentication code through text or email.
    Note: The code delivery methods available are controlled by the User's Contact record. No mobile phone number? No text message option.
  • Within fifteen seconds of clicking Send Verification Code, the User will be sent a six-digit code through their selected method.
    Note: Messages are sent through the Platform and logged in the Message Log.
  • On the login screen, they'll see a text box to enter their code. This page also displays a ten-minute countdown clock for the user to enter their code.
  • When selecting Enter, the User can also select Remember this device for [X] days. The [X] is determined by the value configured on the Domain/Accounts page.
  • If a code is expired or entered incorrectly, the User is given the option to try again and can request a new code.
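
The rules above (who is challenged, per-device remembering, the six-digit code and its ten-minute window) can be modelled in a few lines. This is an added example, not the Platform's own code: every name in it is hypothetical, and it assumes the domain-level and User-level MFA Required settings combine as "either one" and that the remember window runs from the device's last successful verification.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=10)  # the ten-minute countdown in the walkthrough


@dataclass
class Account:  # hypothetical stand-in for a User record
    user_mfa_required: bool
    # device id -> time that device last passed MFA (MFA is device-specific)
    remembered: dict = field(default_factory=dict)


def needs_challenge(domain_mfa_required, remember_days, account, device_id, now):
    """Return True when this login must go through the code step."""
    if not (domain_mfa_required or account.user_mfa_required):
        return False
    if remember_days == 0:  # "0" requires MFA with every login
        return True
    last = account.remembered.get(device_id)
    return last is None or now - last >= timedelta(days=remember_days)


def issue_code(now):
    """Six-digit code drawn from a CSPRNG, plus its expiry time."""
    return f"{secrets.randbelow(10**6):06d}", now + CODE_TTL


def verify(account, device_id, submitted, issued, expires, remember, now):
    """Accept only an unexpired, exactly matching code; optionally remember the device."""
    ok = now < expires and hmac.compare_digest(submitted.encode(), issued.encode())
    if ok and remember:
        account.remembered[device_id] = now
    return ok


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 9, 0)  # constructed sample time
    staff = Account(user_mfa_required=True)
    code, expires = issue_code(start)
    print(verify(staff, "desktop", code, code, expires, True, start))
    # Same account, different device: still challenged.
    print(needs_challenge(False, 30, staff, "mobile", start))
```
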

Configuration

  • You must configure the default outbound SMS number.
    If you don't have a default outbound SMS number configured, you'll need to set that up so the MFA text message can be sent. The MFA verification text will be sent from your default Outbound SMS number.
  1. Go to Communications > Outbound SMS Numbers.
  2. If you have an existing Outbound SMS Number, edit the record. Otherwise, click New to add one.
  3. If needed, add a Number Title.
  4. If needed, add the SMS Number.
  5. Set Active to Yes.
  6. Set Default to Yes.
  7. Click Save.

Enable Multi-Factor Authentication

Note: Leave MFA Required set to No on the MPAdmin's User record to save yourself future headaches.
  1. Go to System Setup > Domains/Accounts.
  2. If not completed, add your SMS Server Username. This is your Twilio account SID and is required to provide verification codes through text.
  3. Set MFA Remember Days. This is the number of days a device is remembered.
    Setting this value to "0" will require multi-factor authentication with every login.
  4. Confirm there is an MFA Verification Email Template. We've included a template at deployment.
  5. Confirm there is an MFA Verification Text Template. We've included a template at deployment.
  6. Click Save.

Optional

  • You can customize the MFA Verification Email Template for your church. This template must include the [Code] token. Contact Page merge fields are supported, so personalize that message!
  • You can also customize the MFA Verification Text Template. This one must include the [Code] token.
  • You can even customize the messages and buttons! To make changes, go to System Setup > Application Labels and update the appropriate label(s). Note that you are responsible for all translations if the default is not used. Here are a few of the relevant Application Labels:
    • oauth.mfaDescription: The statement users see when selecting to receive their code through email or text. The default is "How would you like to receive your two-step authentication code?"
    • oauth.mfaTryAgain: The message a user sees if they enter an expired code or enter their code incorrectly. The default is "Try Again."
    • oauth.ERR_MFA_TOKEN_ERROR: Message a user sees if they enter their code incorrectly or the code has expired. The default is "Verification code is expired or invalid. Unable to proceed with 2-step authentication. Please try again."

MFA for All Users Configuration

  1. Complete the general configuration steps.
  2. Go to System Setup > Domains/Accounts.
  3. Set MFA Required to Yes.
  4. Click Save.

MFA for Individual Users Configuration

  1. Complete the general configuration steps.
  2. Go to Administration > Users.
  3. Open the record for the user you're enabling multi-factor authentication for.
    Tip: Use that assign button (carefully!) to turn on multi-factor authentication for a group of users (for example, staff).
  4. Set MFA Required to Yes.
  5. Click Save.