Multi-factor authentication
What is multi-factor authentication?
Multi-factor authentication offers a more secure login process in which a user is only granted access after successfully giving two or more pieces of evidence or factors. The use of multiple authentication factors to prove identity is based on the premise that an unauthorised person is unlikely to be able to supply all the factors required. If at least one of the factors is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the system remains blocked.
Multi-factor authentication confirms a user's claimed identity (their username) using two further factors - something they know (a user-controlled password) and something they have (a one-time passcode generated on a device, such as a smartphone, that only the user possesses).
ChurchSuite users can self-enable multi-factor authentication to increase their login security, or an Administrator can enforce multi-factor authentication for all users. Once enabled, those accessing ChurchSuite within a browser or app environment, in addition to their username and user-controlled password, will be challenged to Enter a multi-factor authentication code generated from their authentication app as the second authentication step.
There are many excellent one-time passcode generator apps available for mobile users. Once a user's app has been "paired" with a ChurchSuite user account, the app will generate one-time passcodes. Each one-time passcode is only valid for a short time (30 seconds); it then expires and a new code is generated. Only the "paired" device can supply the latest, timely passcode required during the login process.
There are also authenticator applications for desktop users that manage passwords and multi-factor authentication, like 1Password, and browser extensions like Authenticator for Google Chrome. Most of these applications have a built-in QR reader, so a smartphone is not necessary. Note that physical authentication devices, like Yubikey, are not supported.
Enabling multi-factor authentication on your user account
Users and Administrators self-enable Multi-Factor Authentication for their own user account; any Administrator can also disable Multi-Factor Authentication for another User. The workflow for a User or an Administrator is as follows:
From your User menu, select My profile.
Choose Enable Multi-Factor Authentication.
The Enable Multi-Factor Authentication pop-up opens showing a QR Code. Follow the instructions for your preferred Multi-Factor Authentication app to scan the QR code - this will generate the first one-time passcode. Note that the app may require permission to access your device camera - you will not be able to scan the QR code unless you "allow" the app to access your device camera. Enter the 6-digit code generated by the app into the box shown and click Save to complete the process of pairing your user account with your authentication app.
Your user account now shows a Disable Multi-Factor Authentication option, indicating that multi-factor authentication has been enabled. You, or an Administrator user on your behalf, can return to your User account View to Disable Multi-Factor Authentication. Note that disabling multi-factor authentication requires entry of the logged-in user's or administrator's password. Additionally, if enforced multi-factor authentication is enabled (see below), the user will be required to set up multi-factor authentication again when they next log in - multi-factor authentication cannot be permanently disabled while enforced authentication is enabled for all users.
With multi-factor authentication enabled, when logging into ChurchSuite through a web browser or app, and after entering your username and password, you'll be presented with an additional login step to Enter your multi-factor authentication code. Even if your username and password were compromised, your user account remains secure because the authentication code can only be obtained from a device in your possession.
Enforcing multi-factor authentication for all users
Before enabling enforced multi-factor authentication, you may wish to alert existing users so that the additional security measure is understood and expected, and so they can have a suitable authenticator app installed for their device. Once enforced, users and administrators cannot log in until they have completed the set-up of multi-factor authentication.
In the Account Settings, click on the Account Profile, Edit the Security setting and set "Enforce MFA for all users" to Enabled. Click to Save the security changes.
Now, as each user logs in with their username and password, those not already using multi-factor authentication will be presented with instructions to scan a QR code using their preferred Multi-Factor Authentication app. A first-time-use 6-digit code will be generated and needs to be entered to complete the process and log in. When the user next logs in via a browser or the app, they'll be asked for their password and the latest 6-digit code generated by their authentication app.
Should an Administrator need to disable multi-factor authentication for a user - perhaps because they have lost or replaced their authenticator app device - the user will be required to set up multi-factor authentication again with a new device when they next log in.
Finally, in this section, when viewing the Users list, Administrators will see an icon indicating if multi-factor authentication is enabled for that user and an Advanced Search option is provided to view lists of users with authentication enabled or disabled.