What is multi-factor authentication?
Multi-Factor Authentication is a more secure login authentication process in which a user is granted access only after successfully presenting two or more pieces of evidence or factors. The use of multiple authentication factors to prove identity is based on the premise that an unauthorised person is unlikely to be able to supply all the factors required. If at least one of the factors is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the system remains blocked.
Multi-Factor Authentication confirms a user's claimed identity (their username) using two further factors: something they know, e.g. a user-controlled password, and something they have, e.g. a one-time passcode generated on a device, such as a smartphone, that only the user possesses.
ChurchSuite users can optionally enable Multi-Factor Authentication to increase login security. Once enabled, those accessing ChurchSuite within a browser or app environment will, in addition to their username and user-controlled password, be required to enter a Multi-Factor Authentication code generated on their device as a second authentication step.
There are many excellent one-time passcode generator apps available for mobile devices. Once a user's app has been "paired" with a ChurchSuite user account, the app will generate one-time passcodes. One-time passcodes are only valid for a short time - typically 30 seconds - and then the code expires and a new code is generated. Only the "paired" device can supply the latest, timely passcode required during the login process.
There are also many desktop applications available that manage passwords and multi-factor authentication, like 1Password, or browser extensions, like Authenticator for Google Chrome. Most of these applications have a built-in QR reader, so a smartphone is not necessary.
Note that physical authentication devices, like YubiKey, aren't supported.
Enabling Multi-Factor Authentication on your user profile
Users and Administrators enable Multi-Factor Authentication on their own user account. An Administrator cannot enable Multi-Factor Authentication for another User, although they can disable Multi-Factor Authentication for other Users. The workflow for each User or Administrator is as follows:
From the User menu (in the top-right corner of ChurchSuite) select your user account from the drop-down (located just above the Log out option). When viewing your user account click Enable Multi-Factor Authentication.
The Enable Multi-Factor Authentication pop-up opens showing a QR Code. Follow the instructions for your preferred Multi-Factor Authentication app to scan the QR code - this will generate the first one-time passcode. Note that the app may require permission to access your device's camera - you will not be able to scan the QR code unless you "allow" the app to access your device's camera. Enter the 6-Digit Code generated by the app into the box shown above and click Save to complete the process of pairing your user account with your authentication app.
Your user profile now shows that Multi-Factor Authentication has been enabled by showing a Disable Multi-Factor Authentication option. You, or another Administrator user on your behalf, can return here at any time to Disable Multi-Factor Authentication if you need to.
In future, when logging into ChurchSuite through a web browser or app, and after entering your username and password, you'll have an additional login step to Enter your multi-factor authentication code. Even if your username and password were compromised, your user account remains secure because the authentication code can only be obtained from a device in your possession.