Multi-factor authentication

What is multi-factor authentication?

Multi-Factor Authentication (MFA) is a more secure login authentication process in which a user is granted access only after successfully presenting two or more pieces of evidence, or factors. The use of multiple authentication factors to prove identity is based on the premise that an unauthorised person is unlikely to be able to supply all the factors required. If at least one of the factors is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the system remains blocked.

MFA confirms a user's claimed identity (their username) using two further factors - something they know e.g. a user-controller password and something they have e.g. a one-time passcode generated on a device, such as a smart phone, that only the user possesses.

ChurchSuite users can optionally enable MFA to increase login security. When accessing ChurchSuite within a browser environment; in addition to their username and user-controlled password, they will be required to enter a MFA code generated on their device as a second authentication step.

There are many excellent one-time passcode generator apps available for mobile devices. Once a user's app has been "paired" with a ChurchSuite user account, the app will generate one time passcodes. One time passcodes are only valid for a short period of time - typically 30 seconds - and then the code expires and a new code is generated. Only the "paired" device can supply the latest, timely passcode required during the login process.

There are also many desktop applications available that manage passwords and multi-factor authentication, like 1Password, or browser extensions, like Authenticator for Google Chrome. Most of these applications have a built-in QR reader, so a smart phone is not necessary.

Note that physical authentication devices, like Yubikey, aren't supported by ChurchSuite.

ChurchSuite Apps & MFA

MFA is not used when accessing ChurchSuite via the iOS and Android ChurchSuite apps. However, in addition to using your device's inbuilt security (such as a device PIN or Touch ID), ChurchSuite is further secured by a PIN or Touch ID.

Enabling 2-Step Verification on your user profile

Users and Administrators enabled MFA on their own user account - an Administrator cannot enable MFA for another User, although they can disable MFA for other Users. The workflow for each User or Administrator is as follows: -

From the User menu (in the top-right corner of ChurchSuite), select your user account from the drop-down list (located just above the Log out option). When viewing you user account click the Enable Multi-Factor Authentication button...

The Enable Multi-Factor Authentication pop-up opens and displays a QR Code...

Follow the instructions for your preferred "Multi-Factor Authentication" app to scan the QR code - this will generate the first one time passcode. Note that the app may require permission to access your device's camera - you will not be able to scan the QR code unless you "allow" the app to access your device's camera.

Enter the 6-Digit Code generated by the app into the box shown above and click Save to complete the process of pairing your user account with your authentication app. A 'success' message is briefly displayed and your user profile now shows that MFA has been enabled by surfacing the option to Disable Multi-Factor Authentication. You can return here at any time to Disable Multi-Factor Authentication if you need to.

In future, when logging into ChurchSuite through a web browser, and after entering/selecting your username and password, you'll have an additional login step to Enter your multi-factor authentication code. Even if your username and password were compromised, your user account would remain secure because the authentication code can only be obtained from a device in your possession.

Still need help? Contact ChurchSuite Contact ChurchSuite