Multi-factor authentication
What is multi-factor authentication?
Multi-factor authentication offers a more secure login process in which a user is only granted access after successfully giving two or more pieces of evidence or factors. The use of multiple authentication factors to prove identity is based on the premise that an unauthorised person is unlikely to be able to supply all the factors required. If at least one of the factors is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the system remains blocked.
Multi-factor authentication confirms a user's claimed identity (their username) using two further factors - something they know i.e. a user-controller password and something they have i.e. a one-time passcode generated on a device, such as a smartphone, that only the user possesses.
ChurchSuite users can enable Multi-Factor Authentication to increase login security. Once enabled, those accessing ChurchSuite within a browser or app environment, in addition to their username and user-controlled password, will be required to enter a Multi-Factor Authentication code generated on their device as the second authentication step.
There are many excellent one-time passcode generator apps available for mobile devices. Once a user's app has been "paired" with a ChurchSuite user account, the app will generate one-time passcodes. One-time passcodes are only valid for a short time - typically 30 seconds - and then the code expires and a new code is generated. Only the "paired" device can supply the latest, timely passcode required during the login process.
There are also many desktop applications available that manage passwords and multi-factor authentication, like 1Password, or browser extensions, like Authenticator for Google Chrome. Most of these applications have a built-in QR reader, so a smartphone is not necessary. Note that physical authentication devices, like Yubikey, are not supported.
Enabling Multi-Factor Authentication on your user profile
Users and Administrators self-enable Multi-Factor Authentication for their user account, although any Administrator can disable Multi-Factor Authentication for another User. The workflow for either a User or an Administrator is as follows: -
From the user menu (in the top-right corner of ChurchSuite) select your user account from the drop-down (located just above the Log out option).
When viewing your user account click Enable Multi-Factor Authentication.
The Enable Multi-Factor Authentication pop-up opens showing a QR Code. Follow the instructions for your preferred Multi-Factor Authentication app to scan the QR code - this will generate the first one-time passcode. Note that the app may require permission to access your device's camera - you will not be able to scan the QR code unless you "allow" the app to access your device's camera. Enter the 6-digit code generated by the app into the box shown above and click Save to complete the process of pairing your user account with your authentication app.
Your user profile now shows that Multi-Factor Authentication has been enabled by showing a Disable Multi-Factor Authentication option. You, or an Administrator user on your behalf, can return to the User View should you need to Disable Multi-Factor Authentication. (Note that to disable Multi-Factor Authentication, the user doing so will need to use the password associated with the logged in ChurchSuite account.)
With Multi Factor Authentication enabled, when logging into ChurchSuite through a web browser or app, and after entering your username and password, you'll be presented with an additional login step to Enter your multi-factor authentication code. Even if your username and password were compromised, your user account remains secure because the authentication code can only be obtained from a device in your possession.