Introduction
Multi-Factor Authentication (MFA) is a security practice that requires a person to complete an additional step beyond, for example, email and password when logging into a system. ShulCloud offers two options for that additional step, and admins can specify which of those options are available or required based on whether the person is an admin or a non-admin. Both options require the person to enter a valid verification code in order to complete MFA and log into ShulCloud. Other actions, such as a person resetting their password, also trigger MFA. Login- and password-related admin actions on non-admin accounts (such as Log in as Account Primary) do not trigger MFA.
Audience
This security feature is important for ShulCloud Administrators to understand.
Use Cases
MFA can be implemented to increase the security of your ShulCloud site and data. ShulCloud admins can decide to implement MFA for admins only or for all site users (non-admins).
Before You Begin
Before you begin, you will want to:
- Review MFA Settings
- Decide who will be required to use MFA (admins and/or non-admins)
- Understand the two verification options (Email or Authentication App)
Topics
- MFA Settings: Understand the settings available.
- Verification via Email: Receiving a verification code via Email
- Verification via Authentication App: Receiving a verification code via an Authentication App
MFA Options and Tools
Audit Log
When a second factor is used to complete a login, that second factor is recorded in the audit log along with the previously recorded method (such as email/password or login link).
Code Emails
- Emails are sent from no-reply@shulcloud.com; if desired, you can include an email contact in your help text in MFA Settings (the same help text that shows on MFA screens).
- Email subject is ShulCloud Verification Code (Site Name)
Login Links
If a person is required to complete MFA, after clicking a Login Link and providing email address and password, MFA will be required, unless the device is remembered. The Login Link provides the first authentication step but not the second, if a second is required per MFA Settings.
Log in as User
Admins with sufficient permission can still log in from the People page as other people, no MFA required. Likewise, functions like account lookups on forms and the payment page are not changed by MFA.
Remember Me
If the "remember me" option in MFA Settings is set to a number greater than zero, the person will be offered the option to remember the device after completing MFA. If the person chooses to remember the device, the person will not be asked to complete MFA again on subsequent logins during the stated period.
Troubleshooting
Try Another Way
If a site allows more than one mode of authentication, the person can choose to use another mode; for example, a person who uses Authenticator could use email if the registered device is not available.
- Person clicks "Try another way" link on the code entry screen.
- Person chooses a different authentication mode.
- Person completes authentication the other way.
I Need Human Help
If a person has no access to any mode of authentication, the person can activate this option, which delivers a code via email to admins with the "Special: Change Password, Login as other Member" permission.
- The person checks the "I need human help to enter verification code (office hours only)" checkbox before submitting email address and password.
- The system emails a verification code to admins with the password permission noted above.
- The admin communicates the verification code to the person.
Related Resources
- Multi-Factor Authentication Verification Mode: Email (Topic)
- Multi-Factor Authentication Verification mode: Authentication App (Topic)
- Multi-Factor Authentication Settings (Overview & Reference)
- Multi-Factor Authentication: Authenticator App (Overview)