Multi-factor Authentication (MFA)
MFA is an authentication method that requires users to identify themselves with two or more pieces of evidence, or factors, when they sign in. The main types of factors are:
- Knowledge — Something you know, such as a password.
- Possession — Something you have, such as a code sent to a personal device.
- Inherence — Something you are, such as facial recognition.
MFA is the most effective way to increase the security of your account and prevent others from accessing your personal data. Requiring an additional factor for authentication beyond a password significantly increases the costs for attackers and drastically reduces the rate of compromised accounts.
If you use Blackbaud's authentication service to sign in to your Blackbaud ID with your email address and password, then we strongly recommend that you increase security by enabling MFA. Blackbaud is rolling out MFA enforcement on a solution-by-solution basis.
When you sign in after MFA is enabled, you must provide a unique confirmation code along with your email address and password. You can receive confirmation codes using a mobile authenticator app or text messages:
- Mobile Authenticators are the most secure method. Unlike text messages, you can receive confirmation codes even if your device is offline or doesn't have cellular service.
- For text messages on your mobile phone, standard messaging rates apply.
The extra layer of security from MFA means that even if someone obtains your email address and password, they still need a confirmation code to access sensitive data and account information through your Blackbaud ID.
When you enable MFA, you receive:
- A six-digit confirmation code on your personal device to confirm your identity.
- A 24-digit recovery code to access your account if you lose your personal device or can't receive confirmation codes.
For solutions where Blackbaud doesn't enforce MFA, individual users decide whether to turn on MFA. Admins don't control this decision. For admins to enforce MFA, they must establish a Single Sign-on connection and manage MFA through that connection.
- If necessary, download and install a mobile authenticator app on your personal device. For more information, see Mobile Authenticators.
- On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Turn on MFA.
- Select Mobile authenticator app (most secure) and then select Next.
- To confirm your Blackbaud ID, scan the quick response (QR) code or enter the 16-character code in your mobile authenticator.
- Within five minutes, enter the confirmation code that you receive on your device and then select Next.
  To not require a confirmation code on the same device and browser for 30 days, select Remember this browser.
- Save the recovery code and select I saved my recovery code to confirm that you saved it. You need the recovery code if you lose your device or can't receive confirmation codes for some other reason.
- Select Turn on multi-factor authentication to complete the process.
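Authenticator apps of this kind typically implement time-based one-time passwords (TOTP, RFC 6238), which is why codes are available offline: each code is computed from the key entered at setup and the current time. The sketch below is an added example, not Blackbaud's code; it assumes RFC 6238 defaults (HMAC-SHA-1, 30-second step), a constructed setup key, and a hypothetical server-side `verify` helper.

```python
import base64, hashlib, hmac, struct, time

STEP = 30    # seconds per code: RFC 6238 default, assumed for this sketch
DIGITS = 6   # matches the six-digit confirmation code described above
SETUP_KEY = "GEZD GNBV GY3T QOJQ"  # constructed 16-character key, not a real one

def decode_secret(text):
    """Decode the base32 setup key as typed (spaces and case are ignored)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(key, counter):
    """RFC 4226: HMAC the counter, then dynamically truncate to DIGITS digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(key, now=None):
    """RFC 6238: the counter is the number of STEP-second intervals since 1970."""
    now = time.time() if now is None else now
    return hotp(key, int(now) // STEP)

def verify(key, code, now, last_used_step=-1, drift=1):
    """Hypothetical server check: allow +/- drift steps of clock skew and
    refuse any step already consumed, so a captured code cannot be replayed.
    Returns the matched step (to store as last_used_step) or None."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return None
    current = int(now) // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        if step > last_used_step and hmac.compare_digest(hotp(key, step), code):
            return step
    return None

if __name__ == "__main__":
    key = decode_secret(SETUP_KEY)
    code = totp(key)
    print("current code:", code)
    step = verify(key, code, time.time())
    print("accepted at step:", step)
    print("replay accepted:", verify(key, code, time.time(), last_used_step=step))
```

Because the code depends only on the shared key and the clock, anyone who obtains the setup key or QR code can generate valid codes, so treat it like a password.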
To set up MFA without using a mobile phone, follow the steps in the previous section to enable MFA through a mobile authenticator, and use an authenticator app that pairs with a hardware token. For example, you can use hardware such as a YubiKey with the Yubico Authenticator app. For details on how to set up a YubiKey to work with Yubico Authenticator, see Using Your YubiKey with Authenticator Codes.
- On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Turn on MFA.
- Select SMS text messages and then select Next.
- Enter the phone number to receive confirmation codes and select Next.
- Within five minutes, enter the confirmation code that you receive on your phone and then select Next.
  To not require a confirmation code on the same device and browser for 30 days, select Remember this browser.
- Save the recovery code and select I saved my recovery code to confirm that you saved it. You need the recovery code if you lose your phone or can't receive confirmation codes for some other reason.
- Select Turn on multi-factor authentication to complete the process.
To change the device that receives confirmation codes or to change whether to receive codes through a mobile authenticator app or text messages, you must reset MFA.
- On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Manage, Change setup.
- On the confirmation dialog, select Change setup to reset your MFA settings.
- On the Blackbaud ID setup screen to enable MFA, set up MFA again by selecting to receive confirmation codes through a mobile authenticator app or text messages and then setting up and confirming the device that will receive confirmation codes.
To not require the confirmation code on a personal device you frequently use, select Remember this browser when you sign in on that device. When you select this, your Blackbaud ID:
- Recognizes the same device and browser for 30 days and won't ask for a confirmation code during that time.
- Requires a confirmation code to confirm your identity on other devices and browsers, as well as in incognito or private sessions on the same device and browser.
For security, don't select Remember this browser on a public device used by others.
When you enable MFA, you get a 24-digit recovery code to access your account if you lose your personal device or can't receive text messages. If you lose this recovery code, you can request a new one.
- On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Manage, New recovery code.
- To reset your recovery code, select Reset.
- Save the recovery code in a secure location, and select Close.
A recovery phone number ensures that you are never locked out of your Blackbaud account. It backs up the 24-digit recovery code that you get when you set up MFA. If you can't receive confirmation codes and don't have your recovery code, you can use the recovery phone number to sign in and reset MFA. This option is only available if you use a mobile authenticator app to receive confirmation codes.
If you use a mobile authenticator app, you are prompted to add a recovery phone number after you sign in. Enter a mobile phone number that you can use as a backup if you lose your recovery code. Your recovery phone number then appears on your Blackbaud ID profile under Multi-factor authentication.
To edit your recovery phone number:
- On your Blackbaud ID profile, select the edit button for Multi-factor authentication.
- Under Recovery phone number, select Edit.
- On the page that appears, enter a mobile phone number and select Continue.
If you can't receive confirmation codes for any reason, such as losing the personal device that receives them, you can use your recovery code to access your Blackbaud account:
- On the Blackbaud ID sign-in page, enter your email address and password, and select Sign in.
- On the page that prompts you for your 6-digit MFA confirmation code, select Need help?.
- To access the recovery code page, select I don't have access to my multi-factor authentication device.
- Enter your 24-digit recovery code and select Continue.
- Save the new recovery code, and select I saved my recovery code to confirm that you saved it. This new code replaces the one you just used.
- Select Sign in. Your Blackbaud account appears, and you can go to your profile to update MFA settings as necessary.
Tip: If you don't have your recovery code but you authenticate through a mobile authenticator app and set up a recovery phone number, you can use your recovery phone number to access your Blackbaud account and reset MFA:
- On the Blackbaud ID sign-in page, enter your email address and password, and select Sign in.
- On the page that prompts you for your 6-digit MFA confirmation code, select Need help?.
- To access the recovery code page, select I don't have access to my multi-factor authentication device.
- Select Don't have your recovery code? A page to confirm your identity appears.
- On the first tab, enter the 6-digit code that was sent to your Blackbaud ID email address, and select Next.
- On the second tab, enter the 6-digit code that was texted to your recovery phone number, and select Next.
- On the third tab, select Set up MFA to reset MFA. Your Blackbaud account appears, and you can go to your profile to create a new recovery code and update your MFA settings as necessary.
If you enable MFA, you can disable it to change settings or when you can't receive text messages. However, if Blackbaud enforces MFA or your organization enforces MFA through Single Sign-on, you can't disable MFA.
- On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Manage, Disable. If you don't have this option, then MFA is enforced and you can't disable it.
- To confirm, select Disable.
- Enter the confirmation code that you receive at your email address and then select Disable.
For solutions to common issues, see the multi-factor authentication FAQ.