Multi-factor Authentication (MFA)

If you use your email address and password to sign in to your Blackbaud ID through Blackbaud's authentication service and Blackbaud doesn't enforce MFA, then we strongly recommend that you increase security by enabling MFA yourself. Blackbaud enforces MFA on our solutions because it's the most effective measure to increase security, but the optimal authentication for customers is to enforce MFA through a Single Sign-on connection.

What is MFA?

MFA is an authentication method that requires users to identify themselves with two or more pieces of evidence, or factors, when they sign in. The main types of factors are:

  • Knowledge — Something you know, such as such as a password.

  • Possession — Something you have, such as a code sent to a personal device.

  • Inherence — Something you are, such as facial recognition.

Why is MFA important?

MFA is the most effective way to increase the security of your account and prevent others from accessing your personal data. Requiring an additional factor for authentication beyond a password significantly increases the costs for attackers and drastically reduces the rate of compromised accounts.

If Blackbaud doesn't enforce MFA for you, then then we strongly recommend that you increase security by enabling MFA.

How does MFA work with Blackbaud ID?

When you sign in after MFA is enabled, you must provide a unique confirmation code along with your email address and password. Blackbaud enforces MFA on some solutions, and we recommend that you enable MFA if it isn't enforced. You can receive confirmation codes using a mobile authenticator app or text messages:

  • Mobile Authenticators are the most secure method. Unlike text messages, you can receive confirmation codes even if your device is offline or doesn't have cellular service.

  • For text messages on your mobile phone, standard messaging rates apply.

The extra layer of security from MFA means that even if someone obtains your email address and password, they still need a confirmation code to access sensitive data and account information through your Blackbaud ID.

When you enable MFA, you receive:

  • A six-digit confirmation code on your personal device to confirm your identity.

  • A 24-digit recovery code to access your account if you lose your personal device or if you can't receive confirmation codes for any other reason.

If Blackbaud doesn't enforce MFA, individual users decide whether to turn on MFA. Admins don't control this decision. For admins to enforce MFA, they must establish a Single Sign-on connection and manage MFA through that connection.

  1. If necessary, download and install a mobile authenticator app on your personal device. For more information, see Mobile Authenticators.

  2. On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Turn on MFA.

  3. Select Mobile authenticator app (most secure) and then select Next.

  4. To confirm your Blackbaud ID, scan the quick response (QR) code or enter the 16-character code in your mobile authenticator.

  5. Within five minutes, enter the confirmation code that you receive on your device and then select Next.

    To not require a confirmation code on the same device and browser for 30 days, select Remember this browser.

  6. Save the recovery code and select I saved my recovery code to confirm that you saved it. You need the recovery code if you lose your device or can't receive confirmation codes for any other reason.

  7. Select Turn on multi-factor authentication to complete the process.

To set up MFA without using a mobile phone, follow the steps in the previous section to enable MFA through a mobile authenticator and leverage an authenticator app that pairs with a hardware token. For example, you can leverage hardware such as a YubiKey and the Yubico Authenticator app. For details on how to set up a Yubikey to work with Yubico Authenticator, see Using Your YubiKey with Authenticator Codes.

  1. On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Turn on MFA.

  2. Select SMS text messages and then select Next.

  3. Enter the phone number to receive confirmation codes and select Next.

  4. Within five minutes, enter the confirmation code that you receive on your phone and then select Next.

    To not require a confirmation code on the same device and browser for 30 days, select Remember this browser.

  5. Save the recovery code and select I saved my recovery code to confirm that you saved it. You need the recovery code if you lose your phone or can't receive confirmation codes for any other reason.

  6. Select Turn on multi-factor authentication to complete the process.

To change the device that receives confirmation codes or to change whether to receive codes through a mobile authenticator app or text messages, you must reset MFA.

  1. On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Manage, Change setup.

  2. On the confirmation dialog, select Change setup to reset your MFA settings.

  3. On the Blackbaud ID setup screen to enable MFA, set up MFA again by selecting to receive confirmation codes through a mobile authenticator app or text messages and then setting up and confirming the device that will receive confirmation codes.

To not require the confirmation code on a personal device you frequently use, select Remember this browser when you sign in on that device. When you select this, your Blackbaud ID:

  • Recognizes the same device and browser for 30 days and won't ask for a confirmation code during that time.

  • Requires a confirmation code to confirm your identity on other devices and browsers, as well as in incognito or private sessions on the same device and browser.

For security, don't select Remember this browser on a public device used by others.

Your 24-digit recovery code allows you to access your Blackbaud ID account even if you lose the device that receives MFA confirmation codes or if you can't receive them for any other reason.

If you can't sign in and don't have your recovery code:

  • If you have a recovery phone number, follow the steps below to sign in with your recovery phone number. And when you reset MFA, be sure to save your new recovery code. This option is only available if you receive confirmation codes through a mobile authenticator app.

  • If you can't sign in and don't have a recovery phone number, contact Support.

If you can still sign in but you lost your recovery code, follow these steps to request a new one:

  1. On your Blackbaud ID profile, select the edit button beside Multi-factor authentication.

  2. On the Edit multi-factor authentication screen, select Manage and then select New recovery code.

  3. To clear your recovery code and create a new one, select Reset.

  4. Copy the new recovery code that replaces the one you just reset.

    Warning: Make sure to save the new recovery code in a secure location so that you can access your account even if you can't receive confirmation codes.

  5. To confirm that you saved the new code, select I saved my recovery code.

  6. Select Close. You return to the Edit multi-factor authentication screen.

  7. Select Close.

A recovery phone number ensures that you are never locked out of your Blackbaud account. It backs up the 24-digit recovery code that you get when you set up MFA. If you can't receive confirmation codes and don't have your recovery code, you can use the recovery phone number to sign in and reset MFA. This option is only available if you use a mobile authenticator app to receive confirmation codes.

If you use a mobile authenticator app, you are prompted to add a recovery phone number after you sign in. Enter a mobile phone number that you can use as a backup if you lose your recovery code. Your recovery phone number then appears on your Blackbaud ID profile under Multi-factor authentication.

To edit your recovery phone number:

  1. On your Blackbaud ID profile, select the edit button for Multi-factor authentication.

  2. Under Recovery phone number, select Edit.

  3. On the page that appears, enter a mobile phone number and select Continue.

If you can't receive confirmation codes for any reason, such as losing the personal device that receives them, you can use your recovery code to access your Blackbaud account:

  1. On the Blackbaud ID sign-in page, select Continue with Email.

  2. In the Email address field, enter your address and select Continue.

  3. In the Password field, enter your password and select Sign in.

  4. On the MFA page that prompts you for a confirmation code, select the Can't access your authenticator app? link. A page to confirm your identity appears.

  5. Check your inbox for a confirmation email and copy the code.

  6. Return to the page that confirms your identity, and on the Confirm email tab, enter the 6-digit code and then select Next.

    Tip: The code expires after 10 minutes, but if it expires, you can return to the sign-in page and start over to get a new one.

  7. On the Recovery code tab, enter your 24-digit code and select Next.

  8. On the New code tab, copy the new recovery code that replaces the one you just used.

    Warning: You can only use a recovery code once, so you need to save the new one in case you lose the device that receives confirmation codes or if you can't receive them for any other reason.

  9. To confirm that you saved the new code, select I saved my recovery code.

  10. Select Next. Your Blackbaud account appears, and you can go to your profile to update your MFA settings as necessary.

If you don't have your recovery code but you authenticate through a mobile authenticator app and set up a recovery phone number, you can use your recovery phone number to access your Blackbaud account and reset MFA:

  1. On the Blackbaud ID sign-in page, select Continue with Email.

  2. In the Email address field, enter your address and select Continue.

  3. On the page that prompts you for your 6-digit MFA confirmation code, select Need help?

  4. To access the recovery code page, select I don't have access to my multi-factor authentication device.

  5. Select the Don't have your recovery code? link.

  6. On the first tab of the page that confirms your identity, enter the 6-digit code that was sent to your Blackbaud ID email address, and select Next.

  7. On the second tab, enter the 6-digit code that was texted to your recovery phone number, and select Next.

  8. On the third tab, select Set up MFA to reset MFA. Your Blackbaud account appears, and you can go to your profile to create a new recovery code and update your MFA settings as necessary.

If you enable MFA, you can disable it to change settings or when you can't receive text messages. However, if Blackbaud enforces MFA or your organization enforces MFA through Single Sign-on, you can't disable MFA.

  1. On your Blackbaud ID profile, select the edit button for Multi-factor authentication and then select Manage, Disable. If you don't have this option, then MFA is enforced and you can't disable it.

  2. To confirm, select Disable.

  3. Enter the confirmation code that you receive at your email address and then select Disable.

For solutions to common issues, see the multi-factor authentication FAQ.