Multi-factor Authentication for Administrators
Multi-factor authentication (MFA) for administrators adds an extra layer of protection to your Luminate Online administrator accounts. This feature does not impact constituents.
What is MFA?
Multi-factor authentication (MFA) is a method that requires you to identify yourself with two or more pieces of evidence to sign in. Main types of factors are:
- Knowledge — Something you know, such as a password.
- Possession — Something you have, such as a code sent to a personal device.
- Inherence — Something you are, such as facial recognition.
How does it work in Luminate Online?
You and the other administrators at your organization can use either SMS (text) or an authenticator app, such as Microsoft Authenticator or Google Authenticator, to verify identity when logging in to Luminate Online.
After providing username and password credentials, you are required to also provide a code that is texted to your device or is found in your authenticator app on your device.
Authenticator apps, or Time-based One-Time Passwords (TOTP), offer an alternative to SMS (text) for the second method of authentication and are especially useful when SMS is not readily available. When enabled, TOTP is available per site, meaning that all administrators at your organization will see the option during login. However, if SMS is preferred, no action is required to set up TOTP, and your administrators have a choice whether to use each option.
Both SMS and authenticator app require a one-time setup to associate the MFA account with a Luminate Online account. See How do I set up MFA with SMS? and How do I set up MFA with an authenticator app?
How do I enable MFA for admins?
By default, all sites have the SMS feature enabled.
To offer authenticator app (TOTP) as an MFA option, go to Setup, Site Options, then set MFA_WITH_TOTP_FEATURE to TRUE and Save.
You can offer both features, or only one of them, but you must offer at least one form of MFA.
Both options require a one-time setup to link the MFA configuration with each administrator's Luminate Online account.
Note: When the authenticator app feature is enabled for your site and administrators set up authentication with an app, be aware that if you later disable TOTP for your site, those administrators will no longer be able to log in unless they have successfully set up the SMS option and it is enabled.
How do I set up MFA with SMS?
After an administrator enters their username and password into Luminate Online, a screen prompts for a mobile phone number. After entering a number and selecting Verify, a code is sent via SMS (text) to the number, and the number provided by the administrator is stored on the profile record.
Administrators who log in from a public connection will clear the option for This connection is private and will need to provide SMS MFA upon each login.
The administrator enters the code from the text message into the Luminate Online login page to access Luminate Online.
Tip: Admins on a private connection who previously authenticated location within the past 30 days may not be sent or prompted for a code after entering their phone number until the current authentication expires.
How do I change a phone number used for administrator MFA?
To change the phone number used to receive confirmation codes, update the number stored in the administrator's profile record.
- In Luminate Online, go to Constituent360, then search for and open the administrator's record.
- On the administrator's record, select Change MFA Phone.
- Enter a new mobile phone number. Select a country from the drop-down to add the country code.
- Select Update.
How do I set up MFA with an authenticator app?
Note: This feature must first be enabled. See How do I enable MFA for admins?
When your site has the authenticator app (TOTP) option enabled, each administrator who wants to use this option must first connect their authentication app to their Luminate Online account as a one-time setup.
An administrator who is able to log in to Luminate Online can open their own record, or the record of another administrator, in Constituent360. From there, the logged-in administrator can provide a QR code or link to another admin that can be used to make the connection.
- Go to Constituent360 and open the record of the administrator who wants to connect an account.
- Select Configure Authenticator App.
- Select Generate Authorization code to create the QR code needed to link the accounts.
- Link accounts:
  - If this is for your own account, open your authenticator app and scan the QR code.
  - If this is for another administrator, provide them with a screenshot of the QR code, or the App Configuration Code. The administrator should open their authenticator app, then either enter the code or scan the QR code image.
- Confirm the code.
- Upon the next login to Luminate Online, after successfully entering a username and password, a code from the authenticator app is required.
Note: Currently, this feature prompts for an authentication app code upon each login, but support for 30-day authentication is coming in a future release.