Two-Factor Authentication (also known as MFA)
What is Two-Factor Authentication (2FA)?
Two-factor authentication is designed to ensure that you are the only person who can access your ExpensePlus account.
With two-factor authentication, when you sign in to your ExpensePlus account you will need both your password and a 6-digit verification code.
To enable two-factor authentication you will need a smartphone with a camera and you will need to install the Google Authenticator or Microsoft Authenticator app.
How do I set up Two-Factor Authentication?
- Select the user profile icon (top right corner), then click Multi-Factor Authentication.
- Select 'Two-Factor Authentication Settings' in the bottom right of the screen.
- Follow the on-screen instructions - you will need to install the Google Authenticator or Microsoft Authenticator app on your smartphone.
Top Tip: two-factor authentication is the best way to prevent someone else from getting access to your account. It dramatically improves account security, as just knowing your password isn't enough for someone to access your account.
Is 2FA better than Touch ID?
In some ways, yes, because even when Touch ID is set up, it is always possible to switch to signing in with just a password (for example, when you are using an unregistered device or have an issue with your fingerprint reader).
However, your best option is to set up both! This way, you can gain all of the benefits Touch ID offers in terms of fast secure sign-in, and where Touch ID isn't used, an authentication code will be required.
Note: Enabling 2FA and Touch ID doesn't mean that you will have an extra sign-in step; it just means that if Touch ID isn't used, your account is further protected by the need to enter an authentication code.
Is there a way to make other users within my Church or Charity use 2FA as well?
Yes - this can be set per user role by the system administrator (or anyone with access to the user settings screen). There are three options with regard to two-factor authentication that you can set per user role, which are:
- Enforced - users with this role will be required to set up and use 2FA (they won't be able to access ExpensePlus if they don't)
- Encouraged - users will see a banner message each time they sign in, requesting that they set up and use 2FA (they will still be able to access ExpensePlus if they don't)
- Optional - users won't be required to use 2FA and won't see a banner message, but they can still set up 2FA
It is your choice as to how each role within your organisation is set up. However, we would typically recommend that:
- For roles that have full access to your organisation's data, access to the user settings module, or full access to detailed financial reports and/or donor data, set two-factor authentication to be 'enforced' (or at the very minimum, 'encouraged').
- For roles with limited access to ExpensePlus (such as that of a 'user' or 'budget holder'), you might decide you want to set two-factor authentication to be either 'optional' or 'encouraged'.
To set the two-factor authentication requirements for your organisation's different user roles, go to settings -> users -> add/edit user roles, and click on the role you wish to update.
What do I do if I lose or change my phone?
If you still have your phone:
- Sign in to ExpensePlus, and go to the Two-Factor Authentication Settings screen.
- Click the option to 'disable 2FA', then, using your new phone, set up two-factor authentication again.
If you don't have your phone:
Contact your system administrator (or someone else who has access to the user settings screen within ExpensePlus) and ask them to disable two-factor authentication for you within the user settings screen, by clicking the 'update' icon on the right-hand side of the screen.