Funraisin naturally takes all steps we can to protect your site’s data, however we ourselves aren’t in control of who is given admin access to your site. To help further protect your platform data we support 2-Factor authentication for all admin users which you can enable at any time via your platform.
What is 2-Factor Authentication?
You may have already used some methods of 2-factor authentication on other platforms such as your online banking, but essentially 2FA is just adding in a second layer of protection for logged-in users by asking them to complete a second step before they are able to log in.
There are many different methods such as the use of Security Questions or SMS tokens where users are sent an SMS message when logging in with a unique code to enter. There are also physical security tokens that online banks sometimes use where you have to carry a physical device around and enter a unique code that it generates into the logging-in process. And then there are smartphone (app) based tokens such as Authy and Google Authenticator.
Funraisin support both SMS Tokens (via Twilio) and App Tokens (via Google Authenticator) and this article will show you how you can enable either, firstly Google Authenticator.
Google Authenticator is an App developed by Google that you can install on your smartphone (iOS and Android) which generates unique codes every 30 seconds. The app is linked to the site or service that you wish to log in to so the generated codes provide you with secure access to that site or service. Unlike SMS or Email based tokens, this method of logging in is incredibly difficult to intercept, making it one of the most secure methods of protecting access to a site.
Below shows you how to enable this method of protection for your site.
Enabling 2-Factor Authentication
To enable Google Authenticator just go into Platform Setup and scroll down until you see the 2-Factor section. Choose “Google Authenticator” from the selection and hit save. This will now force all admin accounts to use this additional method of security when logging in.
First Time Logins
When admins next log in, or log in for the first time, they will be presented with a screen like the example below which contains a field for a unique code and a QR code, plus a link to download the Google Authenticator app.
After downloading and installing the app, you will be prompted to scan a barcode or enter a code manually. Choose the scan method and scan the QR code displayed on your screen.
Once the barcode has been scanned you will immediately be shown a screen like the example below where you will see a bunch of numbers below the title “Funraisin”.
To continue simply enter the numbers displayed into the “code” field above the barcode image.
If the code is correct you will be logged in as usual, if not you will be asked to try again. Keep in mind that the code generated is only valid for 30 seconds so sometimes you may have to repeat the process depending on how long it takes you to enter the code into the field.
Once the account QR code has been stored and used once, admin users will no longer get access to the QR code. The next time they log in they will simply be asked to enter the unique code generated by the Google Authenticator app.
If for some reason you need to reset your Google Authenticator app you will need to ask your site admins to delete your security token against your account so you can repeat the above process.
SMS 2-Factor Authentication
Although SMS-based authentication isn’t considered to be as secure as app-based methods, it is still far more secure than not having any kind of 2nd level authentication at all!
To enable SMS-based authentication simply go into Platform Setup and scroll down until you see the 2-factor authentication section and choose “SMS” from the options. Note that this requires an account with Twilio and needs to be configured within your platform so we can send SMS messages.
If SMS is enabled, each time your admin users attempt to login to your site they will be sent a unique code via SMS to the mobile number that is listed against their account. They will need to enter this into the “code” field provided to gain access to the admin.
If for some reason they don’t receive the message you may need to check that their mobile number has been entered into their account correctly, complete with the international country code e.g. +61 404 123 456
Email 2-Factor Authentication
A less secure option of email 2-Factor authentication is also available which works exactly the same as the above SMS-based method, except that the code is emailed to the admin.