Security is important, especially for systems that allow access to information about thousands of members. For organization administrators, particularly those with access to organization-wide member data, we strongly recommend enabling two-factor authentication.
With two-factor authentication (2FA), after entering your password you'll be asked to enter an authentication code that verifies that you have possession of your cellphone. 2FA therefore adds a second layer of account security because it combines something only you know (your password) with something only you have access to (your phone or a physical token). An attacker who guesses or steals your password would also need to steal your cellphone to gain access to the ControlShift tools.
For users who enabled 2FA before August 2022, we're using Authy to provide two-factor authentication. Authy is a vendor that allows authentication either over SMS or through a native mobile application. Users who enable 2FA starting August 2022 will be able to use their preferred authentication app (including Authy, Google's Authenticator app, Microsoft's Authenticator app, etc.).
Note: If you enabled Authy before August 2022, you will need to update your configuration before March 2023. More information.
Who can enable 2FA?
Anyone with a user account can enable 2FA, including org admins, partner admins, and supporters (petition creators, event hosts, group members, etc). While 2FA is optional for supporters, organizations can require 2FA protections for partner and org admins.
How do I enable 2FA?
To enable 2FA, log into your account and click the My Account link in the dropdown menu. Go to the Password & Security option, and there will be a button to Enable Two-Factor Authentication.
Note: If your organization requires 2FA, you'll see the prompt to enable 2FA immediately upon logging into ControlShift. Follow the prompts to create your 2FA configuration.
After clicking the link, you'll be shown a QR code. Open your chosen authentication app and scan the code. If you're on mobile, you can click to copy the alphanumeric code and paste it into your authentication app instead.
If you don't already have an authentication app, you'll need to download one from your app store. Commonly used apps are: Authy, Google Authenticator, and Microsoft Authenticator. While other apps are also available, we'd recommend using caution to ensure that other authentication apps are legitimate.
Once you've scanned/entered the code, your app should update to show a 6-digit code. In ControlShift, click to Continue. On this ControlShift page, enter the code and click to Enable.
At this point, we recommend downloading your recovery codes. These codes can be used if you're unable to access your authentication app. Each recovery code can only be used once, and we recommend storing them securely.
Note: Recovery codes are only shown once, and they are the only way of unlocking your account if you lose access to your authenticator app. If you're not able to access the authenticator app, and you don't have your recovery codes, you'll need to create a new ControlShift account.
When you're done, 2FA will be enabled for your account. Then, whenever you log into your account, you'll be asked for the authentication code, which you can find in your authentication app.
Once an admin has 2FA enabled, their member account listing will also reflect the new setting. You can see which admins have enabled 2FA by going to Settings > Teams & Permissions > Admins. The admins using 2FA will have a checkmark in the second column.
If you need to disable 2FA, return to your account page (from the dropdown menu), go to Password & Security, and click Remove.
2FA Settings for Organizations
We strongly recommend all org admins enable 2FA. Organizations can also require that all admins enable 2FA on their account by going to the org admin homepage > Settings > Options > Admins and checking the Require admins and partner admins to set up two-factor authentication checkbox. After enabling this option, all partner and organization admins will be required to set up 2FA during their next log-in. They'll be unable to view any other pages in the platform until 2FA is configured.
If you have any questions, email firstname.lastname@example.org.