Configuring MFA for Your Nation
Admins and control panel users (CPUs) with authentication management permissions can configure multi-factor authentication (MFA) settings at the nation level. To do this, navigate to Settings > Login and security and find the Multi-Factor Authentication section. Here, you can make MFA required for CPUs and/or supporters. By default, MFA is optional for all users.
Requiring MFA
To require MFA, check the box labeled "Require MFA for control panel users" or "Require MFA for supporters". Once enabled, users will be prompted to set up MFA during their next login and must complete the process before accessing the control panel. If left unchecked, users will still see an MFA setup prompt at login but can choose to skip it, and they won’t be asked again. Note that MFA cannot be completely disabled.
After enabling the requirement, you can configure the available MFA confirmation types for users to choose from: authenticator app, SMS/text message or both.
Configuring MFA as a user
Configuring MFA as a CPU
To enable MFA for your account as a Control Panel User, navigate to your account settings by clicking on your profile icon, then select Your Account > Login and Security. Note that you will be asked to log in again when you try to access this screen for the first time.
From there:
If MFA is optional for your account, you can check the box to enable the authentication methods available for your account. The next time you log in, you will be able to choose your preferred method on the login screen (phone or authenticator app of your choice).
If MFA is required for your account, the checkbox will not appear.
If you are allowed to use either phone or authenticator app as authentication factors (i.e. it is not a situation where only a specific factor is required for your account), then you will be able to switch between each of the authentication factors when logging in.
Configuring MFA as a supporter
As a supporter, you can enable MFA for your account through the Login and Security tab in the supporter portal, accessible at https://[your domain]/supporter_portal. Note that you will be asked to log in again when you try to access this screen for the first time.
This tab is also linked in the supporter profile edit form on websites. If you wish to place it elsewhere, a liquid variable is available to override the automatic injection of this link. More information can be found in this documentation.
The supporter portal is enabled by default, and the donation and membership tabs are disabled if they weren’t actively enabled for the nation.
As a supporter, if MFA is optional for your account, you can enable MFA by checking the appropriate box. From here, you can also reset your authentication factors. If you are allowed to use either authentication factor (i.e. it is not a situation where a single factor is required for your account), then you will be able to switch between each of the authentication factors when logging in.
At the bottom of the page, you will find a button to request a password reset email. If you choose to reset your password, you will receive an email with instructions.
Configuring MFA for other users
Enabling/disabling MFA for a user on the single-person view
A CPU with admin or authentication management permissions can enable or disable MFA for a user by navigating to Edit > Login and Security in that user's profile within the People section.
Resetting all factors for a Control Panel User on the single-person view
A CPU with admin or authentication management permissions can reset MFA factors for a profile by going to Edit > Login and Security in the user's single-person view in the People section. Recovery codes are also considered an authentication factor so they will get reset when this button is used.
Login email management
Each user can have only one login email address which by default will be the primary email address in their profile. There are a few ways this login email address can be changed.
Changing login email through an admin
A CPU with admin permissions can change a user’s login email address on their behalf by navigating to Edit > Login and Security in the profile's single-person view in the People section.
Changing login email as a Control Panel User (CPU)
A CPU can change their login email in their account settings. Follow these steps:
Navigate to Your Account > Login and Security.
Locate the ‘Login Email’ section.
Enter your new email address and save the changes.
Note that CPUs will need to log in again to access the Login and security settings in the control panel.
Important Notes:
If you update your email address in the Contact Info tab within your account settings, your login email will remain unchanged. To update your login email, navigate to the Login and Security page as outlined above.
If you attempt to use an email address that is already associated with another account, you will receive an error message, and the email update will not be processed.
Changes made to the email address on the Login and Security page will also update the matching email field in the signup (e.g., Email1). For example, if the login email [email protected] matches Email1 and you update it to [email protected], Email1 will also reflect the updated address.
Changing login email as a supporter
Supporters can update their login email through the supporter portal. Here’s how:
Navigate to https://[your domain]/supporter_portal.
Locate the "Change Email" option in the Login and Security settings.
Enter your new email address and save the changes.
Note that supporters will need to log in again to access the Login and security settings in the supporter portal.
Important Notes:
Ensure the new email address is not already in use by another account to avoid errors.
Changes made to the email address on the Login and Security page will also update the matching email field in the signup (e.g., Email1). For example, if the login email [email protected] matches Email1 and you update it to [email protected], Email1 will also reflect the updated address.
Changing the email via the site profile settings page will NOT update the login email address. Instead, you must use the Login and Security settings of the supporter portal.
Logging into the control panel or website with MFA
Control Panel Users and supporters can log in by navigating to [yournationslug].nationbuilder.com. From here, if social login is enabled, users will be able to log in with an email and password or using their Google or Microsoft account. They can also initiate a password reset if needed.
If MFA is enabled for your account, when logging in for the first time, you can select your authentication factor. If both types are enabled for your account, you will be able to choose between “Phone” or “Authenticator app” as the method to complete your login.
Phone method
If you select the phone method, you can set up a phone number and select how you would like to receive a confirmation code (via SMS or a call).
Authenticator app method
If you select the authenticator app, you will be prompted to scan a QR code using your chosen authenticator app and enter the code generated by the app. You can use any of the following authenticator apps for your account. Each app provides a secure and easy way to generate one-time passwords:
Choose the app and follow its instructions to enhance your account security with 2FA.
Inviting a new Control Panel User
You can invite new Control Panel Users as usual, and they will receive an activation email. The activation link will be valid for 7 days.
Password strength requirements
Passwords must contain at least 8 characters, including at least 3 of the following 4 types: a lowercase letter, an uppercase letter, a number, and a special character (e.g., !@#$%^&*).
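The rule above can be checked against candidate passwords with a short script. This is an added example, not NationBuilder's code; it assumes "special character" means ASCII punctuation (the page only lists !@#$%^&* as examples), and the function and class names are hypothetical.

```python
import string
from dataclasses import dataclass

MIN_LENGTH = 8    # "at least 8 characters"
MIN_CLASSES = 3   # "at least 3 of the following 4 types"
# Assumption: the special-character set is ASCII punctuation.
SPECIALS = set(string.punctuation)


@dataclass
class PolicyResult:
    ok: bool          # True when the password satisfies the whole rule
    length_ok: bool   # True when the length requirement alone is met
    classes: tuple    # names of the character types present, sorted


def check_password(password: str) -> PolicyResult:
    """Evaluate a candidate password against the documented rule."""
    present = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            present.add("lowercase")
        elif ch in string.ascii_uppercase:
            present.add("uppercase")
        elif ch in string.digits:
            present.add("number")
        elif ch in SPECIALS:
            present.add("special")
        # Anything else (spaces, non-ASCII) counts toward length only.
    length_ok = len(password) >= MIN_LENGTH
    ok = length_ok and len(present) >= MIN_CLASSES
    return PolicyResult(ok, length_ok, tuple(sorted(present)))


# Constructed sample inputs, not taken from any real account.
SAMPLES = ["Password1", "password1", "Ab1!", "correct horse battery"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), check_password(pw))
```

"Password1" satisfies the rule, so the composition check alone does not exclude commonly chosen passwords; requiring MFA covers that gap.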
First-time login flow: setting up multi-factor authentication (MFA)
When logging into your nation for the first time, you will be prompted to set up MFA. Upon your initial login, several options regarding MFA setup will be presented.
MFA Setup Options
These options will appear based on specific conditions, as outlined below:
Option | Will be displayed |
Set up MFA now (recommended) | Always |
Remind me later | Will only be shown up to 3 times |
Do not use multi-factor authentication | MFA is not required for your account |
Set up MFA now (recommended): Selecting this option will allow you to immediately begin the process of setting up MFA for your account. You will be guided through your MFA options to complete the setup.
Remind me later: If you choose this option, you will be taken directly to your intended destination, and the MFA setup will be postponed. However, you will be prompted again to set up MFA the next time you log in. You can only select "Remind me later" up to three times. After this limit is reached, you will be required to set up MFA upon your next login if MFA is required for your nation.
Do not use multi-factor authentication: By selecting it, you will proceed to your destination without setting up MFA, and you will not be prompted to set it up again in the future. However, you can always enable MFA later in your authentication settings if you change your mind. Note that this option will not appear if MFA is required at the nation level.
Recovery codes
Recovery codes are a backup method for accessing your account if you can't use your usual multi-factor authentication device. When you set up MFA, you'll be given a unique one-time use code that you should store securely. If you lose access to your second authentication factor, such as a phone, you can use one of these recovery codes to log in. After you have used this recovery code once, it will expire and you will be given a new recovery code to use in the future. Make sure you keep it somewhere safe, separate from any email and password information. Once you have used a recovery code, you should immediately reset your MFA factor so that you will be prompted to set it up again upon the next login. If you need assistance, ask your nation admin to reset your MFA.
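The single-use behaviour described above, together with the admin reset that also clears recovery codes, can be modelled as follows. This is an added illustration, not NationBuilder's implementation; the class name, the in-memory storage and the code length are assumptions.

```python
import hashlib
import hmac
import secrets


class RecoveryCodeStore:
    """Holds one active recovery code per user, stored only as a hash."""

    def __init__(self):
        self._hashes = {}  # user id -> SHA-256 digest of the active code

    @staticmethod
    def _digest(code: str) -> bytes:
        # A plain hash is adequate here because the code is high-entropy
        # random data, unlike a user-chosen password.
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, user: str) -> str:
        """Create a new code, replacing any previous one; show it once."""
        code = secrets.token_hex(12)  # 96 random bits (assumed size)
        self._hashes[user] = self._digest(code)
        return code

    def redeem(self, user: str, code: str):
        """Return a replacement code on success, None on failure."""
        stored = self._hashes.get(user)
        # compare_digest avoids leaking how many leading bytes matched.
        if stored is None or not hmac.compare_digest(stored, self._digest(code)):
            return None
        # issue() overwrites the stored hash, so the used code is now dead.
        return self.issue(user)

    def reset_factors(self, user: str) -> None:
        """Admin reset: the recovery code is a factor, so it is cleared too."""
        self._hashes.pop(user, None)
```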