Multi-Factor Authentication (MFA)

What is MFA?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a software system. As part of our constant efforts to ensure maximum security for our cloud products, NPact added the additional step of MFA to the login processes for our cloud products Foundation Cloud Grants and Foundation Cloud Community Portal. MFA will be added to FIT soon.

After entering a valid username and password, users are prompted to prove their identity using a mobile authenticator application, entering a code sent to them in a text message, or confirming their identity through a phone call before they are allowed to log into the system. 

This feature is required for all foundations using Foundation Cloud. 

How do I enable MFA? 

On May 15th, 2023, MFA was automatically enabled for all NPact clients running FCG, FCCP, and FIT in production. For customers who are not in production yet, MFA will be enabled during the implementation process before the foundation's go-live date. 

From the first time a new user logs into any of our cloud-based products, they are allowed to "skip" MFA for a period of 30 days. When the 30 days have passed, they are required to configure MFA in order to log in.  

Frequently Asked Questions:

Q: When and how was this change announced?

A: MFA requirement communications:

• February 10th, 2023, email sent listing new features coming soon. 
• An announcement of the requirement and discussion on the impact to foundations in a recent Let’s Talk Solutions webinar. 
• On the FCG Home page, under the What’s New section and Release Notes section.

Q: Why is NPact requiring MFA? I don’t understand this extra step. 

A: NPact cares about your data security. Multi-Factor Authentication is the software industry standard for securing sensitive data, and it is required for NPact's security certifications. 

Many of our foundation clients have cyber-insurance policies which charge much higher premiums for organizations whose data access is not secured with MFA. 

We take security seriously and want to ensure our systems have the latest safety measures available to protect our customers' data and information.  Multifactor authentications ensure your funds are safe from unauthorized users that plague online systems.

Q: What happens if I don't set up MFA by the deadline?

A:  You can set up MFA at any time before the May 15th, 2023, deadline. After May 15th, 2023, NPact will enforce MFA for all FCG and FCCP users. Each user has the option to 'skip' MFA configuration for up to 30 days, after which the user must complete the MFA setup. 

Q: Which authentication methods are available? 

A: When a user sets up MFA, they are presented with three options.

• Mobile authenticator app (most secure) - This process uses an authenticator application on the user's mobile phone. It generates a verification code that must be entered on the MFA screen to continue.
• SMS text messages - During setup, the user is asked to select a country and provide a phone number. For verification, the user is sent a code via text message that must be entered on the MFA screen to continue.
• Voice calls - This process prompts a call to the user's phone providing an audio verification code that must be entered on the MFA screen to continue.

Q:  Which mobile authentication apps are supported? 

A:  MS Authenticator and Twilio Authy

Q:  Are the mobile authentication apps available for iOS and Android? 

A:  Yes. MS Authenticator and Twilio Authy are both available for iOS and Android.

Q: Which devices are compatible with mobile authentication apps? Can the apps be used on a Mac or PC instead of a mobile phone?

A: MS Authenticator is compatible with iOS devices and Android mobile phones.

Twilio Authy is compatible with iOS and Android mobile phones. Twilio also supports devices that use Blackberry, Windows, Mac Os, and Linux.

Q:  For SMS or Voice Calls, what happens if I change my phone number or lose access to the phone or phone number used?  

A: For FCCP, go to My Account > Configure MFA to change your phone number. If you cannot login, please contact the foundation to have your MFA reset.

For FCG and FIT, go to Account > Set Up MFA to change your phone number. If you cannot login, please contact your system administrator to have your MFA reset.

Q:  I don’t want to use a mobile phone to receive text messages or use an authenticator app. How can I make this work? 

A:  Choose "Voice calls" as your preferred verification method and enter a landline phone number.

Q:  Should I use my personal or work phone number? 

A:  For FCCP, we recommend all users choose a personal phone number. Users who apply for grants on behalf of an organization may use a work number. However, if they leave the organization and lose access to the phone number, they are no longer able to authenticate.  

For FCG and FIT, users can use a personal or work phone number. However, when an individual leaves an organization they lose access to the corporate phone numbers and aren't able to authenticate. 

Q:  How do I change or reset my MFA settings?  

A: For FCCP, go to My Account > Configure MFA to change your phone number or clear the current MFA configuration and start again. If you cannot login, please contact the foundation to have MFA reset.

For FCG and FIT, go to Account - Set Up MFA to change your phone number or clear the current MFA configuration and start again. If you cannot login, please contact your system administrator to have your MFA reset.

Q: I can't get MFA set up properly. Where can I get help? 

A: Use the green Help sliders in our cloud products to access help content to guide you step-by-step through MFA configuration. If you're not able to resolve the issue, please open a support case here. https://support.npact.com

Q: Our foundation has some user accounts that are used by more than one person. Can multiple user accounts share the same MFA configuration?

A: Yes. However, the SMS text messages, or phone calls, can only go to one number per user.

Q: Our foundation has some users with more than one login. Can multiple user accounts share the same MFA configuration?

A: Yes. There is nothing to stop two users from using the same phone number for MFA (text or land-line options). We recommend using SMS text messages as the MFA configuration option. An authenticator app requires configuration with multiple accounts, which could cause confusion. 

Q: If a user selects audio or text authentication, will the system automatically populate the phone number listed as the primary phone on the web user tab of their constituent record in FCG or will the phone number field be blank and force the user to type the number in?

If they must type it in, will the primary phone number from the web user tab be overwritten by whatever they enter (whether upon first configuration or if they opt to change the number in the authentication phone number in the future)?

A: When a user registers for MFA, the primary phone number from their constituent record is automatically populated. If there is no phone number stored in FCG, the user is required to enter a phone number to proceed. 

The phone number entered for MFA does not overwrite the primary phone number listed on the constituent record. It is only used for MFA purposes. 

Q: Our staff has access to change a person’s phone number for authentication if they have selected audio or text as their authentication method. Do we have access to change the authentication method itself for them? 

A: No. When registering for MFA, each user is presented with the three authentication methods. It is up to each user to choose the method that works best for them. 

Q: Where do FCG users control the phone number used for their authentication? When a user logs in and goes to their "Account Details," there is no phone number field present.

A: For FCG and FIT, users go to Account > Set Up MFA to change the phone number.

Q: We do not want to offer two different authentication apps to our clients. This is confusing/unhelpful to them. How can we configure this to direct them to only one app or the other? 

A: When registering for MFA, each user is presented with the three authentication methods. It is up to each user to choose the method that works best for them. A recommendation can be made for a specific method, but the options cannot be limited to one method.

Q: When will a whitepaper be available for this new feature? We need to be informed ourselves, but we also need to inform our clients, and we want to do so in advance of the date when this feature will become required.

A: No whitepaper is planned for MFA. Whitepapers are meant to explain new features introduced by NPact. MFA is an established software security standard. We recommend using online resources to find out more about MFA. For example, Microsoft provides an article on MS Authenticator here. 

Q: Is there any way for us to test the MFA user experience without enabling for all users? We'd like to test it out and make sure we understand what our clients will experience, but we do not want to require our clients to use it until AFTER we've tested it. 

A: When MFA is enabled, it is presented to all users. If MFA is enabled for testing purposes, users will see the MFA options but can skip the set up for up to 30 days. 

For customers still in implementation, MFA can be turned on and off by NPact staff until your apps go live. 

Q: Why did my account get locked out? 

A: As a security measure, we have implemented a lock out after 20 failed authentication attempts.