BBID & Two Factor Authentication

Josceline Reardon

Happy New Year Everyone! If you use two-factor authentication to login into Blackbaud, are all of your faculty & staff required to use two-factor or just those that have advanced roles?

Thank you in advance for your help.

Bryan Lorenzo

Hi @Josceline Reardon - we require it for all employees via our identity provider.

Brian Gray

We use Blackbaud ID for all employees, students, and parents. Employees and students are authenticated using their school Google account.

Two-factor authentication on the Google account has always been an option for all employees and students. It has been required for several years for employees who work in areas with access to sensitive data or who are believed to be at higher risk for targeted phishing attempts (based on the offices they work in or their personal history with phishing). Our insurance company now requires that all employees use two-factor authentication on their Google accounts.

We discourage the use of Blackbaud's two-factor authentication for students and employees, because it's easier for us to help when problems arise on the Google account than when they arise on the Blackbaud account.

Josceline Reardon

Thank you @Brian Gray! We use Google for our identity provider and then SSO to Blackbaud. I'm just worried about those that are less tech savvy and we also have a few employees that do not have cell phones.?

Coco Parham

We all use two factor authentication. All enrolled families as well. Looks like we are all going that way by this summer.

Josceline Reardon

Hi @Brian Gray - Thank you for the information! When you turn on the two-factor for Google, does that then turn it on for when they log in to Blackbaud since they are authenticating via Google to get into Blackbaud? Thanks in advance for your additional help!

Brian Gray

We can't turn on 2FA for an employee - the employee has to activate it while signed into the account. (Some do it on their own. Others require some help). We have a supply of YubiKeys for those without phones. (It's a USB dongle that's associated with one or more Google accounts.)

Once the user has signed into Google on a particular computer's web browser and verified with 2FA, the browser usually does not prompt for 2FA on that computer again.

If the user is signing into Blackbaud on a computer that has not been used to sign into Google already, the steps are:

• User enters the email address in Blackbaud
• Blackbaud notices that the address uses Google authentication, and prompts for Google sign-in
• Google sign-in process will prompt for 2FA if needed for that user on that computer in that browser
• Blackbaud sign-in process completes
• User gets access to SIS/LMS/FE-NXT/RE-NXT

We are using (Google Apps Manager) GAM to get a report of which employees have 2FA active. Others in the Tech Office are hunting down the rest to get it turned on.

Lauren Henderson

CORRECTION- at this point we are just requiring Faculty/Staff to implement MFA, and are doing it through Microsoft (our school account), not through blackbaud.

Brian Gray

@Lauren Henderson - if you use Blackbaud's 2FA, emphasize that each user MUST retain the recovery key that is generated when 2FA is activated. If the user loses access to the 2FA device, the recovery key makes it relatively simple to access the account and re-establish 2FA.

Without that recovery code, Blackbaud support will have to be involved. You will have to manage a three-way conversation between you, the user, and Blackbaud. (In my case, this took several days due to an unmotivated student, multiple time zones, remote learning and a pandemic…)

This scenario is why we prefer to rely on the Google 2FA. As Google domain administrators, we can help a user get 2FA access via backup codes in a matter of minutes.

Kathy Hannon

I echo @Brian Gray - we had 2 students who set-up BBID 2FA and it took us a couple of weeks to rectify the login issue and get the students' accounts back on track - UGH