MFA (2FA) Concerns and lack of options regarding Blackbaud's Enforcement Policy
I posted this as a response to another thread, but the topic might be missed as it was an inquiry about whether it will impact parents. This is a more general concern.
In addition to Blackbaud's BB ID, they announced they will be enforcing Two-Factor Authentication (2FA) (MFA) for users with elevated access to their systems.
The 2FA requires the end user to have a mobile device, where Blackbaud's 2FA provider will send a text or require the use of a 2FA app. While we applaud Blackbaud's steps in taking security seriously, what does this mean for organizations that do not provide mobile devices to their employees? What does it mean for organizations that do not endorse or advocate the use of personal devices for their employees? If an organization does, do they have a policy in place? If so, is the organization accounting for remuneration, compliance, and monitoring of personal devices?
Because Blackbaud's 2FA does not offer other established alternatives, such as allowing the organization to enforce 2FA with their native solution (my org does this), offering a phone call 2FA solution or 2FA security keys, this seems to create two issues.
1) Incurring additional (hidden) costs to the organization (e.g. providing organization-owned mobile devices, remuneration for personal devices, AMM software, etc.)
2) If endorsing personal devices, there is a perception of diminished privacy for employees and boundaries between work life expectations.
When we tested Blackbaud's 2FA, it is an added layer to our existing 2FA authentication. This is disappointing. If other options were available, it would avoid the above issues. While security is on the forefront of their mind, why aren't cost and privacy? Did anyone in this community conclude the same or have a different perspective? #compliance #work #privacy #security #MFA
Comments
-
You mentioned that it's an added layer to your existing 2FA authentication. Does that mean you're already connecting to Blackbaud using an SSO? MFA is not mandated for SSO connections, just ones where Blackbaud ID is the authorizing service. Our employees who connect via Microsoft AD won't be affected at all.
4 -
Hi @Jonathan Tepper - organizations that are already enrolled in using Single Sign-On for their users are not impacted by this enforcement change.
3 -
I have similar concerns and questions.
We are in the process of switching all of our high school students to using BBID for their school portal login. Their email addresses are all managed by Google, so they should all be using Google to sign in. Is it true, then, that this BBID 2FA requirement won't affect them?
Parents, however, have all sorts of email addresses with or without their own Google accounts, so I'm assuming that those who are not using Google to sign in will be affected. Is that true?
0 -
Reading the FAQ more thoroughly…
My concerns were about parents and students who use our portal, and this is what the FAQ says:
Will parents or students who access our Education systems (Education Management, Blackbaud Tuition Management) be impacted by this requirement?
No, this requirement will only be enforced on your organization's users, parents and students will not be required to configure multi-factor authentication.
2 -
Thank you, @Eleanor Rizzo and @Bryan Lorenzo. We do have SSO already for our organization with our Blackbaud products, and when I tested it myself it required a second MFA/2FA authentication. I will pass this on that this setting will not be enforced (will be turned off). Because the article asserts this is an MFA (two or more factors) and distinguishes between MFA and 2FA while it also says those who have SSO are exempted, I found it a bit confusing. I am glad we are exempted then since we have SSO; however, any organization (likely smaller ones) without SSO will require users to either use a personal mobile device, provide a company one (or, thanks for your clarifications, need to deploy their own SSO - an unplanned cost either way).
0 -
Hi @Eleanor Rizzo - The requirement will only be enforced on your organization's users, parents and students will not be required to configure multi-factor authentication.
The MFA requirement beginning June 2022 through July 2022 is for the following solutions:
Raiser’s Edge®
Blackbaud Raiser’s Edge NXT®
Financial Edge®
Blackbaud Financial Edge NXT®
Blackbaud Church Management™
2 -
The following may seem snarky, but I really want to make a sincere request of BB in general about written communication. The following is an answer from the FAQ that was quoted in this discussion:
“No, this requirement will only be enforced on your organization's users, parents and students will not be required to configure multi-factor authentication.”
First of all, I don't think it is grammatically correct. [two sentences written as one].
Secondly, to add fuel to the fire of confusion on this subject, if one were to not read the entirety of the answer [which people very often do], one might read only:
“No, this requirement will only be enforced on your organization's users, parents and students …”
The exact opposite of the intended message.
It would help greatly if BB would raise the quality of their written communication. This includes notices like this as well as the help and written documentation.
1




