Enforced Multi-Factor Authentication?

Today, when signing in or authorising an integration, I received an MFA request which I've never seen before. I clicked Learn More and saw that it could be turned off (I never turned it on).

When I eventually signed in, I went to turn it off and saw that it had an Enforced/checked icon next to it.

Would someone please advise what's going on?

Thanks.

Comments

  • @Steven Cinquegrana I also experienced something similar. When logging in, there was no option to avoid setting it up that I saw (before, I think there was a way to dismiss it). I did not try deactivating it after setting it up, so it is currently active on our end.

    It's not a major issue on our end since we can set up multi-factor within LastPass for testing credentials / easily share that with whoever is authorized to see it, but I could see it being a pain for a shared testing account with the Cohort environment (if more than one tester).

    EDIT: It looks like this is an across-the-board policy change to make it required:

  • Yes, MFA is required for all accounts now. This change has been in the pipeline for a while. Are you subscribed to Blackbaud's announcements? It's a good way to stay on top of potentially breaking changes. We also received personalized emails from Blackbaud letting us know the date when MFA would be enforced for our org.

  • @Steven Cinquegrana We found the same thing this morning and discovered that once Enforced, there is no way to opt out. You can change your setup or request a new code, but there is no way to disengage this option. We didn't see any Blackbaud announcement regarding the roll-out despite being subscribed to all announcements. Our notice came from your post.

  • Thanks for the replies.

    As far as I know we're subscribed to all notifications as well - we get SKY API updates, etc. - but I didn't see anything about this. #NoMemo.

    MFA is becoming the norm now, unfortunately. It's manageable if you register your browser, etc., but it means we have to update our doco to keep users in the loop.

  • @Steven Cinquegrana

    Huh, you're right, I couldn't find this in the announcements, either. I had the impression that there was a lot of communication about this, but although I did receive multiple personalized emails from Blackbaud letting me know when this would be turned on for my org (it's too bad that it sounds like some people aren't receiving those), I don't see anything in the announcement channels.

    I think this was also highlighted in some of the product update webinars and some of the sessions at the BBDev conference, which may have contributed to my sense that there was a lot of communication around it.

  • @Ben Regier
    I received two “ACTION REQUIRED” emails directly from no-reply@blackbaud.com (May 19 & Jul 19, 2022). However, I believe this is because we are a RE & FE customer. I am not sure if other email subscriptions would have also indicated the change (e.g., one that a developer would be subscribed to).

  • Hi @Steven Cinquegrana, if you have MFA enforced on any solution you are authorized to access, then MFA will be enforced on your Blackbaud ID, regardless of what you're attempting to access after authentication.

    As Michael noted, emails were sent to all RE & FE customers. Specifically, we sent emails to all Organization Admins for customers within the planned rollout waves that have any RE or FE on Blackbaud ID. If you did not receive a communication yet and your Blackbaud ID has MFA enforced, then you must have access to a customer's environment that was included in the enforcement.