ActBlue admins will notice something new on their Dashboard starting today: a message regarding two-factor authentication.
Two-factor authentication (2FA for short) is a login method that requires users to provide two different, independent pieces of evidence to confirm their identity when signing in to an online account. A common form of 2FA requires users to enter a username and password combination AND a short, time-limited authentication code produced by a separate app on a phone. We’ve offered 2FA on ActBlue admin accounts since 2016. Today, we’re releasing new 2FA recommendations and options to reflect current best practices.
1. We strongly recommend setting up 2FA with Google Authenticator for your ActBlue account today, even if you are already using a different 2FA application (and especially if you are not currently using 2FA). Google Authenticator is a Time-based One-Time Password (TOTP) app. TOTP apps are more secure than codes delivered by text message or voice call because the code is computed on your own device from a secret shared with ActBlue during setup and the current time; nothing has to travel over the phone network to reach you. When you use Google Authenticator with your ActBlue account, you will not receive text messages or voice calls as part of the verification process. Those methods can be vulnerable to social engineering, for example an attacker persuading your carrier to move your phone number to a device they control.
To start using Google Authenticator with your ActBlue account, log in to ActBlue and then follow the link in the message at the top of your Dashboard (pictured above). You’ll be brought to a page where you can install Google Authenticator on your phone or tablet.
Open the app and select “Begin Setup” and then “Scan barcode.”
Scan the QR code (barcode) on our page. Treat that barcode like a password: it contains the secret the app will use to generate your codes, so don’t screenshot it or share it. The app will then show you an authentication code, which you should enter in the “Confirmation code” box on our page. Please note that each code is valid for only 30 seconds, after which the app shows a new one (so don’t worry if you are too slow entering it the first time; just enter the code currently displayed).
Click the orange button at the bottom of our page to complete the setup process! From then on, you will be asked to enter a Google Authenticator code when logging in to your ActBlue account periodically or any time you log in on a new device.
2. If you currently use the 2FA application Authy and do not want to switch to Google Authenticator, we strongly recommend disabling the Authy Multi-Device feature. With Multi-Device enabled, someone who can convince Authy or your carrier that they own your phone number can add a new device to your Authy account and receive your codes, which leaves your ActBlue account vulnerable to social engineering. See number three — “Enable (or disable) Authy Multi-Device” — on this page for instructions. Or just set up Google Authenticator instead. It only takes a few minutes!
3. We are excited to now support YubiKeys for 2FA! While using an app on a phone like Google Authenticator will be easiest for most ActBlue admins, we’re always striving to be on the cutting edge. Now, if you have a YubiKey (a small hardware device that plugs into a USB port on your computer), you can use it for your 2FA with codes generated by the Yubico Authenticator desktop application. The TOTP secret is stored on the key itself, and the desktop app only displays the codes the key computes, so the secret never lives on your computer.
Two-factor authentication is one of the best ways you can protect yourself and your organization from attacks. If we can help you deploy 2FA to your entire campaign or organization on ActBlue, or if you have any questions about these recommendations, contact us at firstname.lastname@example.org!