Security is always at the top of our priority list at ActBlue, which is why we strongly recommend admins of campaigns and organizations turn on two-factor authentication (2FA). For the safest, most secure experience possible, we recommend using the Google Authenticator app (more on its specifics later).
First off, what is 2FA? 2FA acts as an extra layer of protection for your staff’s ActBlue logins, requiring users to provide two different, independent pieces of verification to confirm their identity when logging in. After filling out the usual combination of username and password, a common form of 2FA requires users to enter a short-lived authentication code generated by a separate app on their phone.
Besides helping secure routine logins, 2FA becomes especially important in guarding your account when logging in from a new device. You’ll need to confirm your login information using 2FA, which will make it harder for someone else to impersonate you.
We’ve offered 2FA on ActBlue admin accounts since 2016, but now we strongly recommend securing your account with 2FA by specifically using the Google Authenticator app. Google Authenticator is a Time-based One-Time Password (TOTP) app, which significantly upgrades your account’s security: the codes are computed on your own device from a secret shared during setup and the current time, so no code ever has to be sent to you. When you use Google Authenticator, you will not receive text messages or voice calls as part of the verification process, as those methods are vulnerable to social engineering attacks.
Setting up 2FA with Google Authenticator is simple and only takes a few minutes. The easiest way is to log in to your account and click on the User menu in the upper right-hand corner. You’ll see a message regarding 2FA at the top. Click on “Enable two-factor authentication” to begin protecting your account.
You’ll also see a message regarding 2FA at the top of your Dashboard. Whether you click on “Enable two-factor authentication” from the User menu or follow the link at the top of your Dashboard, you’ll be brought to a page where you can download Google Authenticator on your phone or tablet.
Open the app and select “Begin Setup” and then “Scan barcode.”
Scan the barcode on our page with the app and get ready to receive your first authentication code! The app will generate a code that you can enter in the “Confirmation code” box on our page. After entering the code, click the orange button at the bottom of our page to complete the setup process. From then on, you’ll be asked to enter a Google Authenticator code periodically when logging in to your ActBlue account, and whenever you log in from a new device. Here’s what that page will look like:
You can also check to see whether other admins who manage an entity with you have turned on 2FA. Head back to your entity’s Dashboard, where you can find the “User Access” tab at the bottom of the Dashboard menu. Clicking on the “User Access” tab allows you to see all admins with access to your entity and whether they have enabled 2FA. Better yet, you can also see if they are using a TOTP app such as Google Authenticator or another type of app for their 2FA.
If you are already using another 2FA app like Authy and would prefer not to switch to Google Authenticator, we strongly recommend disabling the Authy Multi-Device feature. This feature makes your account vulnerable to social engineering attacks. See number three — “Enable (or disable) Authy Multi-Device” — on this page for instructions.
Using 2FA with a phone app like Google Authenticator tends to be easiest for most ActBlue admins, but our platform also supports YubiKeys (a physical device that you insert into your computer, similar to a USB drive). YubiKey users can now log in to ActBlue with codes generated by the Yubico Authenticator desktop app for 2FA.
Backup Codes for 2FA
Since 2FA most often depends on an app on your mobile device, we highly recommend that you generate backup codes that let you log in to your 2FA-protected account in case you lose your phone.
The easiest way to find your 2FA backup codes is clicking on the User menu in the upper right-hand corner. You’ll see a message about backup codes at the top, where you should click on “Generate backup codes.”
You can also find your backup codes by heading to the My account tab under the User menu. You’ll find “Security” near the bottom of the tab. Clicking on the “Security” link brings you to the same page that the backup codes message at the top of your User menu does. On this page you can see whether you’ve turned on 2FA, enabled TOTP, and generated backup codes for your account.
Click the orange “Generate backup codes” button. (Note that you must turn on 2FA before you can generate backup codes.)
You’ll be asked to verify your ActBlue password to continue generating your backup codes.
Once you’ve typed in your ActBlue account’s password and clicked the “Verify” button, your backup codes will appear. You must save these backup codes immediately after generating them. Click “Download” to save the codes as a CSV file, or, as we recommend, click “Copy” and paste the codes into a secure password manager such as 1Password for safekeeping.
After generating backup codes for your ActBlue account, you should find an email from ActBlue Security Alerts at firstname.lastname@example.org that confirms that it was you who generated these backup codes. This is an added layer of security and a way to make sure you successfully secured your account.
After you leave the “Security” page, your backup codes will be hidden to keep your account as secure as possible. This means that if you did not download or copy and paste your backup codes, you will have to generate a new batch of backup codes. You can do this by navigating back to “Security” and clicking the orange “Generate new backup codes” button.
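The backup-code behaviour described above (shown once, never redisplayed, usable a single time, replaced as a whole batch) follows naturally when the service keeps only a digest of each code. This added example is not ActBlue’s code; the code count, length and format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # assumed batch size
CODE_BYTES = 5   # 40 bits of entropy per code, shown as two groups of five hex chars


def _normalize(code: str) -> str:
    """Accept the code however the user pasted it: spaces, dashes, any case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str) -> str:
    # Codes are high-entropy random strings, so a plain SHA-256 is enough to make
    # the stored form useless to anyone who reads the database.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT) -> tuple[list[str], set[str]]:
    """Return (plaintext codes to show the user once, digests for the server to keep).
    Because only the digests are stored, the codes cannot be shown again later;
    a user who did not save them has to generate a fresh batch."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes, {_digest(c) for c in codes}


def redeem_backup_code(stored: set[str], submitted: str) -> bool:
    """Log in with a backup code: accept it once, then discard its digest so the
    same code cannot be replayed. Comparison runs over every stored digest in
    constant time rather than stopping at the first mismatch."""
    candidate = _digest(submitted)
    matched = None
    for digest in stored:
        if hmac.compare_digest(digest, candidate):
            matched = digest
    if matched is None:
        return False
    stored.remove(matched)
    return True


def regenerate_backup_codes(stored: set[str]) -> list[str]:
    """'Generate new backup codes': the old batch is invalidated in full."""
    codes, fresh = generate_backup_codes()
    stored.clear()
    stored.update(fresh)
    return codes
```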
Two-factor authentication is a smart and easy way to protect yourself and your organization from the growing number of digital attacks. If we can help you set up 2FA or answer any questions you might have about our recommendations, drop us a line at email@example.com.