Security is always at the top of our priority list at ActBlue, which is why we strongly recommend admins of campaigns and organizations turn on two-factor authentication (2FA). For the safest, most secure experience possible, we recommend using the Google Authenticator app (more on its specifics later).
Why Is 2FA Important?
First off, what is 2FA? 2FA acts as an extra layer of protection for your staff’s ActBlue logins, requiring users to provide two different, independent pieces of verification to confirm their identity when logging in. After filling out the usual combination of username and password, a common form of 2FA requires users to enter a short-lived authentication code generated by a separate app on their phone.
Besides helping secure routine logins, 2FA becomes especially important in guarding your account when logging in from a new device. You’ll need to confirm your login information using 2FA, which will make it harder for someone else to impersonate you.
Setting Up 2FA With Google Authenticator
We’ve offered 2FA on ActBlue admin accounts since 2016, but now we strongly recommend securing your account with 2FA by specifically using the Google Authenticator app. Google Authenticator is a Time-based One-Time Password (TOTP) app, which significantly upgrades your account’s security: each code is derived from a secret shared with ActBlue when you set up the app and from the current time, so a code is only valid for a brief window and cannot be reused later. When you use Google Authenticator, you will not receive text messages or voice calls as part of the verification process, as those methods are vulnerable to social engineering attacks.
Setting up 2FA with Google Authenticator is simple and only takes a few minutes. The easiest way is to log in to your account and click on the Manage menu in your navigation bar at the top. You’ll see a message regarding 2FA at the top. Click on “Enable two-factor authentication” to begin protecting your account.
You’ll also see a message regarding enabling 2FA at the top of your Dashboard.
Finally, you can enable 2FA by clicking on the “Settings” tab in the Manage menu and clicking “Enable” next to “Two-factor authentication” on the Settings page.
Wherever you begin, you’ll be brought to the “Enable two-factor authentication” page where you’ll find instructions for downloading Google Authenticator on your phone or tablet.
After downloading Google Authenticator, open the app and select “Begin Setup” and then “Scan barcode.”
Scan the barcode on our page with the app and get ready to receive your first authentication code!
The app will generate a six-digit code that you can enter in the box at the bottom of our page. After entering the code, click the “Verify and enable” button to complete the setup process.
From then on, you’ll be asked to enter a Google Authenticator code when logging in to your ActBlue account on an intermittent basis or when you use a new device.
You can also check to see whether other admins who manage an entity with you have turned on 2FA. Head back to your entity’s Dashboard, where you can find the User Access tab in the Dashboard toolbar under “Admin.” Clicking on the User Access tab allows you to see all admins with access to your entity and whether they have enabled 2FA. Better yet, you can also see if they are using a TOTP app such as Google Authenticator or another type of app for their 2FA.
If you are already using another 2FA app like Authy and would prefer not to switch to Google Authenticator, we strongly recommend disabling the Authy Multi-Device feature. This feature makes your account vulnerable to social engineering attacks. See number three — “Enable (or disable) Authy Multi-Device” — on this page for instructions.
Using 2FA with a phone app like Google Authenticator tends to be easiest for most ActBlue admins, but our platform also supports YubiKeys (a physical device that you insert into your computer, similar to a USB drive). YubiKey users can now log in to ActBlue with codes generated by the Yubico Authenticator desktop app for 2FA.
Backup Codes for 2FA
Since 2FA most often depends on an app on your mobile device, we highly recommend that you generate backup codes that let you log in to your 2FA-protected account in case you lose your phone.
The easiest way to generate 2FA backup codes is to follow the instructions in the pop-up right after you enable two-factor authentication.
You can also find this pop-up with your backup codes by clicking on “Settings” in the Manage menu, which will bring you to the “Security” tab.
On this page you can see whether you’ve turned on 2FA, enabled TOTP, and generated backup codes for your account.
Click the “Generate” button next to “Backup codes.” (Note that you need to have 2FA enabled before generating backup codes.)
After entering your ActBlue password for security purposes, the pop-up with your backup codes will appear! You must save these backup codes immediately after generating them. Click “Download” to download the codes as a CSV file. We recommend you click “Copy” to copy and paste your codes into a secure password manager like 1Password for safekeeping instead of leaving them in your computer’s Downloads folder.
After generating backup codes for your ActBlue account, you should get an email from ActBlue Security Alerts at firstname.lastname@example.org that confirms that it was you who generated these backup codes. This is an added layer of security and a way to make sure you successfully secured your account.
After you leave the “Generate backup codes” pop-up, your backup codes will be hidden to keep your account as secure as possible. This means that if you did not download or copy and paste your backup codes, you will have to generate a new batch of backup codes. You can do this by navigating back to the “Security” tab and clicking the “Generate” button.
Each backup code is one-time use only — once you use it, you will not be able to use it again. If you are running low on backup codes, you can generate a new batch at any time! And if you change your two-factor authentication device, please note that you will have to generate new backup codes for your new device.
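The following is an added illustration (not ActBlue’s implementation) of the server-side model the backup-code rules above imply: codes are shown once and stored only as hashes, each one is burned on use, and generating a new batch invalidates every code from the old batch. The code length, the per-account salt and the plain SHA-256 hashing are constructed choices for the example; a production store would prefer a deliberately slow hash.

```python
import hashlib
import hmac
import secrets
from typing import List

CODE_HEX_CHARS = 10  # constructed choice for this example, not ActBlue's format


class BackupCodeStore:
    """One account's backup codes: hashed at rest, single-use, and replaced as a batch."""

    def __init__(self) -> None:
        # Per-account random salt (assumed design) so equal codes on two
        # accounts never hash to the same value.
        self._salt = secrets.token_bytes(16)
        self._hashes: List[str] = []

    def _hash(self, code: str) -> str:
        return hashlib.sha256(self._salt + code.encode()).hexdigest()

    def generate(self, count: int = 10) -> List[str]:
        """Return the plaintext codes exactly once; afterwards only hashes remain,
        which is why the codes are hidden as soon as the pop-up is closed."""
        codes = [secrets.token_hex(CODE_HEX_CHARS // 2) for _ in range(count)]
        self._hashes = [self._hash(c) for c in codes]  # replaces the previous batch
        return codes

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept a code once, then burn it; unknown or already-used codes fail."""
        candidate = self._hash(submitted.strip().lower())
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)  # one-time use
                return True
        return False


if __name__ == "__main__":
    store = BackupCodeStore()
    batch = store.generate()
    print(store.redeem(batch[0]), store.redeem(batch[0]))  # True False
    store.generate()                                        # new batch
    print(store.redeem(batch[1]))                           # False: old batch is void
```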
Two-factor authentication is a smart and easy way to protect yourself and your organization from increasing digital attacks. If we can help you set up 2FA or answer any questions you might have about our recommendations, drop us a line at email@example.com.