How do I enable two-factor authentication?

Describes the options for enabling and requiring two-factor authentication for user logins.


Two-factor authentication provides an extra layer of security for user accounts by requiring a 6-digit code in addition to the user's password. The 6-digit code expires every 30 seconds and must be retrieved from the Google Authenticator app, which must be installed on the user's phone. This is a free app available on both iOS and Android.

Adding one more step of authenticating your identity makes it harder for an attacker to access your data. This drastically reduces the chances of fraud, data loss, or identity theft because logging in would require physical access to the user's phone in addition to their password.
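How a 6-digit, 30-second code of this kind is computed and checked, shown as an added example that is not One Church's code: Google Authenticator implements TOTP (RFC 6238) with HMAC-SHA1 by default. The secret is the RFC 6238 test key; the function names, the one-step clock-drift allowance and the replay check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # code lifetime stated on this page
DIGITS = 6         # code length stated on this page

# Constructed sample secret: the published RFC 6238 test key, base32-encoded
# the way authenticator apps receive it. Never use it for a real account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: float) -> str:
    """Compute the RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    cleaned = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(unix_time // STEP_SECONDS)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, unix_time, last_used_step=-1, drift_steps=1):
    """Return the matching time step, or None if the code is wrong, expired or replayed.

    drift_steps tolerates small clock differences between phone and server.
    last_used_step is the step of the last accepted code for this user, so the
    same code cannot be accepted twice inside its validity window.
    """
    current = int(unix_time // STEP_SECONDS)
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        if step <= last_used_step:
            continue
        expected = totp(secret_b32, step * STEP_SECONDS)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step
    return None


if __name__ == "__main__":
    print(totp(DEMO_SECRET_B32, 59))  # RFC 6238 vector, last six digits
```

The server should store the returned step per user and pass it back as `last_used_step` on the next login attempt.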

Enabling your own user account

Log in to One Church as you normally do and then go to "Username/Password" under your user menu in the upper right.

A pop-up will appear that includes a section named "Two Factor Authentication." Click on the "Turn on" button.

Afterwards, a list of instructions will appear. You will need to install Google Authenticator on your phone. This is a free app available on both iOS and Android. The app automatically generates the 6-digit codes you will need to log in to your account after enabling two-factor authentication.

Follow the instructions and enter the 6-digit code at the bottom to complete activation. Note that two-factor authentication can be disabled at any time by returning to this same screen and clicking on the "Turn off" button.

Requiring on someone else's user account

You will need the Limited Permission and Full Write People permissions to perform this action.

Navigate to the person's profile and go to Actions > Change username/password in the upper right. A pop-up will appear. Toggle the "Required?" field to "Yes" and click on the "Save" button at the bottom.

With two-factor authentication set as required, the next time this user logs in to the system, they will be required to set up two-factor authentication. This happens from the login screen, and they are not granted access to the system until setup is complete.

Setting security policy for the entire organization

You can also set a two-factor authentication policy for all users of the system. This controls who is required to set up two-factor authentication before being able to log in to the system.

You will need the Limited Account permission to perform this action.

Go to Account Settings > Options > General > Person Profiles from the top of the side menu.

The available policies are:

  • As needed - no one is required to have two-factor authentication by default. However, you can still require it on a per-user basis (see previous section on how).

  • All non-guest users - this requires two-factor authentication for any users that do not have the role of "Guest." Use this option to require it for everyone except normal congregation members.

  • Everyone - this will force everyone to have two-factor authentication when they log in. This includes normal members of your congregation as well.

Note: Due to the highly sensitive nature of disabling 2FA for an account that isn't yours, this is one of the very rare cases where only a Super User is allowed to perform the action. Ideally, the account owner deactivates 2FA themselves. A Super User can do it on their behalf if they have lost their phone or are otherwise unable to generate the passcode.
