Givebacks is adding multi-factor authentication (MFA) to help keep user accounts more secure.
MFA adds an extra security step during sign-in. In addition to entering a password, a user may need to enter a one-time passcode sent to the email address connected to their Givebacks account. This helps protect your organization’s account, even if a password is lost, guessed, or shared.
How MFA works
When you sign in to Givebacks, a one-time passcode may be sent to the email address connected to your account.
To complete sign-in, you will need to enter that code.
MFA applies to all Admin types-Admin, Custom, and Faculty.
If your organization uses the Givebacks Point of Sale app, MFA may also be required when signing in there.
MFA verification is required on each device that a user wants to use and on each browser.
If the same user signs in from multiple devices, they may need to complete MFA verification on each device.
Whether a one-time passcode is required again depends on whether the user logs out, whether they selected a trusted browser or device, and how long it has been since that trust was set.
Note: MFA applies only to logins using an email address and password, not to Google or Apple logins.
When a one-time passcode is required
How often a user needs to enter a one-time passcode depends on whether they are signing in through a web browser or through the POS app.
Web browser
The first time a user signs in, or any time they sign in after logging out, a one-time passcode is sent to the email address on file.
At sign-in, the user can choose Trust this browser for 60 days.
If they do not select the trusted browser option, a one-time passcode will be required the next time they log in.
If they do select the trusted browser option, they can log back in on that browser within 60 days without entering another one-time passcode.
Givebacks automatically logs web users out only after 90 days of inactivity. This 90-day session timeout is separate from the 60-day trusted browser setting.
As long as a user remains active within that 90-day period, they will not be logged out and will not need to re-enter a one-time passcode.
If a user logs out and then logs back in within the 60-day trusted browser period, no one-time passcode is required. If more than 60 days have passed, a one-time passcode is required again.
POS app
The first time a user signs in, or any time they sign in after logging out, a one-time passcode is sent to the email address on file.
At sign-in, the user can choose Trust this device for 60 days.
If they do not select the trusted device option, a one-time passcode will be required the next time they log in.
If they do select the trusted device option, they can log back in on that device within 60 days without entering another one-time passcode.
Unlike the web browser, the POS app does not automatically log users out after 90 days of inactivity.
If a user stays logged in to the POS app and never logs themselves out, they will not need to sign in again and will not need another one-time passcode, unless Apple causes a sign-out outside of Givebacks' control.
If a user logs out and then logs back in within the 60-day trusted device period, no one-time passcode is required. If more than 60 days have passed, a one-time passcode is required again.
Make sure you have access to the account email
The one-time passcode is sent to the email address connected to your Givebacks account.
Before signing in, make sure your organization knows who owns or monitors that email inbox.
If you personally do not have access to the email address used for the Givebacks account, contact the person in your organization who owns or manages that email. That person will need to receive the one-time passcode and help confirm access when needed.
If your organization uses the same email on multiple devices
Some organizations use the same email to sign in to Givebacks on multiple devices. If your organization does this, the owner of that email inbox should know that MFA codes may be sent to them when someone signs in.
Because MFA verification is required on each device and browser, the email owner may need to help provide a one-time passcode for each device or browser that needs access.
The email owner may need to help confirm access when:
Someone signs in to the account after logging out.
Someone signs in from a new device.
Someone signs in from a different browser.
The same login email is used on multiple devices.
A trusted browser or device is no longer within its 60-day trust period.
What to do if you do not have access to the email
If you do not have access to the email connected to the Givebacks account, contact the person in your organization who owns or monitors that inbox. That person will need to provide the one-time passcode when MFA verification is required.
If no one in your organization has access to the email address, or if the account email needs to be updated, contact Givebacks Support.
Best practices
To help avoid sign-in issues, we recommend the following:
Confirm which email is connected to your Givebacks account.
Make sure someone in your organization has access to that inbox.
Identify the email owner before MFA verification is required.
Make sure the email owner knows MFA may be needed on each device and browser.
Add noreply@notifications.givebacks.com to your Safe Senders or Contact list.
Contact Givebacks Support if your organization no longer has access to the email.
Questions? Click the "?" icon to contact Givebacks Support.