June 26, 2026 Platform Release Notes

Released Enhancements

Two-Factor Authentication Email Support

We’re improving how CivicPlus accounts are protected by expanding multi-factor authentication (MFA) options. This helps organizations reduce the risk of account takeovers (for example, through phishing or password reuse) while still keeping sign-in practical for all users.

Why This Matters

MFA adds a second step to confirm it’s really you signing in, so even if a password is stolen, unauthorized access is much harder.

What’s New / What’s Changing

  • Authenticator App (recommended): This is the strongest and most reliable option for protecting accounts.

  • Email MFA (new option): A good fallback for users who can’t or don’t want to use an authenticator app, while still improving security compared to password-only login.

What this Enables for Organizations

Stronger, Organization-Level Protection

Organizations will be able to require MFA for eligible users, helping ensure consistent security across teams. This is especially important for accounts tied to high-impact communications and administration.

Notes:

  • If forced MFA/2FA is enabled at the organization level, users who sign in through an external IdP are not subject to CivicPlus Authentication’s forced MFA prompt. Instead, MFA/2FA is governed by whatever controls are enforced by that external IdP. This is intentional to avoid creating a double MFA flow for users who would otherwise be challenged once by CivicPlus Auth and again by their IdP.

  • This applies to CivicPlus Authentication accounts controlled by an external IdP, whether private or public, and regardless of the organization’s MFA option, such as authenticator app or email. Because CivicPlus cannot confirm or prove that an external IdP is enforcing MFA, organizations should ensure their IdP policies meet their security requirements. The expected use case is primarily private IdP or staff access; staff logins through public IdPs such as Google or Facebook should be limited or avoided.

Smoother Onboarding and Fewer Support Gaps

We’re also improving the behind-the-scenes setup so:

  • Users are correctly associated with their organization based on verified domains

  • New users can be prompted to set up MFA when required

  • MFA enforcement can be applied more consistently (without blocking users who sign in through an external identity provider)

How it Will Work for Users

When your organization requires MFA, after you enter your email and password:

  1. You’ll choose or be prompted for your MFA method (depending on what’s allowed/required).

  2. If using an authenticator app, you’ll confirm with a code from the app.

  3. If using email MFA, you’ll receive a code by email and enter it to finish signing in.

  4. On all logins, you will be required to authenticate using email/password, and then using your second stored method.

  5. Depending on an organization’s requirements, users may change their method of 2FA by accessing their account in the CivicPlus Account Service.

Recommendation to Constituents

We strongly recommend using an authenticator app for the best protection.

Email MFA is a second option for teams with adoption constraints, and it’s still a security upgrade over password-only access.