MFA and password policies
Authentication is the church’s first line of defense. Ministrium applies strict password policies and mandatory MFA (Multi-Factor Authentication) for privileged roles.
Password policy
Every password in Ministrium must meet:
- Minimum 12 characters.
- At least one uppercase letter, one lowercase, one number, and one symbol.
- Not on the list of compromised passwords (we validate against the public Have I Been Pwned dataset when the password is created or changed).
- Not reusing the user’s last 5 passwords.
We do not require periodic forced rotation. Modern guidelines (NIST SP 800-63B) show that mandatory rotation pushes users toward predictable passwords. Instead:
- We force immediate change if we detect a password in a public breach.
- We force change if suspicious activity is detected on the account.
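The checks above (length, character classes, breach lookup, and no reuse of the last 5 passwords) can be combined into a single validator. The following is an added illustration, not Ministrium's own code: the breach index is a constructed stand-in for the Have I Been Pwned range API (which takes only the first 5 hex characters of the SHA-1 hash, so the full password never leaves the client), and the history store uses salted PBKDF2 hashes purely for the example; the function and constant names are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

SHA1_PREFIX_LEN = 5  # the HIBP range API is queried with the first 5 hex chars of SHA-1(password)


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for a range-API response:
# hash prefix -> set of hash suffixes seen in public breaches.
_BREACHED_SAMPLES = ["Password123!", "Summer2024!!"]
BREACH_INDEX: Dict[str, Set[str]] = {}
for _pw in _BREACHED_SAMPLES:
    _h = _sha1_upper(_pw)
    BREACH_INDEX.setdefault(_h[:SHA1_PREFIX_LEN], set()).add(_h[SHA1_PREFIX_LEN:])


def is_breached(password: str, index: Dict[str, Set[str]] = BREACH_INDEX) -> bool:
    """k-anonymity lookup: only the 5-char prefix would be sent to the remote service."""
    h = _sha1_upper(password)
    return h[SHA1_PREFIX_LEN:] in index.get(h[:SHA1_PREFIX_LEN], set())


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest kept in the password-history table (never plaintext)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the user's last 5 passwords."""
    for salt, digest in list(history)[-5:]:
        if hmac.compare_digest(hash_for_history(password, salt)[1], digest):
            return True
    return False


CLASS_RULES = [
    (r"[A-Z]", "at least one uppercase letter"),
    (r"[a-z]", "at least one lowercase letter"),
    (r"[0-9]", "at least one number"),
    (r"[^A-Za-z0-9]", "at least one symbol"),
]


def validate_new_password(
    password: str,
    history: Iterable[Tuple[bytes, bytes]] = (),
    index: Dict[str, Set[str]] = BREACH_INDEX,
) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    errors: List[str] = []
    if len(password) < 12:
        errors.append("minimum 12 characters")
    for pattern, message in CLASS_RULES:
        if not re.search(pattern, password):
            errors.append(message)
    if is_breached(password, index):
        errors.append("appears in a public breach")
    if matches_history(password, history):
        errors.append("matches one of the last 5 passwords")
    return errors


if __name__ == "__main__":
    previous = [hash_for_history("Correct-Horse-9")]
    for candidate in ["short", "Password123!", "Correct-Horse-9", "Battery-Staple-42"]:
        print(candidate, "->", validate_new_password(candidate, previous) or "accepted")
```

The validator reports every violated rule at once instead of stopping at the first, which is what a user-facing form needs; the breach check runs even when other rules fail so the user learns about a compromised password immediately.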
Mandatory MFA for privileged roles
The following roles require MFA from the first login:
- admin
- pastor
- accountant
- finance
For all other roles (supervisor, secretary, ministry_leader, cell_leader, member), MFA is optional but strongly recommended and can be activated from the user profile.
Supported second-factor methods
| Method | Recommendation |
|---|---|
| TOTP (Google Authenticator, Authy, 1Password, Bitwarden) | Recommended. Works without Internet, doesn’t depend on the cellular operator. |
| WebAuthn / Passkeys | Recommended for admin roles. Hardware keys (YubiKey) or device biometric passkeys. |
| SMS | Available as a fallback, not as the primary method. SMS is vulnerable to SIM swapping. |
| Backup codes | 10 single-use codes delivered when activating MFA, for use when the second factor is lost. |
Account recovery
If the user loses access to the second factor:
- They can use one of their backup codes generated when activating MFA.
- If they don’t have codes either, the church admin can reset the user’s MFA from Church → Team → Edit user → Reset MFA.
- If the user who lost their second factor is the church's only admin, write to soporte@ministrium.com from the church's institutional email. We verify identity through out-of-band channels before resetting.
Every reset is recorded in the audit log with who performed it, when, and from which IP.
Session policies
- Short-lived access tokens (15 minutes), automatically renewed with refresh tokens.
- Revocable refresh tokens: signing out invalidates them immediately.
- Automatic session timeout after 8 hours of inactivity on kiosks, 24 hours on desktop.
- Detection of suspicious concurrent sessions (change of IP geolocation or country); in that case we force re-authentication.
- Password change revokes all active sessions of the user.
Lockout from failed attempts
- After 5 consecutive failed attempts, the account is locked for 15 minutes.
- After 15 failed attempts in one hour from different IPs, an extended 24-hour lockout is applied and the admin is notified.
- The admin can manually unlock from Church → Team → Edit user → Unlock.
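The two lockout rules and the manual unlock can be modelled as a small per-account state machine. The following is an added example, not Ministrium's implementation: it keeps state in memory, treats attempts made during a lockout as rejected without counting them, and resets the consecutive counter when a short lockout is applied, all of which are assumptions about behaviour the page does not specify; the admin notification sink and the IP addresses are constructed.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Tuple

SHORT_LOCK_THRESHOLD = 5              # consecutive failures
SHORT_LOCK = timedelta(minutes=15)
EXTENDED_THRESHOLD = 15               # failures within EXTENDED_WINDOW ...
EXTENDED_WINDOW = timedelta(hours=1)  # ... coming from more than one IP
EXTENDED_LOCK = timedelta(hours=24)


class AccountLockout:
    """Lockout state for one account (in-memory here; a deployment would persist it)."""

    def __init__(self) -> None:
        self.consecutive_failures = 0
        self.failures: Deque[Tuple[datetime, str]] = deque()  # (time, ip) inside the 1h window
        self.locked_until: Optional[datetime] = None
        self.admin_notifications: List[str] = []  # constructed sink for admin alerts

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now: datetime, ip: str, password_ok: bool) -> str:
        """Process one login attempt and return its outcome."""
        if self.is_locked(now):
            return "locked"  # assumption: attempts during a lockout are rejected, not counted
        if password_ok:
            self.consecutive_failures = 0
            return "ok"
        return self._record_failure(now, ip)

    def _record_failure(self, now: datetime, ip: str) -> str:
        self.consecutive_failures += 1
        self.failures.append((now, ip))
        # Drop failures older than the one-hour window.
        while self.failures and now - self.failures[0][0] > EXTENDED_WINDOW:
            self.failures.popleft()
        distinct_ips = {src for _, src in self.failures}
        if len(self.failures) >= EXTENDED_THRESHOLD and len(distinct_ips) > 1:
            self.locked_until = now + EXTENDED_LOCK
            self.admin_notifications.append(
                f"{now.isoformat()} extended 24h lockout: "
                f"{len(self.failures)} failures from {len(distinct_ips)} IPs"
            )
            return "extended_lock"
        if self.consecutive_failures >= SHORT_LOCK_THRESHOLD:
            self.locked_until = now + SHORT_LOCK
            self.consecutive_failures = 0  # assumption: the next short lock needs 5 fresh failures
            return "short_lock"
        return "failed"

    def admin_unlock(self) -> None:
        """Manual unlock (Church -> Team -> Edit user -> Unlock)."""
        self.locked_until = None
        self.consecutive_failures = 0
        self.failures.clear()


if __name__ == "__main__":
    t0 = datetime(2024, 3, 10, 10, 0, 0)
    acct = AccountLockout()
    # Constructed scenario: three bursts of 5 failures, 16 minutes apart, from three IPs.
    for k, ip in enumerate(["203.0.113.10", "198.51.100.7", "192.0.2.55"]):
        base = t0 + timedelta(minutes=16 * k)
        for i in range(5):
            print(base + timedelta(seconds=i), ip, acct.attempt(base + timedelta(seconds=i), ip, False))
    print(acct.admin_notifications)
```

Note that the extended rule is evaluated before the short one: the 15th failure inside the hour from a second or third IP escalates straight to the 24-hour lockout even though it would also have triggered a short lock.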
Suspicious activity detection
Ministrium automatically monitors:
- Logins from countries or regions new to the user.
- Multiple logins within a very short time from different IPs.
- Unusual data access patterns for the role.
When suspicious activity is detected:
- The user is notified by email.
- The church admin is notified.
- Re-authentication with MFA is forced.
If you receive a suspicious activity notification you don’t recognize, change your password immediately and notify soporte@ministrium.com.
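The first two signals above (a country new to the user, and rapid logins from different IPs) can be checked by a detector that replays successful login events against a per-user baseline and emits the three responses the page lists. This is an added example, not Ministrium's detection engine: the log line format, the 5-minute window used for "very short time", and the sample log lines are all constructed, and the third signal (unusual data access for the role) is out of scope for it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed line format; a real deployment would read its own auth log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) country=(?P<country>[A-Z]{2}) result=(?P<result>ok|fail)$"
)
RAPID_WINDOW = timedelta(minutes=5)  # assumed value for "very short time"
# Response the page describes: notify the user, notify the admin, force MFA re-auth.
RESPONSE = ("notify_user", "notify_admin", "force_mfa_reauth")

# Constructed sample log: ana logs in from CO, then two minutes later from DE on another IP.
SAMPLE_LOG = """\
2024-03-10T09:12:01Z user=ana ip=203.0.113.10 country=CO result=ok
2024-03-10T09:14:30Z user=ana ip=198.51.100.7 country=DE result=ok
2024-03-10T11:00:00Z user=luis ip=192.0.2.55 country=CO result=fail
2024-03-10T11:00:05Z user=luis ip=192.0.2.55 country=CO result=ok
2024-03-11T08:00:00Z user=luis ip=192.0.2.56 country=CO result=ok
"""
# Constructed baseline of countries each user has logged in from before.
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"ana": {"CO"}, "luis": {"CO"}}


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


class SuspiciousLoginDetector:
    def __init__(self, known_countries: Dict[str, Set[str]]) -> None:
        self.known: Dict[str, Set[str]] = defaultdict(set, {u: set(c) for u, c in known_countries.items()})
        self.recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def process(self, ev: dict) -> List[str]:
        """Return the reasons this successful login is suspicious (empty if none)."""
        if ev["result"] != "ok":
            return []  # failed attempts are handled by the lockout rules, not here
        user, reasons = ev["user"], []
        # Signal 1: a country the user has never logged in from (first-ever login sets the baseline).
        if self.known[user] and ev["country"] not in self.known[user]:
            reasons.append(f"new country {ev['country']}")
        self.known[user].add(ev["country"])
        # Signal 2: another successful login from a different IP inside the window.
        q = self.recent[user]
        while q and ev["ts"] - q[0][0] > RAPID_WINDOW:
            q.popleft()
        if any(ip != ev["ip"] for _, ip in q):
            reasons.append("rapid logins from different IPs")
        q.append((ev["ts"], ev["ip"]))
        return reasons


def scan(lines: Iterable[str], known_countries: Dict[str, Set[str]]) -> List[dict]:
    """Replay log lines and return one alert per suspicious login, with the actions to take."""
    detector = SuspiciousLoginDetector(known_countries)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = detector.process(ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons, "actions": RESPONSE})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines(), KNOWN_COUNTRIES):
        print(alert)
```

Only successful logins feed the detector; failures are already covered by the lockout rules, and counting them here would let a single guessing campaign generate user-facing alerts that train people to ignore them.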
SSO (Single Sign-On) for enterprise plans
Large churches or denominations can activate SSO against their identity provider (Google Workspace, Microsoft Entra ID, Okta) on enterprise plans. This:
- Centralizes user management in the organization’s directory.
- Applies the identity provider’s MFA policies.
- Allows immediate deactivation when a collaborator leaves the church.
To activate SSO, write to ventas@ministrium.com.
Next steps
- Encryption — how passwords and tokens are protected.
- Audit and logs — what is logged from each login.
- Roles and permissions — what each role can do after authenticating.