Two-Factor Authentication via Email Messages

Have more questions? Submit a request

Introduction

The Services Manager allows you to setup and manage external service providers. One service is two-factor authentication (2FA). This adds a layer of security. It can be added for administrators and/or customers. It can be done via email messages, text messages, or an authenticator app on a mobile phone. This article covers the email message option.

You will need to add the SMTP Service Provider, add it as a Secondary Authentication provider, and enable it for Administrators. You can either require all Administrators to use 2FA, or you can let each Administrators choose whether or not to use it. Customers can choose whether or not to use it - you cannot require them to use it.

Getting Started

There are two System Configurations related to the feature. Log into your Administrative console, navigate to Settings -> Setup -> Configuration. Search for "2fa." There is a configuration titled, "Require Secondary Authentication (2FA) for Admin Users." Turn it ON and click the "Save" button if you are going to require all of your Administrators to use secondary authentication. Leave it OFF if you are going to allow Administrators to choose to use it.
configio.png

Adding the SMTP Service Provider

Log into your Administrative console, navigate to Settings -> Setup -> Services Manager. Select Services.
configio.png

Click the Add New button.
configio.png

Select the Configio Service Provider link.
configio.png

Select SMTP, (optionally) update the Title, and click the Save button.
configio.png

 

Adding a Secondary Authentication Provider

Return to Settings -> Setup -> Services Manager and click the Secondary Auth button.

 

Click the Add New button.
configio.png

Choose the SMTP Service Provider, input a Title, and click the Save button.
configio.png

Enabling/Disabling Two Factor Authentication for Admins

Return to Settings -> Setup -> Services Manager. Click the Two Factor Auth button in the Admin Authentication section.
configio.png

Switch the Allowed toggle from Inactive to Active. This will enable it. Switching back to Inactive will disable it.configio.png

Enabling/Disabling Two-Factor Authentication for Customers

Return to Settings -> Setup -> Services Manager. Click the Two Factor Auth button in the Customer Authentication section.
configio.png

Switch the Allowed toggle from Inactive to Active. This will enable it. Switching back to Inactive will disable it.
configio.png

The Customer's Experience - Setting-up Verification

Your customer will login as normal. If they go to the Account Settings page, they will see a link to Two-Factor Authentication.

configio.png
 
They can then click the "Add" button.
configio.png


Clicking it returns the Two-Factor Authentication page. Here, they can select the SMTP verification type (if necessary), input their email address, and click the "Send Code" button.
configio.png


They will then be sent an email message with a Verification Code, and they will be shown a screen to input that code and click the Verify button.
configio.png

If successful, there will now an Secondary Authentication Entry on that Admin Account, and the next time that they login, they will be asked to authenticated by text message. Note: If unsuccessful, they will have the opportunity to have the system send another text message with a new code.
configio.png

The Customer's Experience - Authenticating the Login

Your customer will login as normal. The system will send them a verification code, and they will see an additional screen to input the code and click the Verify button. If they don't want to go through the verification step again, then they also check "Trust this device." If the code doesn't work, they can click the "Send New Code" button.

Note : The "Trust this Device" feature works on a cookie. That cookie is for only that web browser, so if they login via another browser, then they will need to verify. Likewise, if they clear their cookies on the browser, they will need to verify. Cookies also can expire, and so they will need to re-verify if it does.
configio.png

After they Verify, they can use the Shopping Cart as usual.

The Customer's Experience - Managing Two-Factor Authentication

If your customer no longer wants two-factor authentication on their account, they manage that from the settings page. Clicking the delete icon will remove it.
configio.png

 

The Administrator's Experience - Setting-up Two-Factor Authentication

Your admin will login to the administrative console. They will go to Settings -> Setup -> Users and select the Edit Icon on their account.

configio.png
 
They will then click the Security button.
configio.png
 
They will then select the Add button.
configio.png
 
They will select (if necessary) SMTP as the verification type and select the "Send Code" button.
configio.png
 


They will then be sent a email with a Verification Code, and they will be shown a screen to input that code and click the Verify button.
configio.png

If successful, the Account will now be setup with Secondary Authentication. The next time that they login, they will be asked to authenticated by email message.
configio.png

 

The Administrator's Experience - Using Two-Factor Authentication

Your Administrator will login as normal. The system will send them a verification code, and they will see an additional screen to input the code and click the Verify button. If they don't want to go through the verification step again, then they also can check "Trust this device." If the code doesn't work, they can click the "Send New Code" button.

Note : The "Trust this Device" feature uses a cookie. That cookie is only for that web browser, so if they login via another browser, they will need to re-verify. Likewise, if they clear their cookies on the browser, they will need to re-verify. Cookies also can expire, and so they will need to re-verify if it does.
configio.png

After they verify, they can use the Administrative Console as normal.

The Administrator's Experience - Managing Two-Factor Authentication

Your Administrator can manage their two-factor authentication settings via the User Security page. The page can be accessed via the My Profile link in the upper-right hand menu.
configio.pngThen by clicking the Edit Icon on their Account.
configio.pngThen clicking the Security button.
configio.png

Here on the User Security page, they can remove Two-Factor Authentication. They can also re-add it here.
configio.png

Articles in this section

Was this article helpful?
0 out of 0 found this helpful