Introduction
The Services Manager allows you to setup and manage external service providers. One service is two-factor authentication (2FA). This adds a layer of security. It can be added for administrators and/or customers. It can be done via email messages, text messages, or an authenticator app on a mobile phone. This article covers the email message option.
You will need to add the SMTP Service Provider, add it as a Secondary Authentication provider, and enable it for Administrators. You can either require all Administrators to use 2FA, or you can let each Administrators choose whether or not to use it. Customers can choose whether or not to use it - you cannot require them to use it.
Getting Started
There are two System Configurations related to the feature. Log into your Administrative console, navigate to Settings -> Setup -> Configuration. Search for "2fa." There is a configuration titled, "Require Secondary Authentication (2FA) for Admin Users." Turn it ON and click the "Save" button if you are going to require all of your Administrators to use secondary authentication. Leave it OFF if you are going to allow Administrators to choose to use it.
Adding the SMTP Service Provider
Log into your Administrative console, navigate to Settings -> Setup -> Services Manager. Select Services.
Click the Add New button.
Select the Configio Service Provider link.
Select SMTP, (optionally) update the Title, and click the Save button.
Adding a Secondary Authentication Provider
Return to Settings -> Setup -> Services Manager and click the Secondary Auth button.
Click the Add New button.
Choose the SMTP Service Provider, input a Title, and click the Save button.
Enabling/Disabling Two Factor Authentication for Admins
Return to Settings -> Setup -> Services Manager. Click the Two Factor Auth button in the Admin Authentication section.
Switch the Allowed toggle from Inactive to Active. This will enable it. Switching back to Inactive will disable it.
Enabling/Disabling Two-Factor Authentication for Customers
Return to Settings -> Setup -> Services Manager. Click the Two Factor Auth button in the Customer Authentication section.
Switch the Allowed toggle from Inactive to Active. This will enable it. Switching back to Inactive will disable it.
The Customer's Experience - Setting-up Verification
Your customer will login as normal. If they go to the Account Settings page, they will see a link to Two-Factor Authentication.
Clicking it returns the Two-Factor Authentication page. Here, they can select the SMTP verification type (if necessary), input their email address, and click the "Send Code" button.
They will then be sent an email message with a Verification Code, and they will be shown a screen to input that code and click the Verify button.
If successful, there will now an Secondary Authentication Entry on that Admin Account, and the next time that they login, they will be asked to authenticated by text message. Note: If unsuccessful, they will have the opportunity to have the system send another text message with a new code.
The Customer's Experience - Authenticating the Login
Your customer will login as normal. The system will send them a verification code, and they will see an additional screen to input the code and click the Verify button. If they don't want to go through the verification step again, then they also check "Trust this device." If the code doesn't work, they can click the "Send New Code" button.
Note : The "Trust this Device" feature works on a cookie. That cookie is for only that web browser, so if they login via another browser, then they will need to verify. Likewise, if they clear their cookies on the browser, they will need to verify. Cookies also can expire, and so they will need to re-verify if it does.
After they Verify, they can use the Shopping Cart as usual.
The Customer's Experience - Managing Two-Factor Authentication
If your customer no longer wants two-factor authentication on their account, they manage that from the settings page. Clicking the delete icon will remove it.
The Administrator's Experience - Setting-up Two-Factor Authentication
Your admin will login to the administrative console. They will go to Settings -> Setup -> Users and select the Edit Icon on their account.
They will then be sent a email with a Verification Code, and they will be shown a screen to input that code and click the Verify button.
If successful, the Account will now be setup with Secondary Authentication. The next time that they login, they will be asked to authenticated by email message.
The Administrator's Experience - Using Two-Factor Authentication
Your Administrator will login as normal. The system will send them a verification code, and they will see an additional screen to input the code and click the Verify button. If they don't want to go through the verification step again, then they also can check "Trust this device." If the code doesn't work, they can click the "Send New Code" button.
Note : The "Trust this Device" feature uses a cookie. That cookie is only for that web browser, so if they login via another browser, they will need to re-verify. Likewise, if they clear their cookies on the browser, they will need to re-verify. Cookies also can expire, and so they will need to re-verify if it does.
After they verify, they can use the Administrative Console as normal.
The Administrator's Experience - Managing Two-Factor Authentication
Your Administrator can manage their two-factor authentication settings via the User Security page. The page can be accessed via the My Profile link in the upper-right hand menu.
Then by clicking the Edit Icon on their Account.
Then clicking the Security button.
Here on the User Security page, they can remove Two-Factor Authentication. They can also re-add it here.