
On this page, we analyze the feature of Two Factor Authentication (2FA) mechanism along with its functionality and the way you can enable it in your BSS platform.

Two-Factor Authentication (2FA) via Email enables BSS administrators to offer BSS users an extra, user-friendly layer of protection during login, strengthening the security of the platform and the privacy of user accounts. With 2FA, a user must present two different identity verification factors to confirm their identity, adding a second layer of security beyond the password. The feature also gives users greater control over their authentication preferences, in line with the need for customizable security measures in your digital systems.


Note

Mandatory Two-Factor Authentication (2FA) in BSS After April 15, 2024

The goal is to bolster security and protect user accounts by requiring an additional layer of verification during local login. What you need to know is the following:

  • Grace Period for Existing Organizations: For existing organizations, with the 3.28.138 release, 2FA is enforced from April 15, 2024. This means that there is no grace period for existing organizations.

  • Grace Period for New Organizations: When a new BSS organization is established, Two Factor Authentication (2FA) is inactive by default and the grace period for setting up 2FA and getting BSS users accustomed to it begins. The grace period for new organizations is 60 days and is calculated as follows:

    grace period = new organization creation date + 60 days

    The same grace period applies when a new Tenant organization is created, regardless of the choices the Root/Parent organization to which the Tenant belongs has made.

Therefore, before the 15th of April 2024, BSS users can continue using their local login credentials without 2FA. However, we strongly encourage everyone to enable 2FA promptly. After the 15th of April 2024, when the grace period ends (in particular for existing organizations), the 2FA login mechanism becomes mandatory for all BSS users and the 2FA toggle option (located under BSS Setup > Administration > System Options > Authentication Options) will disappear.

If an existing or new organization, either Root or Tenant, wants to extend the grace period, they can request it from our Support Team.


Enabling the 2FA Mechanism


You can enable the 2FA mechanism from within the BSS platform by navigating to BSS Setup > Administration > System Options > User Authentication > Authentication Options and clicking the BSS Options -> Two Factor Authentication (2FA) toggle button (1), which is inactive by default. After enabling the toggle, you must save the change by clicking the Save button (2); otherwise, the 2FA mechanism will not be enabled.


Once you have enabled the 2FA toggle button for the BSS platform and saved the change, the 2FA Email Notification is also enabled automatically. However, the notification is not deactivated when the Two Factor Authentication (2FA) toggle is deactivated; to deactivate it, you must go to BSS Setup > Administration > Notifications > Customer Notifications and do so manually.

Moreover, if you wish to customize the 2FA Email Notification according to your needs and business image, you can do so either by clicking at the end of the “You can edit the BSS 2FA notification email body, by clicking here” text or by navigating to BSS Setup > Administration > Notifications > Customer Notifications and selecting first the User Directory group and then the ‘Cloud Platform 2FA Verification Code’ notification, where you can view the systemic Email notification. Once you have completed your edits, you must save them by clicking the Save button; otherwise, the changes to the 2FA notification will not be applied.



Once you have enabled the 2FA mechanism and its respective notification in your BSS platform, you can customize, according to your needs and business image, the notification/verification template of the email that is dispatched to your users each time they log into the platform with their credentials.

Note

2FA Requires Accessible & Valid Emails

The platform assumes that the email addresses provided by BSS users are real and accessible. This ensures that, once both the 2FA (Two-Factor Authentication) mechanism and the respective Email notification are enabled, users can actually receive the verification codes and notifications the system sends by email.

Logging into BSS with 2FA


The classic login method in the BSS platform remains the same; the 2FA security step enriches it. Specifically, the BSS user enters the credentials required for logging in: the client ID, username and password, or, if a URL with an alias is used, only the username and password. Whether the user has organization Administrative rights or is a regular user, they go through the 2FA authentication procedure during login with local credentials whenever it is enabled*.

Info

* Single Sign On & 2FA

When the BSS user has an external Single-Sign-On (SSO) system enabled, such as Azure AD or Azure AD B2C (OIDC) or Google, as their method of authentication, then the process with the 2FA verification does not apply.

Once the BSS user clicks the login button and passes the existing credentials verification, two actions occur:

  1. A pop-up window opens, requesting the 2FA Verification Code.

  2. An email is dispatched to the email address of the user's BSS account.

Verification Code Pop-up

In the pop-up window that appears, the BSS user is requested to enter the six-digit verification code they received by email. The email address to which the verification code is sent is, of course, that of the user attempting to log in.
For extra security and historical purposes, the email address of the BSS user attempting to log in is the one recorded under BSS Setup > Administration > Personal Setup > Profile.

Inside the verification pop-up window, the BSS user sees the Verification code field, in which the 6-digit verification code dispatched to their email address must be entered. The code is visible as the BSS user types it. The field accepts only numbers and no more than 6 characters.

There are two main scenarios concerning the Verification code field:

  • Valid Verification Code: When the active verification code is inserted into the verification field, and the Verify and Log In button is clicked, then the BSS user is successfully logged in and is redirected to the BSS Home Page.

  • Invalid Verification Code: In this scenario, three reasons can invalidate the verification process; they are analyzed below:

    • When the BSS user leaves the Verification code field blank and clicks Verify and Log In, the following error message appears:

    • When a code different from the one sent in the email notification is entered and the Verify and Log In button is clicked, the following message appears:

    • When the BSS user attempts to enter the verification code after it has expired, which occurs after 5 minutes** or after 10 attempts, the following message is displayed:

Info

** Verification Code Validity Period

To ensure security, verification codes have a limited validity period of five minutes, after which they expire. If the email verification code expires, users must request a new code by selecting the Resend button. Also, after more than 10 attempts to submit the verification code, the last generated code expires and the user must request a new one by selecting the Resend button.

For cases such as the one above, where the verification code has expired, the verification pop-up window offers a Resend option. This button is typically used when a BSS user needs the previously sent verification email to be sent again, either because the code has expired or because the email was not received in time. Please note that, to prevent misuse, each verification code is single-use only: once it has been used, the code is invalidated. Lastly, when the BSS user clicks the Resend button, an informative message appears stating that a new email has been dispatched.
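The code-handling rules described above (a six-digit numeric code, five-minute expiry, invalidation after more than 10 attempts, single use, and Resend replacing the previous code) can be enforced by a small server-side verifier. The following is an added example written for this page, not the BSS platform's own implementation; the `TwoFactorVerifier` class, its result strings and the injectable clock are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 5 * 60  # a code expires five minutes after it is issued
MAX_ATTEMPTS = 10          # more than ten submissions invalidates the code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class TwoFactorVerifier:
    """Hypothetical server-side store of pending 2FA email codes, keyed by user id."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._pending: dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        # Six random decimal digits. Issuing again (the Resend button) replaces any
        # earlier code for this user, so only the latest code can ever be accepted.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingCode(code, self._clock())
        return code

    def verify(self, user: str, submitted: str) -> str:
        """Return 'ok', 'blank', 'invalid' or 'expired' for one submission."""
        pending = self._pending.get(user)
        if pending is None or pending.used:
            return "expired"       # no live code: already used, or never issued
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]
            return "expired"       # five-minute validity period has passed
        if submitted == "":
            return "blank"         # matches the empty-field error in the pop-up
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user]
            return "expired"       # too many tries: the user must press Resend
        if len(submitted) == 6 and submitted.isdigit() \
                and hmac.compare_digest(pending.code, submitted):
            pending.used = True    # single use: the same code cannot be replayed
            return "ok"
        return "invalid"
```

The comparison uses a constant-time check and the code is only ever generated from a cryptographically secure source, which is what a practitioner should expect from any email-code 2FA implementation.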

Verification Email from the 2FA Mechanism


After the user fills in their BSS local credentials to log in to the BSS platform, a system-generated email notification is dispatched to the user's predefined email address containing the 2FA verification code.

Info

This notification is located under BSS Setup > Administration > Notifications > Customer Notifications > User Directory > Cloud Platform 2FA Verification Code.

The following email notification template is used:

Concerning the To: {#Directory.Mail#Email#} email field: when this field is left empty, the notification is automatically sent to the email address associated with the account, {#Directory.Mail#Email#}. If a merge field for the recipient is set in the To: field, that merge field takes precedence.

Of course, BSS administrators can customize, as previously mentioned, the email body to fit their business requirements.

The final 2FA notification email that is dispatched to the email address of the BSS user looks like the following example:


🔹 For the Two Factor Authentication (2FA) in the Storefront, please check the Local Login in Storefront With Two Factor Authentication (2FA) page!