Two-Factor Authentication

Sana Commerce Cloud supports two-factor authentication (2FA) with a one-time password (OTP) for webstore customers.

Two-factor authentication (2FA) is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password. Then, the user is prompted for a second piece of information; in Sana's case this is a one-time password generated by an authenticator app on the user's mobile device. A password that has been guessed, phished or leaked is therefore not enough on its own to log in, which makes this stronger than single-factor authentication with only a username and password.

Enable Two-Factor Authentication

To enable two-factor authentication for webstore customers:

Step 1: Log in to Sana Admin and go to: Setup > Security.

Step 2: On the Passwords tab, in the Webstore security settings, enable the option Two-factor authentication with external app.

Connecting Shop Account to the Authenticator App

Any webstore customer can enable two-factor authentication for their account.

To enable two-factor authentication, a webstore customer must have an authenticator app on their mobile device, for example, Google Authenticator or Microsoft Authenticator. Use only trusted applications.

Step 1: Webstore customers can enable two-factor authentication in the webstore on the Login details page.

On the Login details page, customers can also disable two-factor authentication if it is enabled.

Step 2: When the customer enables two-factor authentication, the Account security page will open where they should see the QR code.

Step 3: The customer must open the authenticator app on their mobile device and scan the QR code. If for some reason the customer cannot scan the QR code, they can instead enter the secret key manually from the message above the QR code. After scanning the QR code or entering the secret key in the authenticator app, the customer clicks Continue.

Step 4: The customer is then prompted to enter the temporary security code (one-time password) generated in the authenticator app on their mobile device. The customer must enter the code and click Continue. This confirms that the app was set up with the correct secret before two-factor authentication is switched on.

Step 5: The recovery codes are shown. The customer must copy the recovery codes and store them in a safe place, then click Finish.

For more information, see Recovery Codes.

If everything is fine, the two-factor authentication status on the Login details page shows Enabled.

The next time a customer with two-factor authentication enabled logs in to the webstore, they must first enter their credentials and are then prompted to enter a verification code (one-time password) from the authenticator app.
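The setup and login flow above is standard time-based one-time passwords (TOTP, RFC 6238): the QR code carries an otpauth:// URI containing a shared secret, the authenticator app derives a short numeric code from that secret and the current 30-second time step, and the server recomputes the same code to check what the customer typed. The Python below is an added example written for this page, not Sana Commerce code. The parameters are assumptions (a 20-byte secret, HMAC-SHA1, 6 digits, a 30-second step, one step of tolerated clock skew, and the issuer name "Example Store"); they are the RFC defaults that Google Authenticator and Microsoft Authenticator apply when the URI omits them. The example also refuses a code that has already been accepted, since a verification code is valid only once.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode

# Assumed parameters (RFC 6238 defaults that common authenticator apps use
# when the otpauth URI omits them); not Sana's configuration.
TIME_STEP = 30      # seconds per code
DIGITS = 6
SKEW_STEPS = 1      # accept codes one step early or late to tolerate clock drift


def generate_secret(num_bytes: int = 20) -> str:
    """Fresh random shared secret, base32 without padding. This is the 'secret key'
    a customer types manually when the QR code cannot be scanned."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The URI encoded in the enrollment QR code (Key Uri Format read by authenticator apps)."""
    label = quote(f"{issuer}:{account}", safe="")
    params = urlencode({"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
                        "digits": DIGITS, "period": TIME_STEP})
    return f"otpauth://totp/{label}?{params}"


def _decode_secret(secret_b32: str) -> bytes:
    """Re-add base32 padding and decode; tolerates lowercase input."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP). This is what the app displays."""
    now = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), now // TIME_STEP)


def match_totp_step(secret_b32: str, submitted: str, at: Optional[int] = None,
                    window: int = SKEW_STEPS) -> Optional[int]:
    """Return the time step whose code equals `submitted` (within +/- window steps), else None.
    The comparison is constant-time so the check does not leak how many digits matched."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    now = int(time.time()) if at is None else at
    secret = _decode_secret(secret_b32)
    step = now // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), submitted):
            return step + delta
    return None


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None) -> bool:
    """Stateless check: is `submitted` the code for the current step or a neighbouring one?"""
    return match_totp_step(secret_b32, submitted, at) is not None


class OtpSession:
    """Server-side verification state for one account. A code is accepted only once:
    the step of the last accepted code is remembered and anything at or before it is refused."""

    def __init__(self, secret_b32: str) -> None:
        self.secret_b32 = secret_b32
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        step = match_totp_step(self.secret_b32, submitted, at)
        if step is None or step <= self.last_accepted_step:
            return False
        self.last_accepted_step = step
        return True


if __name__ == "__main__":
    secret = generate_secret()
    print("QR code content:", otpauth_uri(secret, "customer@example.com", "Example Store"))
    print("Current code   :", totp(secret))
```

Two design points worth noting: the secret must be generated server-side from a CSPRNG and stored protected like a credential, because anyone holding it can compute every future code; and the replay check in OtpSession is what makes a code single-use even though the same code stays mathematically valid for the whole 30-second step (plus the skew window).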

Recovery Codes

A recovery code is needed to log in to the Sana webstore if customers lose access to their authenticator app, for example, if they lose their phone. It is an alternative way to complete the second authentication step when the authenticator app cannot be used.

When customers connect their webstore accounts to the authenticator app, they get 8 recovery codes. Each code can be used once. Customers must copy the recovery codes and store them in a safe place.

If customers cannot access their authenticator app, they can enter one of the recovery codes instead of the verification code when logging in to the Sana webstore.

Every time customers use a recovery code, they see a warning about how many codes they have left. A recovery code only gets the customer logged in once; if they no longer have access to their authenticator app, they must reconfigure two-factor authentication for their account so that a working authenticator app is connected again.

Once customers have used 5 recovery codes and only have 3 left, a warning appears on their Login details page that they should generate new recovery codes so they do not lose access to their accounts.

On the Login details page, customers can generate new recovery codes at any time, no matter how many they have already used. Every time customers generate new recovery codes, they must copy them and keep them in a safe place.
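The recovery-code lifecycle described in this section, as an added example that is not Sana's implementation: a set of 8 single-use codes is issued and shown once, the server keeps only salted hashes, redeeming a code removes it and reports how many remain, the store flags when the customer should be warned (3 left, as on the page), and generating a new set replaces the unused codes. The code format, character alphabet, hashing scheme and work factor are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

CODE_COUNT = 8      # customers receive 8 codes
WARN_AT = 3         # warn the customer once only 3 remain
# Assumptions for this example, not Sana's format: 10 symbols from an alphabet
# without ambiguous characters (0/o, 1/l/i), shown as xxxxx-xxxxx; about 49 bits each.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
PBKDF2_ITERATIONS = 50_000   # illustrative; tune to the entropy of the codes and server budget


def _normalize(code: str) -> str:
    """Accept what a customer is likely to type: hyphens, spaces and letter case are ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _hash_code(code: str, salt: bytes) -> bytes:
    """Recovery codes are password-equivalent, so only a salted slow hash is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ITERATIONS)


def generate_recovery_codes(count: int = CODE_COUNT) -> List[str]:
    """Return `count` fresh random codes formatted as xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


class RecoveryCodeStore:
    """Server-side recovery-code state for one customer account."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: List[bytes] = []        # hashes of codes that have not been used yet

    def issue(self) -> List[str]:
        """Generate a new set, replacing any unused old codes. The plaintext is returned
        once so it can be shown to the customer and is never stored."""
        codes = generate_recovery_codes()
        self.salt = secrets.token_bytes(16)
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def remaining(self) -> int:
        return len(self.hashes)

    def needs_regeneration(self) -> bool:
        """True when the Login details page should warn the customer to generate new codes."""
        return self.remaining() <= WARN_AT

    def redeem(self, submitted: str) -> Optional[int]:
        """Consume one code. Returns the number of codes left, or None if the code is
        invalid or already used. Every stored hash is compared, in constant time."""
        candidate = _hash_code(submitted, self.salt)
        matched = -1
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                matched = i
        if matched < 0:
            return None
        del self.hashes[matched]
        return self.remaining()


if __name__ == "__main__":
    store = RecoveryCodeStore()
    shown_once = store.issue()
    print("Codes shown to the customer:", shown_once)
    print("Codes left after using one :", store.redeem(shown_once[0]))
    print("Warn to regenerate?        :", store.needs_regeneration())
```

Because a recovery code bypasses the authenticator app entirely, it should be treated like a password: generated from a CSPRNG, stored hashed, consumed on first use, and entered through the same rate-limited path as the verification code.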

System Pages

There are several system pages that are used in the Sana webstore for two-factor authentication, for example, the page to set up two-factor authentication or the one where customers enter the verification code.

You can find them in Sana Admin by searching for "two-factor authentication" at the following location: Web pages > System pages.

There are nine system pages:

  • Two-factor authentication general confirmation
  • Two-factor authentication login confirmation
  • Two-factor authentication login confirmation (closed store)
  • Two-factor authentication login with recovery code
  • Two-factor authentication login with recovery code (closed store)
  • Two-factor authentication recovery codes
  • Two-factor authentication setup
  • Two-factor authentication setup confirmation
  • Two-factor authentication spent recovery code alert

The pages are fully editable, which means you can change their content.

You can change the default texts, position the content elements differently, or add other content. But don't remove content elements that are specific to a particular feature, such as fields, buttons, etc., as they can be necessary for the functionality to work correctly. If you remove something by mistake, you can always revert the page to its default state.

Good to Know

  • The verification code (one-time password) can be used only once. The next time customers log in to the webstore, a new code will be generated in the authenticator app.
  • Two-factor authentication is used to log in to the webstore and to change sensitive user data such as e-mail and password.
  • The two-factor authentication flow is protected against brute-force attacks, so an attacker who knows the password cannot simply try every possible verification code.