Two-Factor Authentication
Sana Commerce Cloud supports two-factor authentication (2FA) with a one-time password (OTP) for internal Sana Admin users. This article is about two-factor authentication for internal Sana Admin users only. If you use external users who log in to Sana Admin with their Microsoft account using single sign-on, you can enable Microsoft Entra multifactor authentication.
Two-factor authentication (2FA) is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password. Then, the user is prompted to provide another piece of information, in our case it is a one-time password generated in the authentication app on the user’s mobile device. This provides a higher level of security than authentication methods based on single-factor authentication using only username and password.
Enable Two-Factor Authentication
To enable two-factor authentication for internal Sana Admin users:
Step 1: Log in to Sana Admin and go to: Setup > Security.
Step 2: In the Admin security settings, enable the option Two-factor authentication with external app.
If you have multiple webstores, this setting is global for all your webstores. This means that enabling / disabling this setting for one webstore will result in its enabling / disabling for all your webstores.
Connect Your Sana Admin Account to the Authenticator App
Any internal Sana Admin user can enable two-factor authentication for their account. You cannot enable two-factor authentication for other accounts. To enable two-factor authentication, a user must be logged in to Sana Admin.
To enable two-factor authentication for your Sana Admin account, you must have an authenticator app on your mobile device, for example, Google Authenticator or Microsoft Authenticator. Use only trusted applications.
Step 1: Log in to Sana Admin and at the top click account and then Edit profile.
Step 2: If two-factor authentication is enabled, you should see the Two-factor authentication section on your profile page. Click Add two-factor application.
The pop-up window will open where you should see the QR code.
Step 3: Open the authenticator app on your mobile device and scan the QR code. If for some reason you cannot scan the QR code, you can also enter the secret key manually from the message above the QR code. After scanning the QR code or entering the secret key in the authenticator app, click Next in the Add two-factor application pop-up window in Sana Admin.
Step 4: You will be prompted to enter the temporary secret code generated in the authenticator app on your mobile device. Enter the one-time password and click Finish.
Step 5: After clicking Finish, you will see the recovery codes. Copy the recovery codes and store them in a safe place.
For more information, see Recovery Codes.
If everything is fine, the two-factor authentication status on your profile page must be Enabled.
Next time you log in to Sana Admin, you must first enter your credentials and then you will be prompted to enter a verification code (one-time password) from the authenticator app.
Recovery Codes
A recovery code is needed to log in to Sana Admin if you lose access to your authenticator application, for example, if you lose your phone. It provides an alternative method to verify your two-factor authentication if you cannot access your authenticator app.
When you connect your Sana Admin account to the authenticator app, you get 8 recovery codes. Each code can be used once. Copy the recovery codes and store them in a safe place.
You can use one of these recovery codes when logging in to Sana Admin, and if you cannot access your authenticator app for some reason.
Every time you use a recovery code, you see a warning about how many codes you have left and that if you cannot access your authenticator app, you need to reconfigure two-factor authentication for your account.
Once you have used 5 recovery codes and only have 3 left, there will be a warning on your profile page that you should generate new recovery codes to not lose access to your account.
On your profile page, you can generate new recovery codes at any time, no matter how many you have already used. But do not forget to copy new recovery codes and keep them in a safe place.
Good to Know
- The verification code (one-time password) can be used only once. The next time you log in to Sana Admin, a new code will be generated in the authenticator app.
- Two-factor authentication is used to log in to Sana Admin and to change sensitive user data such as e-mail and password.
- It is protected against the brute-force attacks.