Sana Admin Access: Device Verification
Using device verification on the Sana Admin login page adds a layer of security and safeguards against unauthorized access and cyber threats. Sana Admin contains critical, sensitive information, and unauthorized access to it could lead to significant breaches and financial losses. Device verification ensures that only users with known devices are allowed to access Sana Admin, which reduces the likelihood of cyberattacks or data breaches.
Sana Commerce Cloud can verify the devices of users who log in to Sana Admin. Device verification is based on specific client information. If this information changes, for instance, due to software updates, Sana Commerce Cloud may identify the device as new again.
This feature does not work for Sana Admin users with two-factor authentication enabled.
Enable Device Verification
To enable device verification as an extra layer of security, in Sana Admin click: Setup > Security. On the Login & Passwords tab, see the Login with unknown device setting. The available options are:
- Notifications disabled
- Notification for login with unknown device
- Verification for login with unknown device
Notifications Disabled
If you select the Notifications disabled option, all previously verified devices for all Sana Admin users will be removed, and all devices will be treated as unknown.
If you have several webstores, selecting the Notifications disabled option on one webstore removes all verified devices for all Sana Admin users on all webstores. On the webstores where this option is selected, the device verification process will start over again.
Notify Users When They Log in to Sana Admin from an Unknown Device
To notify users about logging in to Sana Admin from an unknown device, select the Notification for login with unknown device option. If this option is selected, an e-mail is sent to Sana Admin users notifying them that a login attempt was made from an unknown device. A user can still log in to Sana Admin without confirming the device. If this is a suspicious login attempt, the user can reset the password using the link in the e-mail. The link is available for 24 hours. When the user resets the password using the link, the unknown device is removed.
E-mail template: Unknown device/browser detected
Request Device Confirmation When Logging In to Sana Admin from an Unknown Device
You can add an extra level of security using the Verification for login with unknown device option. By selecting this option, you force Sana Admin users to confirm their devices. This means that when a login attempt is made from an unknown device, users can log in to Sana Admin only after confirming the device.
In this case, an e-mail is sent to the user notifying them that a login attempt was made from an unknown device. To log in to Sana Admin, the user must confirm the device by clicking the link in the e-mail. Clicking the link confirms the device and automatically logs the user in to Sana Admin. If this is a suspicious login attempt, the user can reset the password. The link is available for 24 hours. When the user resets the password using the link, the unknown device is removed.
If a user’s initial verification link expires before they can verify their device, Sana Commerce Cloud will automatically send a new verification link by e-mail the next time the user attempts to log in to Sana Admin.
E-mail template: A sign-in attempt from new device
Known Devices
All verified devices of the Sana Admin users are shown in their profiles on the Login & security tab. In Sana Admin click: System > User management. Open the user details.
A user can remove verified devices. When a device is removed, the user's login session on that device is terminated, and the user has to log in to Sana Admin again.
The verified devices can be sorted by the last login date.
A user with the System Administrator role can see the verified devices of other users. Users with other roles can see only their own verified devices.