Multifactor Authentication (MFA) for Admin Users
Overview
Multifactor Authentication (MFA) is an easy-to-implement, simple-to-manage tool that reduces the likelihood that an Aspenware Admin user’s credentials can be co-opted by a “bad actor”. Multifactor Authentication requires that to access the admin functions in Aspenware Commerce, the admin user must supply a secondary factor after the primary factor (password) to prove identity.
When you deploy Version 2.28 or greater, MFA will be integral to the software. We suggest that in the days or week before installation, you advise your admin-level users to install an authenticator app on their mobile device.
NOTE: There are many authenticator apps available. Admin staff could use Authy by Twilio, Google Authenticator, Microsoft Authenticator or any other authenticator that they have already installed.
Why is this needed?
Your staff is human. While they are your greatest asset, they can also be the weakness in your security perimeter.
FACT: 81% of data breaches involve weak or stolen credentials
FACT: 73% of passwords are duplicates.
FACT: 17% of passwords are literally “123456”.
FACT: 91% of phishing attacks target credentials.
To reduce the impact of phishing attacks and meet a growing list of compliance requirements (PCI, HIPAA, NYDFS, NIST, and more), you need an authentication solution that does not rely on a password alone.
Activation
The first time a logged-in admin user clicks on the ADMINISTRATION button an email is automatically generated, which includes the code that must be entered in the SetUp MFA Security window below. Upon entering the code, and clicking ENABLE MFA, a QR Code will appear on the computer screen, which the user can capture to set up access in any Authenticator App.
This auto-generated email includes the 6-digit code.
Once the code is entered, the following screen with a QR code will appear.
Staff members can then use their cell phones to scan the QR code into any authenticator app to complete the setup.
Access
After Multifactor Authentication (MFA) has been activated, each time an admin level user attempts to access administrative functions, the user will be asked to authenticate.
MFA will be triggered by clicking on the ADMINISTRATION button in the MY ACCOUNT menu, or by attempting to access any URL that contains /admin (e.g. https://yourdomain.com/admin).
The user is presented with this window, and has three options in how they choose to respond:
1. Using their authenticator app, staff can enter a valid code, and gain access to the admin functions each time they sign in.
2. If staff members prefer not to use an authenticator app, they can click to receive a verification code by email, enter that code, and gain access to the admin functions. The following message will appear in the upper right-hand corner of the screen. Note that the email can take a moment or two to appear depending on how the email server is configured.
3. If a staff member obtains a new phone and needs to set up MFA on a new device, they can reconfigure MFA by clicking “Click here to reset.”
Error Messages
By design, codes expire quickly. If you are not entering the code supplied in the most recent email, or if you have waited longer than 10 minutes from the time the email was generated to enter the code, you will see this error message. Generate a new code in your authenticator app, or click on one of the links in the window to gain access.
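The Activation, Access and Error Messages sections above describe the standard pattern behind most authenticator-app MFA: the QR code carries a shared secret, the app derives a fresh 6-digit code from that secret and the current time, and the server accepts only codes from the current time step (plus a small tolerance), while an emailed fallback code is valid for a short fixed window and for one use only. The following Python is an added illustration of that pattern and is not Aspenware's code; it assumes RFC 6238 defaults (30-second steps, 6 digits, SHA-1), a tolerance of one step either side, the 10-minute email-code lifetime stated above, and uses the RFC 6238 published test key as its constructed secret.

```python
"""Added example (not Aspenware's implementation): how authenticator-app codes
and short-lived emailed codes are produced and checked.
Assumptions: RFC 6238 TOTP with 30-second steps, 6 digits, SHA-1, +/-1 step
tolerance, and a 10-minute lifetime for emailed codes."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6
EMAIL_CODE_TTL_SECONDS = 10 * 60   # emailed codes expire after 10 minutes

# Constructed secret: the ASCII key from RFC 6238's test vectors, base32-encoded.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret() -> str:
    """Random 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the setup-screen QR code encodes."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: str, at: int) -> str:
    """The code an authenticator app shows at Unix time `at`."""
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    which tolerates small clock skew while still expiring codes quickly."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class EmailCodeStore:
    """Emailed fallback codes: only the most recently issued code for a user
    is valid, it expires after EMAIL_CODE_TTL_SECONDS, and it is single use."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, int]] = {}  # user -> (code, issued_at)

    def issue(self, user: str, now: int) -> str:
        code = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self._codes[user] = (code, now)   # replaces any earlier code
        return code

    def redeem(self, user: str, code: str, now: int) -> bool:
        entry = self._codes.get(user)
        if entry is None:
            return False
        stored, issued_at = entry
        if now - issued_at > EMAIL_CODE_TTL_SECONDS:
            self._codes.pop(user)         # expired: force a fresh email
            return False
        if not hmac.compare_digest(stored, code):
            return False
        self._codes.pop(user)             # single use
        return True


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "admin@example.com", "Aspenware Commerce"))
    now = int(time.time())
    print("current code:", totp(secret, now),
          "valid:", verify_totp(secret, totp(secret, now), now))
```

The constant-time comparison and the single-use, most-recent-only rules in `EmailCodeStore` are what produce the behaviour the Error Messages section describes: an older email's code, or one entered after 10 minutes, is rejected even though it was once correct.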
MFA Session Expiration
Resorts have the option of customizing the length of a valid MFA session. The default setting is 720 minutes (12 hours). Resorts should consider that if a session expires before work has been saved, that work will be lost. For that reason, don’t make the validity period too short. Check with your system admins, and set a session length that reflects their typical work style.
Resorts wishing to modify the session length should reach out to their Aspenware Service Rep to complete this modification.
Frequently Asked Questions
Q: Can I turn MFA off?
A: No, MFA is integral to Aspenware Commerce with Version 2.28 and later. We designed it so it is minimally intrusive, and never affects customer logins.
Q: What do I have to do before I launch MFA?
A: Nothing. All of your current “admin” level users will be prompted to configure MFA the first time they log in. It will be most convenient if they have already selected and installed an authenticator app on their mobile device, but it is not required.
Q: Do I have to have a mobile phone to use this?
A: No. Using MFA with an authenticator app is the easiest way to gain access, but where staff members don't have a mobile device, where a location doesn’t have reliable cellular service, or where a resort doesn’t allow staff to use mobile devices, users can receive valid access codes by email instead.
Q: Are there any Best Practices we should consider?
A: Yes, please consider the following best practices.
First and foremost, NEVER REUSE A PASSWORD. Each password for each different site and app must be unique. If you use the same password for your email account that you use to log into Aspenware Commerce, and your credentials are compromised, you double the potential damage!
Passwords should be complex and include a combination of capital and lower case letters, numerals, and special characters. Use a password generator to create a secure password, and a password manager such as LastPass to store and manage complex passwords.
Update your passwords regularly, and immediately if you suspect they have been compromised.
Limit admin-level users to email addresses on your own domain that you have assigned to the employee. Do not assign admin privileges to user names or email addresses that are publicly accessible, such as Mailinator addresses. Because the email fallback delivers access codes to the user’s mailbox, secure email addresses are critical to making your MFA implementation successful.
Q: I have seasonal employees that have configured MFA. How do I limit their access off-season or after they leave?
A: In Nop admin, in their customer details, remove the “admin”, “Administrator”, etc. roles. See the Configuration: Customer Roles documentation for information on how to do this. This will remove their ability to access those portions of your site. If they return the following season, reapply those roles, and their existing MFA will reactivate. They can also reset MFA if they have a new phone or email address.