Managing Two Factor Authentication

Introduction

The Two-Factor Authentication (2FA) for both the Admin Console and the Storefront in Znode adds an additional layer of security beyond the traditional username and password. With 2FA, users are required to verify their identity using the one-time password (OTP) sent via email before gaining access.

The primary purpose of enabling 2FA in Znode is to enhance account and data security by ensuring that only authorized users can access the platform. For the Admin Console, it helps prevent unauthorized administrative actions such as configuration changes, data manipulation, or user management by compromised accounts. For the Storefront, it safeguards customer accounts, personal information, and order details from unauthorized access. 

By implementing 2FA, Znode aligns with modern security standards and compliance requirements, minimizes potential security breaches due to weak or stolen passwords, and strengthens overall platform trust and integrity for both merchants and end users.

Enabling Two Factor Authentication for the Admin Console

Navigate To: System Settings > Global Settings > Two Factor Authentication Settings

Setting | Description
Enable Two-Factor Authentication (Admin Console) | Selecting 'Yes' in this field enables two-factor authentication for the Admin Console.
Two Factor Authentication Code Timeout - In Seconds | In this field, the administrator can specify the time (in seconds) after which an authentication code expires.
Two Factor Authentication Session Timeout - In Seconds | In this field, the administrator can define how long a two-factor authentication session remains valid before re-authentication is required.
Limit on Consecutive Failed Attempts (2FA) | This field defines the maximum number of consecutive failed 2FA attempts permitted before the account is temporarily locked for the time configured below.
Temporary Lockout Period (2FA) - In Minutes | In this field, the administrator can define the duration (in minutes) for which the account will be locked after exceeding the maximum number of failed 2FA attempts.

By configuring the above fields and entering the required values, Two-Factor Authentication (2FA) can be enabled for the Admin Console.

Admin Console Login

  • Once this setting is enabled, administrators are required to complete the 2FA verification process during login. 
  • Once the administrator enters their ID and password, the system generates a one-time verification code and sends it to the registered email address. 
  • The administrator is then prompted to enter the 6-digit verification code to proceed with the login.
  • On the second screen, the registered email address is displayed in a masked format for security purposes.
  • The number of allowed incorrect verification attempts is determined by the value configured in the “Limit on Consecutive Failed Attempts (2FA)” field. 
  • If the administrator exceeds the allowed number of failed attempts, the account will be temporarily locked for the duration specified in the “Temporary Lockout Period (2FA) – In Minutes” field.
  • Upon entering the correct verification code, the administrator is redirected to the Admin Dashboard.
  • The verification code is randomly generated and consists of numeric characters only.

Enabling Two Factor Authentication for a Storefront

Navigate To: Stores > Manage Stores > Additional Attributes > Two Factor Authentication Settings tab

Setting | Description
Enable Two-Factor Authentication (Admin Console) | Selecting 'Yes' in this field enables two-factor authentication for the admin console.
Two Factor Authentication Code Timeout - In Seconds | In this field, the administrator can specify the time (in seconds) after which an authentication code expires.
Two Factor Authentication Session Timeout - In Seconds | In this field, the administrator can define how long a two-factor authentication session remains valid before re-authentication is required.
Limit on Consecutive Failed Attempts (2FA) | This field defines the maximum number of consecutive failed 2FA attempts permitted before the account is temporarily locked for the time configured below.
Temporary Lockout Period (2FA) - In Minutes | In this field, the administrator can define the duration (in minutes) for which the account will be locked after exceeding the maximum number of failed 2FA attempts.

By configuring the above fields and entering the required values, Two-Factor Authentication (2FA) can be enabled for the Storefront.

Storefront Login

  • Once this setting is enabled, buyers are required to complete the 2FA verification process during login. 
  • Once the buyers enter their ID and password, the system generates a one-time verification code and sends it to the registered email address. 
  • The buyers are then prompted to enter the 6-digit verification code to proceed with the login.
  • On the second screen, the registered email address is displayed in a masked format for security purposes.
  • The number of allowed incorrect verification attempts is determined by the value configured in the “Limit on Consecutive Failed Attempts (2FA)” field. 
  • If a buyer exceeds the allowed number of failed attempts, the account will be temporarily locked for the duration specified in the “Temporary Lockout Period (2FA) – In Minutes” field.
  • Upon entering the correct verification code, the buyer is redirected to the landing page of the storefront.
  • The verification code is randomly generated and consists of numeric characters only.

Resending a new code

  • Conditional Display of "Resend Code" Option:
    • The "Resend Code" link or button is not visible immediately upon reaching the two-factor authentication screen.
    • It becomes visible only after the user either attempts to enter the initial code or indicates that the verification email was not received.
  • Cooldown Period Between Requests:
    • A minimum cooldown period (e.g., 30 seconds) is enforced between consecutive resend requests.
    • During this period, the "Resend Code" button is disabled or hidden, and optionally displays a countdown timer to indicate when the next request can be made.
  • Code Invalidation Policy:
    • When a new verification code is requested, it immediately invalidates all previously issued codes.
    • Only the most recently generated code should be accepted for validation, ensuring that a user can’t log in using an older or expired code.

  • Session Activity Check
    • When the user is idle after login, the system periodically verifies whether the user's session is still active.
    • On every new login attempt, the application checks the value of the configuration flag Enable Two-Factor Authentication to determine if the user must complete the 2FA process as part of the login flow.
  • "Remember Me" Feature
    • A checkbox labeled "Remember Me" is available during the 2FA step.
    • When selected, the current device is trusted and exempted from repeated 2FA prompts for future logins, based on the number of days defined in the configuration parameter: 2FA Validity Period.
    • After the configured period expires, the user will be prompted to complete 2FA again on that device.

  • Email Notifications for 2FA
    • Users receive specific email notifications during the 2FA process:
      • First-time Login Verification: Triggered when a verification code is sent for the first time during login.
        • Email Template: 2FAVerificationCode - #StoreCode#
        • Subject Line: Your Verification Code
        • Description: It is used to send a verification code when attempting to log in.
      • Resend Code Request: Triggered when a user requests a new verification code after the initial one.
        • Email Template: 2FANewVerificationCode - #StoreCode#
        • Subject Line: Your New Verification Code
        • Description: It is used to resend a verification code.
    • In case of invalid SMTP details, the email notifications will not be triggered.
  • Forgot Password
    • After a user completes the password reset process, a message confirms that the password reset was successful.
    • The user is then redirected to the Login Page.
    • Upon logging in with the new password, the user is required to complete Two-Factor Authentication (2FA) before being granted access to the Storefront.
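To make the interaction of the settings above concrete, the following added example (not Znode's own code) models the code timeout, consecutive-failure limit, temporary lockout, resend cooldown and invalidation of earlier codes in one verifier. The class and field names are assumptions, the clock is injectable so the timing rules can be exercised, and the example reads "Limit on Consecutive Failed Attempts" as locking on the Nth consecutive failure.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class TwoFactorSettings:
    """Mirrors the 2FA settings described in this article (names assumed)."""
    code_timeout_s: int = 300        # Two Factor Authentication Code Timeout - In Seconds
    max_failed_attempts: int = 5     # Limit on Consecutive Failed Attempts (2FA)
    lockout_minutes: int = 15        # Temporary Lockout Period (2FA) - In Minutes
    resend_cooldown_s: int = 30      # cooldown between "Resend Code" requests

@dataclass
class TwoFactorState:
    code: Optional[str] = None       # only the most recently issued code is kept
    issued_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0

class TwoFactorVerifier:
    def __init__(self, settings: TwoFactorSettings, now: Callable[[], float] = time.time):
        self.settings, self.now, self.state = settings, now, TwoFactorState()

    def issue_code(self) -> str:
        """Generate a 6-digit numeric code; issuing a new one invalidates the old one."""
        s = self.state
        if s.code is not None and self.now() - s.issued_at < self.settings.resend_cooldown_s:
            return "cooldown"        # "Resend Code" stays disabled during the cooldown
        s.code = f"{secrets.randbelow(10**6):06d}"   # numeric characters only
        s.issued_at = self.now()
        return "sent"

    def verify(self, submitted: str) -> str:
        s, t = self.state, self.now()
        if t < s.locked_until:
            return "locked"          # lockout period still running
        if s.code is None or t - s.issued_at > self.settings.code_timeout_s:
            return "expired"         # code timeout elapsed (or no live code)
        if secrets.compare_digest(submitted, s.code):
            s.code, s.failed_attempts = None, 0   # single use; reset the failure counter
            return "ok"
        s.failed_attempts += 1
        if s.failed_attempts >= self.settings.max_failed_attempts:
            s.locked_until = t + self.settings.lockout_minutes * 60
            s.failed_attempts, s.code = 0, None   # discard the code during the lockout
            return "locked"
        return "invalid"
```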

SMTP Settings

  • When the administrator enables the “Enable Two-Factor Authentication” setting for the Admin Console or the Storefront, SMTP configuration becomes mandatory for the setup.
  • To configure the SMTP settings, navigate to: Stores > Manage Stores > SMTP tab

Setting | Description
SMTP Port | The administrator can enter the port number for the SMTP server in this field. Common SMTP ports include 25 (default), 587 (secure), and 465 (SSL).
SMTP Server | The administrator can enter the domain name or IP address of the SMTP server. This server will be responsible for sending emails.
SMTP Server User Name | The administrator can enter the username associated with the SMTP server. This is typically the email address or an application-specific username provided by the email service provider.
SMTP Server Password | The administrator can set the password for the SMTP server user.
From Display Name | The administrator can enter the display name shown as the sender.
From Email Address | The administrator can enter the email address used as the sender.
Enable SSL for SMTP | Check this box to enable SSL encryption for secure email transmission.
Test Email Settings | The administrator can test the configuration by sending an email using this button.
