Back Office Multi-factor Authorization MFA


This feature was developed as an additional security measure for back office access. It consists of an additional screen after the usual login page where you will be asked to provide a One Time Password (OTP).

The idea is for the MFA to be adopted gradually and for it to be optional to begin with, still allowing the user to input a One Time Password upon login.


If the MFA is set to Mandatory, it will also try to log you out after 2 hours of inactivity (*), but will first offer you the option to “save” your session from being timed out via a confirmation popup.

(*) - We currently count activity every time a script loads, so, in theory, if you work in a single program for 2 hours without any page refreshes or the like, you will still see the timeout confirmation popup.

Setup

In the system options we have MFA Settings. If the status is Off, no one can use MFA or sign up for MFA.

File Maintenance > Sys Config > MFA


A. Status: On or Off - establishes whether the MFA is active or not

B. Mandatory or Optional (comes into play only if MFA is ON):

  • Mandatory

    • upon login will require OTP with the option to “Signup for MFA” presented

    • the same will go for any other back office user at this point

  • Optional

    • upon login will request OTP with the option to “Signup for MFA” presented

    • a ‘Skip’ button will be available on the OTP screen, so you don’t actually need to sign up or provide an OTP

    • The idea is to let users get accustomed to the MFA without it being enforced

C. Signup for MFA - if you want to sign up for MFA; this is the same process as the signup part of the login process

Journey

Usual login screen


One Time Password being requested.


Optional mode OTP



Mandatory Mode OTP (No option to 'Skip')


User who has previously signed up for MFA

Will not be given the option to sign up for MFA, for security reasons; only an Admin will now be able to reset their MFA status so they can sign up again if necessary.

(Skip button is there just for Optional mode)



Signup for MFA

Popup will display at which point you need to scan the QR code with one of the supported Authenticator apps on your phone.



Lost your Authenticator?


The Reset MFA can be performed by Admins (status 9) via the File Maintenance > Employee maintenance > Edit program




Session expiry

If the MFA is set to Mandatory, the system will attempt to log you out after 2 hours of inactivity (*).

(*) - We currently count activity every time a script loads, so, in theory, if you work in a single program for 2 hours without any page refreshes or the like, you will still see the timeout confirmation popup.

A few minutes before your session expires you should see a popup similar to this one, which offers the option to take some action in order to prevent session expiry.

If the user fails to take any action, the session will expire and redirect to the back office login screen.

