Multi-factor authentication (MFA) - also sometimes referred to as two-factor authentication (2FA) - uses two independent authentication factors, such as knowledge (password), possession (physical object) and inherence (biometric features), to verify a user’s identity. This increases security as multiple factors are required to grant access, reducing the risk of unauthorized access.
Before you can log in to your Xentral instance, multi-factor authentication requires you to present two different and independent forms of identification, for example a one-time password (OTP) that is only valid for a single session or transaction. An app on a smartphone, such as Google Authenticator, can be used to generate a password that is valid for a limited period of time.
You can use either of the widely used authenticator apps, Google Authenticator or Microsoft Authenticator.
Downloading an app:
- Open the App Store (on iOS devices) or the Google Play Store (on Android devices).
- Download and install Google Authenticator or Microsoft Authenticator.
Setting up multi-factor authentication during the next regular login:
- Go to the login page of your Xentral instance.
- Log in with your email and password or using your Google account.
- When you log in for the first time, a QR code will be displayed. Scan this code with your authenticator app.
  Optional: If a scan is not possible, you can request a code.
- The app automatically adds the account and starts generating one-time passwords.
- Enter the one-time password from the app in the Xentral login to complete the login process.
Important
Make sure you securely store all recovery codes that are provided during the setup process. These codes are important in case you lose access to your device.
Proceed as follows to set up multi-factor authentication for all users of your Xentral instance.
- Go to Settings > General settings > User management > Multi-Factor Authentication.
- Activate the option Multi-factor authentication enabled.
  All users of your Xentral instance are now required to use multi-factor authentication when logging in.
- Once the option is activated, admins may exempt individual users of their instance from the MFA requirement. This may be necessary, for example, for shared Xentral accounts used by warehouse staff for which a multi-factor authentication requirement would be an unnecessary burden.
Caution
Please note that setting exceptions for individual users can pose a potential risk to data protection and privacy. We therefore recommend restricting the scope of permissions for these exempted users via user rights.
- Administrators can also reset the multi-factor authentication settings for individual users. This is necessary, for example, if the user has lost the device used for multi-factor authentication or if a new device was purchased. You can find detailed instructions in the chapter Unlock multi-factor authentication (lost device).
If an employee loses the device they normally use for multi-factor authentication, you as an admin can perform the following steps to enable the employee’s authentication again.
- Log in to Xentral as an administrator.
- Open the menu Basic settings > User management > Multi-factor authentication.
- Find the desired user in the list.
- Click Reset in the Actions column.
- Inform the user that they must now log in again using their authenticator app and the required recovery codes.
Important
Regularly remind all system users that they must keep the recovery codes for their MFA app safe, as they are needed for exactly these cases!