Difference between revisions of "X-Payments:Two-factor authentication"

m (Configuring X-Payments to skip the 2nd step of user authentication)
m
Line 16: Line 16:
  
 
The authentication method you choose before your first login to X-Payments will be set as your preferred method for user verification. If you wish, later you will be able to [[#AltAuthMethod | set up an additional/alternative method]] of user authentication and, if necessary, [[#ChangePreferredAuthMethod |change your preferred method]].
 
The authentication method you choose before your first login to X-Payments will be set as your preferred method for user verification. If you wish, later you will be able to [[#AltAuthMethod | set up an additional/alternative method]] of user authentication and, if necessary, [[#ChangePreferredAuthMethod |change your preferred method]].
 +
 +
After you configure a method for the second step of user authentication, you will be required to enter a one-time password provided to you via your preferred method of authentication every time you log in to X-Payments, unless you configure X-Payments to [[#SkipAuthentication | skip this step for two weeks]] on you device.
  
 
After setting up your primary user authentication method, we strongly recommend that you create a list of backup codes that will allow you access to X-Payments if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason:
 
After setting up your primary user authentication method, we strongly recommend that you create a list of backup codes that will allow you access to X-Payments if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason:
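Review bot: The added paragraph contains a typo: "on you device" should read "on your device". It also links to [[#SkipAuthentication]], so check that the anchor it relies on ships in the same revision; the `<div id="SkipAuthentication"></div>` line appears only as an addition in the last hunk.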
Line 46: Line 48:
  
 
<div id="SmsAuthentication"></div>
 
<div id="SmsAuthentication"></div>
 
 
==Setting up user authentication with SMS/text messages==
 
==Setting up user authentication with SMS/text messages==
 
This authentication method is based on using one-time passwords received via SMS/text messages. The service is provided by Twilio.
 
This authentication method is based on using one-time passwords received via SMS/text messages. The service is provided by Twilio.
Line 70: Line 71:
  
 
<div id="BackupCodesAuthentication"></div>
 
<div id="BackupCodesAuthentication"></div>
 
 
==Setting up user authentication with backup codes==
 
==Setting up user authentication with backup codes==
 
We by all means recommend that you set up more than one method to verify your user identity. At the very least, you should create and save a list of backup codes. These codes will help you to regain access to the X-Payments back end if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason.
 
We by all means recommend that you set up more than one method to verify your user identity. At the very least, you should create and save a list of backup codes. These codes will help you to regain access to the X-Payments back end if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason.
Line 83: Line 83:
  
 
<div id="AltAuthMethod"></div>
 
<div id="AltAuthMethod"></div>
 
 
==Setting up an additional/alternative method of user authentication==
 
==Setting up an additional/alternative method of user authentication==
 
To be able to log in to X-Payments with 2-step user authentication, you are required to set up at least one user authentication method - Google Authenticator or SMS/text messages. However, choosing one method does not mean you may not use the other one. It is possible to configure your X-Payments so you can use authentication via Google Authenticator or authentication via SMS/text messages based on what is more convenient to you at the moment. To do so, after configuring your primary authentication method (for example, Google Authenticator), you should configure the other authentication method (in our case, authentication with SMS/text messages via Twilio) as an additional method. To access the configuration page for your additional authentication method, use the "<u>configure</u>" link on your profile details page ('''Profile''' > '''View details'''):
 
To be able to log in to X-Payments with 2-step user authentication, you are required to set up at least one user authentication method - Google Authenticator or SMS/text messages. However, choosing one method does not mean you may not use the other one. It is possible to configure your X-Payments so you can use authentication via Google Authenticator or authentication via SMS/text messages based on what is more convenient to you at the moment. To do so, after configuring your primary authentication method (for example, Google Authenticator), you should configure the other authentication method (in our case, authentication with SMS/text messages via Twilio) as an additional method. To access the configuration page for your additional authentication method, use the "<u>configure</u>" link on your profile details page ('''Profile''' > '''View details'''):
Line 90: Line 89:
  
 
<div id="ChangePreferredAuthMethod"></div>
 
<div id="ChangePreferredAuthMethod"></div>
 
 
==Changing your preferred user authentication method==
 
==Changing your preferred user authentication method==
 
If you need to change your preferred user authentication method (for example, if you want to switch from Google Authenticator, which is your primary and preferred auth method, to SMS/text messages, which is your additional auth method), do the following:
 
If you need to change your preferred user authentication method (for example, if you want to switch from Google Authenticator, which is your primary and preferred auth method, to SMS/text messages, which is your additional auth method), do the following:
Line 97: Line 95:
 
Note that the button '''Set this method as preferable''' does not appear on the page if the method is already your preferred one.
 
Note that the button '''Set this method as preferable''' does not appear on the page if the method is already your preferred one.
  
 +
<div id="SkipAuthentication"></div>
 
==Configuring X-Payments to skip the 2nd step of user authentication==
 
==Configuring X-Payments to skip the 2nd step of user authentication==
 
If you log in to X-Payments most of the time from the same device, you may want X-Payments to remember you temporarily on that device and disable the 2nd step of user authentication for you for two weeks. This can be easily achieved by enabling the option "Skip this for two weeks" which you can see at the second step of user authentication below the field for entering one-time passwords for user authentication:<br />[[File:xp3_2step_ga_skip.png|border]]<br />After you log in for the first time with this option activated, X-Payments remembers your device and stops asking you for one-time passwords when you use that device to log in.
 
If you log in to X-Payments most of the time from the same device, you may want X-Payments to remember you temporarily on that device and disable the 2nd step of user authentication for you for two weeks. This can be easily achieved by enabling the option "Skip this for two weeks" which you can see at the second step of user authentication below the field for entering one-time passwords for user authentication:<br />[[File:xp3_2step_ga_skip.png|border]]<br />After you log in for the first time with this option activated, X-Payments remembers your device and stops asking you for one-time passwords when you use that device to log in.
 
You can view the list of devices "remembered" by your X-Payments in the section "Devices data for 2nd step authentication":<br />[[File:xp3_2step_ga_skip1.png|border]]<br />To access the list of devices for which the 2nd step of user authentication is skipped, click on the section name (which is a link); the list of devices will be expanded below:<br />[[File:xp3_2step_ga_skip2.png|border]]<br />You can clear the list at any time by clicking the '''Clear device data''' button:<br />[[File:xp3_2step_ga_skip3.png|border]]<br />After you clear the list, X-Payments will use full-featured two-step authentication for you on all devices again.
 
You can view the list of devices "remembered" by your X-Payments in the section "Devices data for 2nd step authentication":<br />[[File:xp3_2step_ga_skip1.png|border]]<br />To access the list of devices for which the 2nd step of user authentication is skipped, click on the section name (which is a link); the list of devices will be expanded below:<br />[[File:xp3_2step_ga_skip2.png|border]]<br />You can clear the list at any time by clicking the '''Clear device data''' button:<br />[[File:xp3_2step_ga_skip3.png|border]]<br />After you clear the list, X-Payments will use full-featured two-step authentication for you on all devices again.
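Review bot: The section under the new `SkipAuthentication` anchor tells users how to switch off the second step for two weeks on a remembered device, but says nothing about when that is appropriate. Consider adding a sentence recommending the option only on a device that the user alone controls, and pointing readers to '''Clear device data''' as the step to take when a remembered device is lost or shared.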

Revision as of 20:24, 10 March 2016


Starting with X-Payments version 3.0, we have changed the system of user authentication in X-Payments.

In the previous versions of X-Payments, we already used an authentication method that depended on more than one "factor": to access the X-Payments back end, a user had to prove their identity by presenting two separate pieces of evidence - 1) a login and a password; 2) a PIN code. In X-Payments version 3.0, user authentication is still based on the two-factor model, but we have provided more options regarding the second component required for user identification. Instead of PIN codes, X-Payments now provides three methods which can be used to verify a user's identity after authenticating them via a login and a password:

  • authentication with the Google Authenticator application;
  • authentication via SMS/text messages (Twilio integration);
  • authentication via backup codes generated by X-Payments.

The authentication methods based on using the Google Authenticator app and SMS/text messages are primary methods; they can be used independently or alongside one another. Authentication with backup codes is a complementary method; it can be used as a fallback user authentication method if your primary method is unavailable for some reason.

So, if you have installed the latest version of X-Payments, or have upgraded to X-Payments version 3.0 (or later), the first time you attempt to log in to X-Payments - right after entering your login and password - you will be required to choose the method you would like to use for the 2nd step of user authentication:

Xp3 2step choose method.png

The available options here are user authentication with the Google Authenticator app and user authentication with SMS/text messages. To continue with the setup of the chosen method, click the Continue button. You will be directed to the method configuration page. To set up the chosen method for use with your X-Payments, follow the instructions below:

The authentication method you choose before your first login to X-Payments will be set as your preferred method for user verification. If you wish, later you will be able to set up an additional/alternative method of user authentication and, if necessary, change your preferred method.

After you configure a method for the second step of user authentication, you will be required to enter a one-time password provided to you via your preferred method of authentication every time you log in to X-Payments, unless you configure X-Payments to skip this step for two weeks on your device.

After setting up your primary user authentication method, we strongly recommend that you create a list of backup codes that will allow you access to X-Payments if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason:

Setting up user authentication with the Google Authenticator app

This authentication method is based on using the Google Authenticator application which you install on your phone. The application is connected to your X-Payments installation, after which it can generate one-time passwords that serve as the second piece of evidence to prove your identity after you have entered your X-Payments login and password.

To set up user authentication via the Google Authenticator app, follow these steps:

  1. Install the Google Authenticator app on your phone/mobile device. The installation instructions are available here.
  2. In the X-Payments back end, go to the configuration page for the authentication method based on using Google Authenticator (2-step authentication with Google Authenticator).
    Xp3 2step ga method config.png
    This page opens automatically after you select Google Authenticator as your preferred user authentication method when you log in to X-Payments for the first time. Also, you can access this page at any time using the "Google Authenticator app configure" link on your profile details page (Profile > View details):
    Xp3 2step ga configure link.png
  3. Sync the time on the device where you have installed the Google Authenticator app with the time in X-Payments. Never mind the time zone difference; it is only the minutes and seconds that need to be synchronized. The current time in X-Payments is displayed right on the 2-step authentication with Google Authenticator page:
    Xp3 2step ga method config1.png
  4. Add your X-Payments account to the Google Authenticator App. To do so, scan the QR code on the right-hand side of the 2-step authentication with Google Authenticator page:
    Xp3 2step ga method config2.png
    Or use the Secret code displayed below the QR code to manually register your X-Payments account in the Google Authenticator app:
    Xp3 2step ga method config3.png
  5. To test the configuration, enter a one-time password from your Google Authenticator application on the 2-step authentication with Google Authenticator page and click "Check":
    Xp3 2step ga check.png
    Note that the lifetime of a one-time password is one minute, and the same code cannot be used more than once.
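The time-sync step and the "one minute, used only once" note above follow from how time-based one-time passwords are computed. The sketch below is an added example, not X-Payments code: it assumes the RFC 6238 defaults used by Google Authenticator (HMAC-SHA1, 30-second steps, 6 digits), and the `TotpVerifier` class, its one-step-back acceptance window and the sample secret are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # length of the one-time password

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 one-time password for a given counter value."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: float) -> str:
    """The counter is Unix time divided by the step. Unix time is the same in
    every time zone, so only the clock's minutes and seconds have to agree."""
    return hotp(secret_b32, int(unix_time) // STEP)


class TotpVerifier:
    """Hypothetical server-side check: accepts the code of the current step and
    of the previous one (so a code stays valid for up to 60 seconds) and
    refuses any code whose step has already been used."""

    def __init__(self, secret_b32: str, steps_back: int = 1):
        self.secret = secret_b32
        self.steps_back = steps_back
        self.last_used_counter = -1   # highest step already accepted

    def verify(self, code: str, unix_time: float) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        now = int(unix_time) // STEP
        for counter in range(now - self.steps_back, now + 1):
            if counter <= self.last_used_counter:
                continue              # replay of a used (or older) code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    t = 1234567890                    # constructed timestamp (an RFC 6238 test time)
    code = totp(SECRET, t)
    server = TotpVerifier(SECRET)
    print("code:", code)
    print("accepted 59 s later:", server.verify(code, t + 59))
    print("same code again:", server.verify(code, t + 59))
    print("phone clock 5 min slow:",
          TotpVerifier(SECRET).verify(totp(SECRET, t - 300), t))
```

A phone whose clock is off by more than the accepted window produces codes that are correct for the wrong step, which is why the setup procedure asks you to sync the clock before the "Check" step.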

Provided that the password from the Google Authenticator has been entered correctly, you should see a popup message saying that the authentication method has been configured successfully:

Xp3 2step ga check success0.png

Now user authentication via the Google Authenticator app is enabled and configured:

Xp3 2step ga configured.png

At the second step of user authentication, you can now use one-time passwords generated by the Google Authenticator app:

Xp3 2step ga auth.png

Important: After setting up your preferred user authentication method, be sure to create and save a list of backup codes for access to X-Payments:

Later on, if you need to set up Google Authenticator on a different device, you will have to reconnect the app. Note that to complete the task you will be required to enter a one-time password from your currently connected Google Authenticator app (if you have authentication via SMS/text messages enabled as an additional method, you can also use a one-time password received via SMS/text message instead of the password from Google Authenticator - these passwords are the same and can be used interchangeably).

To re-connect the app:

  1. On the configuration page for the authentication method based on using Google Authenticator (2-step authentication with Google Authenticator), click the Re-connect the app button:
    Xp3 2step ga reconnect1.png
    A popup window will be displayed providing a form for you to enter a one-time password from your currently connected app:
    Xp3 2step ga reconnect2.png
    Type in the one-time password from Google Authenticator (or an SMS/text message) and click Enter. The popup window will be closed, and the method configuration page will show the note "The authentication method is not configured!":
    Xp3 2step ga reconnect3.png
  2. Scan the QR code or manually enter the Secret code to re-connect the app.

Setting up user authentication with SMS/text messages

This authentication method is based on using one-time passwords received via SMS/text messages. The service is provided by Twilio.

To set up user authentication via SMS/text messages, follow these steps:

  1. In the X-Payments back end, go to the configuration page for the user authentication method based on using SMS/text messages (SMS/Text message 2nd step verification).
    Xc3 2step twilio config.png
    This page opens automatically after you select SMS/text messages as your preferred user authentication method when you log in to X-Payments for the first time. Also, you can access this page at any time using the "SMS/Text message configure" link on your profile details page (Profile > View details):
    Xp3 2step sms configure link.png
    Note that in X-Payments Hosted this page looks different (the title on the page is Setup phone number for SMS notifications). If you are using X-Payments Hosted, skip over to Step 3 of this procedure.
  2. (This step is required only if using the downloadable edition of X-Payments; not needed for X-Payments Hosted): Set up an account with Twilio. To access the registration form on the Twilio website, use the Twilio account page link:
    Xp3 2step twilio link s.png
    Once your Twilio account is set up, enter your Twilio account details in the Twilio Services setup section of the auth method configuration page in X-Payments. Click Save to save the changes:
    Xc3 2step sms method config0.png
    Provided that your Twilio account details have been added correctly, a new section will be added on the SMS/Text message 2nd step verification page allowing you to set up a phone number for SMS notifications:
    Xc3 2step sms method config.png
  3. Use the Phone number field in the Setup phone number for SMS notifications section of the SMS/Text message 2nd step verification page to enter a phone number that you would like to use to receive SMS/text messages with one-time passwords for the second step of user authentication. Click Save to save the changes.
    Xc3 2step sms phone add1.png
    The phone number will be saved, and a new message - "The phone number is not verified" - will be displayed:
    Xc3 2step sms phone add2.png
  4. Verify the phone number you have added:
    Click the Get code button:
    Xc3 2step sms phone verify1.png
    Once you do it, an SMS/text message with a one-time password for user authentication will be sent to your phone, and the Get code button will be replaced with a blank field for verification.
    Xc3 2step sms phone verify2.png
    After you receive the SMS/text message with a one-time password, type the one-time password you have received into the blank field that has appeared on the page in the place of the Get code button, then click the Verify button. If the password you entered is correct, a success message will be displayed:
    Xc3 2step sms phone verify3.png

Now user authentication via SMS/text messages is enabled and configured:

Xc3 2step sms configured.png

At the second step of user authentication, you can now use one-time passwords sent to your phone number:

Xc3 2step sms auth.png

Important: After setting up your preferred user authentication method, be sure to create and save a list of backup codes for access to X-Payments:

If necessary, you can change the phone number at which you receive SMS/text messages with one-time passwords. Note that to complete the task you will be required to enter a one-time password from an SMS/text message sent to your currently connected device (if you have authentication via Google Authenticator enabled as an additional method, you can also use a one-time password generated by Google Authenticator instead of the password from the SMS/text message - these passwords are the same and can be used interchangeably).

To change the phone number associated with your 2-step authentication settings, complete the following steps:

  1. On the configuration page for the authentication method based on using SMS/text messages (SMS/Text message 2nd step verification), click the Change phone number button:
    Xp3 2step sms phone change.png
    A popup window will be displayed providing a form for you to enter a one-time password from an SMS/text message sent to your currently connected device.
    Xp3 2step sms phone change1.png
  2. Type in the one-time password from the SMS/text message (or from Google Authenticator) and click Enter. The popup window will be closed, and a note "Success! Phone number removed" will be displayed at the top of the screen:
    Xp3 2step sms phone change2.png
  3. On the method configuration page, add your new phone number and get it verified.


Setting up user authentication with backup codes

We strongly recommend that you set up more than one method to verify your user identity. At the very least, you should create and save a list of backup codes. These codes will help you to regain access to the X-Payments back end if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason.

To create your backup codes:

  1. In the X-Payments back end, go to the profile details page (Profile > View details) and click the "Backup codes configure" link:
    Xp3 2step bc configure link.png
    This opens the Backup auth codes page:
    Xp3 2step backup codes.png
  2. On the page, click the Generate backup codes button:
    Xp3 2step backup codes1.png
    A popup window will be displayed providing a form for you to enter a one-time password from your preferred authentication method:
    Xp3 2step backup codes2.png
    Type in the one-time password from Google Authenticator or an SMS/text message and click Enter. The popup window will be closed, and you will see a list of backup codes generated for you:
    Xp3 2step backup codes3.png
    Note that the codes are unusable until you confirm you have saved them, so don't close the page just yet!
  3. Click the Download or print codes button to save the codes:
    Xp3 2step backup codes4.png
    Be sure to store the list of your backup codes in a secure place.
  4. Click the I confirm that I've saved the backup codes button to activate the codes.
    Xp3 2step backup codes5.png
    The codes will be activated:
    Xp3 2step backup codes6.png

Now you can use the codes to access the X-Payments back end.


Setting up an additional/alternative method of user authentication

To be able to log in to X-Payments with 2-step user authentication, you are required to set up at least one user authentication method - Google Authenticator or SMS/text messages. However, choosing one method does not mean you may not use the other one. It is possible to configure your X-Payments so you can use authentication via Google Authenticator or authentication via SMS/text messages based on what is more convenient to you at the moment. To do so, after configuring your primary authentication method (for example, Google Authenticator), you should configure the other authentication method (in our case, authentication with SMS/text messages via Twilio) as an additional method. To access the configuration page for your additional authentication method, use the "configure" link on your profile details page (Profile > View details):

Xp3 2step sms configure link.png

Once both authentication methods have been set up properly, you will be able to use either of them to verify your user identity. The one-time passwords generated for your preferred and additional user authentication methods will be fully identical, which means you will be able to use a password generated by Google Authenticator when asked for a password from an SMS/text message, and vice versa.

Changing your preferred user authentication method

If you need to change your preferred user authentication method (for example, if you want to switch from Google Authenticator, which is your primary and preferred auth method, to SMS/text messages, which is your additional auth method), do the following:

  1. In the X-Payments back end, go to your profile details page and click on the configure link for the user authentication method that you wish to use as your preferred one:
    Xp3 2step sms configure link1.png
  2. On the configuration page for the chosen authentication method, click the button Set this method as preferable:
    Xp3 2step sms make preferable.png
    The authentication method will be updated and set as your preferred method:
    Xp3 2step sms make preferable1.png

Note that the button Set this method as preferable does not appear on the page if the method is already your preferred one.

Configuring X-Payments to skip the 2nd step of user authentication

If you log in to X-Payments most of the time from the same device, you may want X-Payments to remember you temporarily on that device and disable the 2nd step of user authentication for you for two weeks. This can be easily achieved by enabling the option "Skip this for two weeks" which you can see at the second step of user authentication below the field for entering one-time passwords for user authentication:
Xp3 2step ga skip.png
After you log in for the first time with this option activated, X-Payments remembers your device and stops asking you for one-time passwords when you use that device to log in. You can view the list of devices "remembered" by your X-Payments in the section "Devices data for 2nd step authentication":
Xp3 2step ga skip1.png
To access the list of devices for which the 2nd step of user authentication is skipped, click on the section name (which is a link); the list of devices will be expanded below:
Xp3 2step ga skip2.png
You can clear the list at any time by clicking the Clear device data button:
Xp3 2step ga skip3.png
After you clear the list, X-Payments will use full-featured two-step authentication for you on all devices again.
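A remembered-device feature like the one described above is only as safe as its expiry and its revocation. The sketch below is an added example, not X-Payments code: the `RememberedDevices` class, the token format and the storage layout are assumptions chosen to show a two-week skip that the server can list and clear.

```python
import hashlib
import secrets

SKIP_PERIOD = 14 * 24 * 3600   # "two weeks", in seconds


class RememberedDevices:
    """Hypothetical per-user store of devices allowed to skip the 2nd step.

    The device keeps a random token (for example in a cookie); the server keeps
    only its SHA-256 digest, so a leaked table cannot be replayed as tokens."""

    def __init__(self):
        self._devices = {}   # token digest -> (label, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def remember(self, label: str, now: float) -> str:
        """Call only after a successful one-time-password check with the
        'Skip this for two weeks' option ticked. Returns the device token."""
        token = secrets.token_urlsafe(32)
        self._devices[self._digest(token)] = (label, now + SKIP_PERIOD)
        return token

    def may_skip_second_step(self, token, now: float) -> bool:
        """True only for a known token that has not expired."""
        if not token:
            return False
        key = self._digest(token)
        entry = self._devices.get(key)
        if entry is None:
            return False
        if now >= entry[1]:
            del self._devices[key]    # expired: forget the device
            return False
        return True

    def list_devices(self, now: float):
        """Labels of devices that currently skip the 2nd step."""
        return sorted(label for label, exp in self._devices.values() if now < exp)

    def clear(self) -> None:
        """Equivalent of a 'Clear device data' action: every device must pass
        the full two-step login again."""
        self._devices.clear()


if __name__ == "__main__":
    start = 1_700_000_000             # constructed timestamp
    store = RememberedDevices()
    laptop = store.remember("office laptop", start)
    print(store.may_skip_second_step(laptop, start + 13 * 86400))   # within two weeks
    print(store.may_skip_second_step(laptop, start + SKIP_PERIOD))  # expired
    phone = store.remember("phone", start)
    store.clear()
    print(store.may_skip_second_step(phone, start + 60))            # revoked
```

Because the decision is made against server-side state, clearing the list takes effect immediately even if a copy of the token is still present on a lost device.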