Difference between revisions of "X-Payments:Two-factor authentication"

m (Setting up user authentication with SMS/text messages)
m
 
(32 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
<noinclude>{{XP_manual_TOC}}</noinclude>
 +
 
__NOTOC__<br>
 
__NOTOC__<br>
 
Starting with X-Payments version 3.0, we have changed the system of user authentication in X-Payments.
 
Starting with X-Payments version 3.0, we have changed the system of user authentication in X-Payments.
Line 9: Line 11:
 
The authentication methods based on using the Google Authenticator app and SMS/text messages are primary methods; they can be used independently or alongside one another. Authentication with backup codes is a complementary method; it can be used as a fallback user authentication method if your primary method is unavailable for some reason.
 
The authentication methods based on using the Google Authenticator app and SMS/text messages are primary methods; they can be used independently or alongside one another. Authentication with backup codes is a complementary method; it can be used as a fallback user authentication method if your primary method is unavailable for some reason.
  
So, if you have installed the latest version of X-Payments, or have upgraded to X-Payments version 3.0 (or later), the first time you will attempt to log in to X-Payments - right after entering your login and password - you will be required to choose a method for the 2nd step of user authentication that you would like to use:<br />[[File:xp3_2step_choose_method.png|border]]<br />
+
So, if you have installed the latest version of X-Payments, or have upgraded to X-Payments version 3.0 (or later), the first time you will attempt to log in to X-Payments - right after entering your login and password - you will be required to choose a method for the 2nd step of user authentication that you would like to use:<br />
 +
:[[File:xp3_2step_choose_method.png|border]]<br />
 
The available options here are user authentication with the Google Authenticator app and user authentication with SMS/text messages. To continue with the setup of the chosen method, click the '''Continue''' button. You will be directed to the method configuration page. To set up the chosen method for use with your X-Payments, follow the instructions below:
 
The available options here are user authentication with the Google Authenticator app and user authentication with SMS/text messages. To continue with the setup of the chosen method, click the '''Continue''' button. You will be directed to the method configuration page. To set up the chosen method for use with your X-Payments, follow the instructions below:
:* [[#GAappAuthentication | Setting up user authentication with the Google Authenticator app]]
+
:* [[X-Payments:Setting_up_user_authentication_with_the_Google_Authenticator_app | Setting up user authentication with the Google Authenticator app]]
:* [[#SmsAuthentication | Setting up user authentication with SMS/text messages]]
+
:* [[X-Payments:Setting_up_user_authentication_with_SMS/text_messages | Setting up user authentication with SMS/text messages]]
 
 
The authentication method you choose before your first login to X-Payments will be set as your preferred method for user verification. If you wish, later you will be able to [[#AltAuthMethod | set up an additional/alternative method]] of user authentication and, if necessary, [[#ChangePreferredAuthMethod |change your preferred method]].
 
 
 
After setting up your primary authentication method, we strongly recommend that you create a list of backup codes that will allow you access to X-Payments if the user authentication method(s) you normally use are not working:
 
:* [[#BackupCodesAuthentication | Setting up user authentication with backup codes]]
 
 
 
<div id="GAappAuthentication"></div>
 
==Setting up user authentication with the Google Authenticator app==
 
This authentication method is based on using the Google Authenticator application which you install on your phone. The application is connected to your X-Payments installation, after which it can generate one-time passwords that serve as the second piece of evidence to prove your identity after you have entered your X-Payments login and password.
 
 
 
To set up user authentication via the Google Authenticator app, follow these steps:
 
# Install the Google Authenticator app on your phone/mobile device. The installation instructions are available [https://support.google.com/accounts/answer/1066447?hl=en here].
 
# In the X-Payments back end, go to the configuration page for the authentication method based on using Google Authenticator ('''2-step authentication with Google Authenticator''').<br />[[File:xc3_2step_ga_method_config.png|border]]<br />This page opens automatically after you select Google Authenticator as your preferred user authentication method when you log in to X-Payments for the first time. Also, you can access this page at any time using the "Google Authenticator app <u>configure</u>" link on your profile details page ('''Profile''' > '''View details'''):<br />[[File: .png|border]]<br />
 
# Sync the time on the device where you have installed the Google Authenticator app with the time in X-Payments. Never mind the time zone difference; it is only the minutes and seconds that need to be synchronized. The current time in X-Payments is displayed right on the '''2-step authentication with Google Authenticator''' page:<br />[[File:xc3_2step_ga_method_config1.png|border]]<br />
 
# Add your X-Payments account to the Google Authenticator App. To do so, scan the QR code on the right-hand side of the '''2-step authentication with Google Authenticator''' page:<br />[[File:xc3_2step_ga_method_config2.png|border]]<br />Or use the Secret code displayed below the QR code to manually register your X-Payments account in the Google Authenticator app:<br />[[File:xc3_2step_ga_method_config3.png|border]]<br />
 
# To test the configuration, enter a one-time password from your Google Authenticator application on the '''2-step authentication with Google Authenticator''' page and click "Check":<br />[[File:xc3_2step_ga_check.png|border]]<br />Note that the lifetime of a one-time password is one minute, and the same code cannot be used more than once.<br />
 
Provided that the password from the Google Authenticator has been entered correctly, you should see a popup message saying that the authentication method has been configured successfully:<br />[[File:xc3_2step_ga_check_success0.png|border]]<br /><br />
 
Now user authentication via the Google Authenticator app is enabled and configured:<br />[[File:xc3_2step_ga_enabled_configured1.png|border]]<br /><br />At the second step of user authentication, you can now use one-time passwords generated by the Google Authenticator app:<br />[[File:xc3_2step_ga_auth.png|border]]<br /><br />
 
 
 
<div id="SmsAuthentication"></div>
 
==Setting up user authentication with SMS/text messages==
 
This authentication method is based on using one-time passwords received via SMS/text messages. The service is provided by Twilio.
 
 
 
To set up user authentication via SMS/text messages, follow these steps:
 
# In the X-Payments back end, go to the configuration page for the user authentication method based on using SMS/text messages ('''SMS/Text message 2nd step verification''').<br />[[File:xc3_2step_twilio_config.png|border]]<br />
 
# (''This step is required only if using the downloadable edition of X-Payments; not needed for X-Payments Hosted''): Set up an account with Twilio and enter your Twilio account details in the '''Twilio Services setup''' section of the auth method configuration page. Click '''Save''' to save the changes. Provided that your Twilio account details have been added correctly, a new section will be added on the '''SMS/Text message 2nd step verification''' page allowing you to set up a phone number for SMS notifications:<br />[[File:xc3_2step_sms_method_config.png|border]]<br />
 
#
 
 
 
 
 
<div id="BackupCodesAuthentication"></div>
 
  
==Setting up user authentication with backup codes==
+
The authentication method you choose before your first login to X-Payments will be set as your preferred method for user verification. If you wish, later you will be able to [[X-Payments:Setting_up_an_additional/alternative_method_of_user_authentication | set up an additional/alternative method]] of user authentication and, if necessary, [[X-Payments:Changing_your_preferred_user_authentication_method |change your preferred method]].
We by all means recommend that you set up more than one method to verify your user identity. At the very least, you should create backup codes.
 
  
 +
After you configure a method for the second step of user authentication, you will be required to enter a one-time password provided to you via your preferred method of authentication every time you log in to X-Payments, unless you configure X-Payments to [[X-Payments:Configuring_X-Payments_to_skip_the_2nd_step_of_user_authentication | skip this step for two weeks]] on you device.
  
<div id="AltAuthMethod"></div>
+
After setting up your primary user authentication method, we strongly recommend that you create a list of backup codes that will allow you access to X-Payments if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason:
==Setting up an additional/alternative method of user authentication==
+
:* [[X-Payments:Setting_up_user_authentication_with_backup_codes | Setting up user authentication with backup codes]]
To be able to log in to X-Payments with 2-step user authentication, you are required to set up at least one user authentication method - Google Authenticator or SMS/text messages. However, choosing one method does not mean you may not use the other one. It is possible to configure your X-Payments so you can use authentication via Google Authenticator or authentication via SMS/text messages based on what is more convenient to you at the moment. To do so, after configuring your primary authentication method (for example, Google Authenticator), you should configure the other authentication method (in our case, authentication with SMS/text messages via Twilio) as an additional method. To access the configuration page for your additional authentication method, use the "<u>configure</u>" link on your profile details page ('''Profile''' > '''View details'''):<br />[[File:xp3_2step_ga_enabled_configured0.png|border]] - ???<br />
 
Once both the authentication methods have been set up properly, you will be able to use any of them for the authentication of your user identity. The one-time passwords generated for your preferred and additional user authentication methods will be fully identical, which means you will be able to use a password generated by Google Authenticator when asked for a password from an SMS/text message, and vise versa.
 
  
<div id="ChangePreferredAuthMethod"></div>
+
[[Category:X-Payments User Manual]]
==Changing your preferred user authentication method==
 
If you need to change your preferred user authentication method, you can access your authentication method settings from your profile details page:<br />[[File:xp3_2step_ga_enabled_configured0.png|border]]
 

Latest revision as of 17:12, 30 March 2017


Starting with X-Payments version 3.0, we have changed the system of user authentication in X-Payments.

In the previous versions of X-Payments, we already used an authentication method that depended on more than one "factor": to access the X-Payments back end, a user had to prove their identity by presenting two separate pieces of evidence - 1) a login and a password; 2) a PIN code. In X-Payments version 3.0, user authentication is still based on the two-factor model, but we have provided more options regarding the second component required for user identification. Instead of PIN codes, X-Payments now provides three methods which can be used to verify a user's identity after authenticating them via a login and a password:

  • authentication with the Google Authenticator application;
  • authentication via SMS/text messages (Twilio integration);
  • authentication via backup codes generated by X-Payments.

The authentication methods based on using the Google Authenticator app and SMS/text messages are primary methods; they can be used independently or alongside one another. Authentication with backup codes is a complementary method; it can be used as a fallback user authentication method if your primary method is unavailable for some reason.
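The split between a primary method and a fallback can be seen in a small verifier. This is an added example, not X-Payments code: it assumes the RFC 6238 defaults that the Google Authenticator app uses (30-second step, 6 digits, HMAC-SHA1), and the `SecondStep` class, its one-step drift allowance and the sample backup code are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The counter comes from UTC epoch
    seconds, so the device's time zone setting does not affect the code."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondStep:
    """Hypothetical second-step check: TOTP first, backup codes as fallback."""

    def __init__(self, secret_b32, backup_codes):
        self.secret = secret_b32
        self.last_step = -1  # highest time step already accepted (replay guard)
        # Keep only digests so the code list is not readable from storage.
        self.backup = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}

    def verify(self, code: str, now: int):
        current = now // STEP
        # Primary method: current step, plus one earlier step for clock drift.
        for step in (current, current - 1):
            expected = totp(self.secret, step * STEP)
            if step > self.last_step and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step  # the same code is refused from now on
                return "totp"
        # Fallback method: each backup code is removed once it has been used.
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup:
            self.backup.remove(digest)
            return "backup"
        return None

# Constructed sample data: the RFC 6238 test secret and a made-up backup code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_BACKUP = ["constructed-backup-1"]
```
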

So, if you have installed the latest version of X-Payments, or have upgraded to X-Payments version 3.0 (or later), the first time you attempt to log in to X-Payments - right after entering your login and password - you will be required to choose the method you would like to use for the 2nd step of user authentication:

[Screenshot: Xp3 2step choose method.png]

The available options here are user authentication with the Google Authenticator app and user authentication with SMS/text messages. To continue with the setup of the chosen method, click the Continue button. You will be directed to the method configuration page. To set up the chosen method for use with your X-Payments, follow the instructions below:

  • Setting up user authentication with the Google Authenticator app
  • Setting up user authentication with SMS/text messages

The authentication method you choose before your first login to X-Payments will be set as your preferred method for user verification. If you wish, later you will be able to set up an additional/alternative method of user authentication and, if necessary, change your preferred method.

After you configure a method for the second step of user authentication, you will be required to enter a one-time password provided to you via your preferred method of authentication every time you log in to X-Payments, unless you configure X-Payments to skip this step for two weeks on your device.

After setting up your primary user authentication method, we strongly recommend that you create a list of backup codes that will allow you access to X-Payments if you lose the phone associated with your two-factor authentication settings, or if the authentication method you normally use becomes unavailable for some reason:

  • Setting up user authentication with backup codes