This article deals with setting up two-factor (OTP) authentication for access to the customer administration panel. You can find additional security methods in the article Administration – Customer Account Security.
In this article, you will learn:
- How two-factor (OTP) authentication works
- What you need to use OTP
- How to enable OTP authentication
- How to disable it
- Common issues
- Frequently asked questions
How OTP Works
OTP stands for One Time Password. It is a six-digit single-use code that is valid for 30 seconds. After this time, a new password is generated based on the so-called shared key. You create this key when you activate OTP authentication and it is stored both on our server and in the device you use as an authentication tool. As long as the device and the server are synchronized with each other, the passwords based on the key match and you can log in with them.
Given the OTP code length and the limited time of its existence, it is very unlikely that an attacker would guess it. In combination with the regular customer account password, it is therefore quite an effective protection.
OTP Authentication Prerequisites
First, make sure you have an up-to-date mobile phone number and email address set up with your customer account. If you lose your authentication device, we will use this data to verify your identity and restore access.
To generate the one-time password, you need a device that displays the code valid at the given moment. Most commonly this is a mobile phone with one of these applications:
- Google Authenticator for Android
- Google Authenticator for iOS
- Microsoft Authenticator for Windows Phone
- Authenticator for Firefox OS
If your phone does not support mobile apps, you can use a browser extension:
OTP Activation
If you have:
- set up an up-to-date mobile phone number and email address in the customer administration panel, and
- an OTP generator prepared in a mobile phone or browser,
you can proceed to enable OTP authentication. Follow these steps:
- Log into the customer administration panel.
- In the navigation bar, select My Account >> Customer.
- In the left menu, click Account Security.
- In the Two-Factor Authentication (OTP) section, click the Set OTP button.
- Enter the shared key into your authentication device, or scan the QR code.
- Enter your customer account password and a valid OTP code.
- Click the Activate button.
The next time you log in, the system will prompt you to enter the OTP password.
If you enter a wrong password or another error occurs during activation, delete the existing account from the keychain and start the whole process again. The system will generate a new shared key and invalidate the old one.
You can run the application on multiple devices with a single shared key. You can therefore use a backup solution in case of failure or loss of one device.
OTP Deactivation
If you have access to the customer administration panel, follow the same steps as with activating OTP, but in Account Security, click the Disable button in the Two-Factor Authentication (OTP) section instead.
Lost OTP Device
If you do not have access to the customer administration panel due to the loss of the OTP authentication device, follow these steps:
- Enter your customer administration panel username and password.
- In the next step, click the I lost my OTP keycard button.
- Check your mailbox. Within 5 minutes of sending the request, click the link in the email WEDOS Internet – Deactivate OTP from wedos@wedos.com.
- Follow the link and click the Send SMS button.
- Enter the SMS code.
- Complete CAPTCHA and click the Send button.
OTP is now disabled.
Common Issues
Common problems with OTP authentication include:
OTP Activation Failed
Issue: Due to an error, the activation did not complete correctly.
Solution: Delete the shared key from the device and activate OTP again from the beginning.
Unavailable Email or Phone
Issue: You want to disable OTP, but you do not have access to the email address or phone set up with the account.
Solution: Contact us via the form. Provide your account login email and OTP deactivation request. The WEDOS authorization department will usually get back to you within 1 working day.
FAQ
Question: How do I get an OTP generator if I don’t have a smartphone?
Answer: All sorts of OTP generators exist, including browser extensions.
Question: Can I have more keychains? How do I set them up?
Answer: You can also add them later by displaying the shared key in the customer admin panel.