Background.
Multi-factor authentication (MFA) is used by many systems to add an additional layer of security, in order to protect user accounts from becoming compromised. This is most commonly in place nowadays to protect online banking, with a one-time password, 6-digit code, being sent by email or SMS to confirm a login or authorise a payment transaction online.
MFA in Caterbook.
The latest version of the Payment Card Industry Security Standard (PCI DSS) mandates that MFA should be in place for software where payment cards can be processed.
Caterbook now supports MFA for all accounts. We strongly recommend that you adopt it at your property now, prior to it becoming mandatory over the coming weeks. If a staff user's login were ever compromised, a malicious actor could potentially contact your guests and request they revalidate their payment card details using a convincing, but faked, landing page, and then use those details to commit fraud. Adopting MFA would make it more difficult for an unauthorised person to access the account.
Our implementation supports a choice of 3 methods; 'Email only', 'SMS only', or 'Email and SMS' - where the end User can choose at the time of logging in whether to have a 6-digit code sent to their configured email address or mobile number.
By far and away the most secure (and quickest to receive) method is to use 'SMS only', assuming your property has adequate mobile phone coverage. Why? Because email accounts are more likely to be compromised than a mobile phone. It's possible that if an end user's password becomes known to a malicious actor, it's because the email account that's tied to their User account has been hacked and a password reset has been picked up by the hacker. They'd also pick up the MFA code if sent via email.
Note: To make use of SMS, you would need to have an SMS plan active on your account. Prices start from just £6.50 per month for 100 SMS credits. Please contact support@caterbook.com to have this activated.
Setting up MFA.
To activate MFA, from Settings > Property > Property list, click on the property name. Then, scroll down to the bottom of the pop-up screen. Select the 'Multi-factor authentication' method. You can also set a 'Grace period', during which Users won't be asked again for the MFA code.
The two 'Email' methods will use the email address currently associated with a User login. Once again, and to be clear, if the user's email account is compromised, the attacker will have access to the six digit code, so these are the least secure option.
SMS (text) messages would go to the mobile phone number associated with a User login - normally their own personal mobile number, and these can now be entered in a new 'Mobile phone' field under Settings > Users (click on the notepad & pencil icon icon to edit the User Details).
For security and GDPR purposes, once entered, this value can only be seen fully by the logged in User themselves. Any Owner or Manager level User with access to this screen will see a masked number, with only the last 4 digits visible.
Once the MFA feature is activated for either 'SMS only' or 'Email and SMS', if a User that has no phone number configured tries to log in, a code will instead be sent via email.
Each User should have their own unique User account for logging in. Having a generic "Reception" type of user login is not recommended, and in fact would breach your own obligations under the PCI DSS.