Two-Factor Authentication (2FA) for Reseller Account Access

What is 2FA?

Two-factor authentication is an additional level of security when accessing an account. In addition to entering a password, the user will provide an additional means of identification from a separate category of credentials: either a time-based token obtained through an app, or one obtained via SMS.

You may have both types of 2FA enabled at once.  The most recently-enabled type will be default unless you change it following the instructions in the FAQ below.

Important: If you previously shared a single login among several users, and you would like to enable 2FA, you will need to create a separate user for each individual who needs to log in - time-based tokens cannot be shared by multiple people.

How do I enable 2FA using app-based authentication for a user account?

1. Log into the Reseller Control Panel and go to Settings, then choose Account Profile.

2. There will be a new area: “2-Factor Authentication”.

3. To enable 2FA, click Edit.

4. Choose Enable Authenticator App. To proceed with editing, you will need to provide your reseller account password again.

5. To set up 2-Factor Authentication using an authenticator app on your smartphone, you will be presented with a key and a QR code (the QR code expresses the same key). Scan the QR code using the authenticator app on your phone (for example, here are instructions on how to install Google Authenticator), or enter the key manually in your app.

6. Once completed, the app will return a code to you. Enter this code in the box and click on Enable.

7. You will receive 10 recovery codes that you can use in case you are unable to access your authenticator app. Please print these and keep them protected.

8. 2FA is now enabled as the default option, and a newly-generated six-digit token from your authenticator app will be requested upon your next login.

How do I enable 2FA using SMS-based authentication for a user account?

1. Log into the Reseller Control Panel and go to Settings, then choose Account Profile.

2. There will be a new area: “2-Factor Authentication”.

3. To enable 2FA, click Edit.

 

4. Choose Enable SMS. To proceed with editing, you will need to provide your reseller account password again. Input your mobile phone number and click Next.

5. You will receive an SMS with a token on your phone. Insert that code in Step 2 and click Enable.

6. You will receive 10 recovery codes that you can use in case you are unable to access your SMS. Please print these and keep them protected.

7. 2FA is now enabled as the default option. Every time you log in, after inputting your username and password you will receive an SMS with a token. You will use this token to complete your login.

How will 2FA work when logging into OpenSRS?

  1. Enter your username and password and submit.

  2. If 2FA is enabled for your account, you will then be prompted to enter a token.

  3. If SMS-based authentication is your default 2FA option, you will receive a login token via SMS.

  4. If Authenticator App is your default 2FA option, you will need to open the app on your phone and locate the token for OpenSRS in the app.

  5. Enter the token into the prompt box.

  6. OpenSRS will validate the token and grant access to the Resellers Control Panel.

If 2FA is enabled for a user, the token will be required when the user logs in to the Resellers Control Panel AND the Reseller Web Interface (RWI).

FAQ

How can I log in if I don’t have my phone?

Log in using the emergency tokens you were provided when you enabled 2FA.  Using one of these tokens will disable 2FA, so you will need to re-enable it using your selected process above.

How can I disable 2FA for my account?

  1. Log into the Reseller Control Panel and go to Settings, then choose Account Profile.
  2. Under 2-Factor Authentication, click Edit.
  3. Select Disable.

or

Use one of the emergency tokens to log into your account.

How can I change the default login method?

  1. Log into the Reseller Control Panel and go to Settings, then choose Account Profile.
  2. Under 2-Factor Authentication, click Edit.
  3. Select Change default login method and select your choice.

How can I see which users in my reseller account have 2FA enabled?

Log into the Reseller Control Panel and go to Settings Account Settings - Manager Users


If I use Authenticator App for app-based 2FA, are my user credentials, or any other private information, shared with the App provider (e.g., Google)?

No, the app just takes the seed key we provide to you to generate a time-based token. It does not send any information to the provider, and does not require a live internet connection to generate a token, since it is completely based on the key and the initial token you entered during setup.
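
As an added illustration (not OpenSRS code), the sketch below shows how an authenticator app can derive a six-digit token from the seed key with no network access, and how a server holding the same key can check it. It assumes the standard TOTP scheme of RFC 6238 with HMAC-SHA1 and a 30-second step, which this page does not confirm for OpenSRS; the seed is a constructed sample and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # assumed time step in seconds (RFC 6238 default)
DIGITS = 6   # the page describes a six-digit token

# Constructed sample seed (the RFC 6238 test secret), base32 as shown to users.
SAMPLE_SEED = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32, at=None, step=STEP, digits=DIGITS):
    """Return the token for the time window containing `at` (Unix seconds)."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32, submitted, at=None, drift=1):
    """Server side: accept the current window plus `drift` windows either way."""
    now = time.time() if at is None else at
    ok = False
    for w in range(-drift, drift + 1):
        expected = totp(seed_b32, at=max(now + w * STEP, 0))
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    print("token now:", totp(SAMPLE_SEED))
    print("accepted :", verify(SAMPLE_SEED, totp(SAMPLE_SEED)))
```

The only inputs are the seed and the clock, which is why the app works offline and why a phone with a badly wrong clock produces tokens the server rejects.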

How can I retrieve my emergency tokens if I didn’t print them initially?

If you still have access to your account, you can regenerate recovery tokens under Account Profile > 2FA > Regenerate Recovery Tokens.  It is important to note that each time you generate new tokens, the previous set is invalidated.
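
The recovery-code behaviour described on this page (10 codes, single use, 2FA disabled after one is used, previous set invalidated on regeneration) can be modelled as below. This is an added example, not OpenSRS code: the class name, code format and the choice to store only SHA-256 digests of the codes are assumptions.

```python
import hashlib
import hmac
import secrets


class TwoFactorState:
    """Hypothetical per-user 2FA record holding only digests of recovery codes."""

    def __init__(self):
        self.enabled = False
        self._digests = set()

    @staticmethod
    def _digest(code):
        # Codes are high-entropy random values, so a plain hash is enough to
        # keep a leaked database from revealing usable codes.
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def enable(self):
        self.enabled = True
        return self.regenerate()

    def regenerate(self, count=10):
        """Issue a fresh set; replacing the stored set invalidates the old one."""
        codes = [secrets.token_hex(5) for _ in range(count)]  # constructed format
        self._digests = {self._digest(c) for c in codes}
        return codes  # shown to the user once, never stored in the clear

    def redeem(self, code):
        """Accept a code once; per the page, using one disables 2FA."""
        candidate = self._digest(code)
        match = None
        for stored in self._digests:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._digests.discard(match)   # single use
        self.enabled = False           # user must re-enable 2FA afterwards
        return True


if __name__ == "__main__":
    state = TwoFactorState()
    first = state.enable()
    second = state.regenerate()
    print("old code accepted:", state.redeem(first[0]))
    print("new code accepted:", state.redeem(second[0]))
    print("2FA still enabled:", state.enabled)
```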


4 Comments

  • domain

    It's a little early for April Fools Day, isn't it? Once again, OpenSRS forces yet another destructive, arbitrary 'surprise' in the form of a barrier that will further impede Resellers from effectively fulfilling their duties. Once again, absolutely no consultation whatsoever with the Resellers, for whom this ultimately affects most. Was this not part of your consideration process? Did you poll any Resellers at all, to see how yet another arbitrary, drastic step might be greeted? Why Not? I completely agree that security is important, but surely you can do better than this convoluted mess? I'm seriously beginning to question whether there's anyone at the helm of this ship, someone with a clear understanding of your relationship with Resellers.

    So what if I don't have access to an 'App', or 'SMS'? Now I am forced to use some mysterious 'Emergency token' before I'm able to log in and perform my duties? Explain why it is that I am left to only log in using a method that's somehow associated with an 'Emergency'? It just defies all logic. 'Emergency'? The only 'Emergency' here, is that you have once again failed to properly consider and consult with your Resellers, and arbitrarily dumped this on us. Just like you haphazardly did in August, and fell far short in addressing valid questions at that time. What kind of relationship model are you building here? Disappointing and thoroughly ridiculous. You can do better. Here is the ultimate question: Why is OpenSRS NOT working with, and for Resellers??? Is that not in all our best interests?

    And BTW, 2FA is not without its issues:
    http://www.scmagazineuk.com/gmail-account-gets-hacked-despite-2fa/article/381157/

  • Mark L.

    Hello,

    Thanks for your comments about the introduction of 2 factor authentication. Please be advised that this is not a mandatory feature, so you are more than welcome to not use it. It is designed for resellers who want to implement an extra step in the login process for added security. Instead of only needing to know the password for the account, users are prompted to enter a code displayed on their mobile device to gain access to the account. This prevents access to anyone without access to both the password to the account and the mobile device which displays the code.

    Again, it is not required for you to use, so since you do not seem to like the introduction of this feature, you can simply leave it disabled.

    If you have any other concerns, please email help@opensrs.com

    Thanks,
    Mark.

  • domain

    My problem with this, is with the way that it was presented. It's not entirely clear. "2FA is now enabled as the default option" suggests you've enabled it already, without any prior consultation with Resellers. Perhaps it would have been less surprising to introduce this as an opt-in, rather than opt-out. I'm not against change for the greater good, but I don't like things changing without any notice, especially when it affects my business, and adds to our support overhead, like last month's fiasco. Sorry, but something is definitely awry with the way you're communicating these things to Resellers lately. It affects the confidence and trust we've built on, and expected over the last dozen or so years.

  • Joe Winett

    I wish the 2FA would provide a "trust me on this computer" option instead of putting me through the second factor ten times a day. :)
