Cloudbeds Release Notes - October 2018


The October release improves myfrontdesk access security and guests' credit card data security, and includes 2 Factor Authentication UX enhancements

Automatic User Logout after x-minutes of Inactivity

We are adding the option for property owners to choose whether a user should get automatically logged out after being inactive*, or if once a user logs in they should stay logged in indefinitely. 

Property owners should proceed to their Security page and select the users they want to apply the rule to, then select “Set Auto Logout” from the Actions dropdown list. They can either enter how many minutes of inactivity they wish to allow, or type zero or leave the space blank if they don't want auto logout.

*An inactive user is someone who is no longer active on the application.

2 Factor Authentication for Users with no Credit Card viewing access (using managerial credit card password override)

It is currently possible for a user without credit card viewing privileges to access credit card details: this is accomplished with what’s called a "managerial override" (when a user enters the account & credit card viewing password of a user who has credit card viewing privileges). This managerial override exists to add a layer of convenience for front desk workers.

With this release we add an additional protection layer to this process by adding a 2 Factor Authentication flow:

  • When a user attempts to perform a managerial credit card password override on an unrecognized device, the user will be prompted with a 2FA flow.
  • This includes sending a verification code to a user’s preferred 2FA method, or letting the user choose a new method.
  • It won't allow a user to pass 2FA with the recovery code.
  • When a user successfully enters the verification code, they will be shown the credit card details and this device will be trusted for 30 days. When a device is trusted, the user without credit card viewing privileges will still need to enter the managerial override credentials.

Remove credit card details of cancelled reservations 30 days after cancellation/no-show date

With this release, the system will remove credit card details 30 days after the cancellation/no-show date for security purposes.

30 days would make it possible for a property to reconcile no-show/cancellation fees once a month (if they don’t do it daily/weekly) or to perform a refund if needed.

Flow After Logging in With Emergency Code

The emergency code is a necessary part of 2 Factor Authentication to help users log in if they lose access to their authentication device. This may be because they got a new phone number or a new phone. Users who lose their authentication device should verify a new device as soon as possible. For security purposes, the emergency code can only be used once.

This release will make it easier to verify a new device:

  • Upon successfully entering the emergency code, the user should be redirected to the User Profile page to re-verify.
  • The 2 Factor Authentication modal will automatically open. The user would be expected to verify with a new device.
  • If needed, the user should be able to close the window; however, closing this modal will be noted in the activity log.
  • It is the user’s responsibility to verify a new device after using the emergency code.

Button to Generate New Emergency Code

The emergency code allows a user to log in from a trusted device when they are unable to perform 2 Factor Authentication. A user may be unable to perform 2 Factor Authentication because they changed their phone number or they do not have their authentication device with them.

Before this release, a user had no way to view their emergency code after they verified: it was possible for a user to verify and close the modal without writing down or saving the emergency code.

We will be adding a new button to the 'User Profile' page so users can generate a new emergency code.
