We are adding an option for property owners to choose whether a user is automatically logged out after being inactive*, or stays logged in indefinitely once they log in.
Property owners should proceed to their Security page and select the users they want to apply the rule to, then select “Set Auto Logout” from the Actions dropdown list. They can either enter how many minutes of inactivity they wish to allow, or type zero or leave the space blank if they don't want auto logout.
*An inactive user is someone who is no longer active on the application.
It is currently possible for a user without credit card viewing privileges to access credit card details: this is accomplished with what’s called a "managerial override" (when a user enters the account & credit card viewing password of a user who has credit card viewing privileges). This managerial override exists to add a layer of convenience for front desk workers.
With this release we add an additional layer of protection to this process with a 2 Factor Authentication flow:
- When a user attempts to perform a managerial credit card password override on an unrecognized device, the user will be prompted with a 2FA flow.
- This includes sending a verification code to a user’s preferred 2FA method, or letting the user choose a new method.
- It won't allow a user to pass 2FA with the recovery code.
- When a user successfully enters the verification code, they will be shown the credit card details and this device will be trusted for 30 days. When a device is trusted, the user without credit card viewing privileges will still need to enter the managerial override credentials.
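The override flow in the list above, modelled as an added example (not the product's own code). The class, method and result strings are hypothetical, and checking the override credentials before the 2FA step is an assumption about ordering that the release note does not state.

```python
from datetime import datetime, timedelta

TRUST_PERIOD = timedelta(days=30)  # trust window stated in the release note


class OverrideGate:
    """Hypothetical model of the managerial override with 2FA on new devices."""

    def __init__(self):
        self.trusted = {}  # device_id -> datetime at which trust expires

    def is_trusted(self, device_id, now):
        expiry = self.trusted.get(device_id)
        return expiry is not None and now < expiry

    def attempt(self, device_id, override_ok, now, code_kind=None, code_ok=False):
        # Override credentials are required on every attempt, even on a
        # trusted device (assumption: they are checked before 2FA).
        if not override_ok:
            return "denied: override credentials"
        # A trusted device skips the 2FA prompt until its 30 days run out.
        if self.is_trusted(device_id, now):
            return "show card details"
        # Unrecognized device: a verification code must be supplied.
        if code_kind is None:
            return "2fa required"
        # The recovery code is never accepted for this flow.
        if code_kind == "recovery":
            return "denied: recovery code not accepted"
        if not code_ok:
            return "denied: verification code"
        # Successful verification trusts this device for 30 days.
        self.trusted[device_id] = now + TRUST_PERIOD
        return "show card details"


if __name__ == "__main__":
    gate = OverrideGate()
    t0 = datetime(2024, 1, 1)  # constructed sample date
    print(gate.attempt("front-desk-pc", True, t0))
    print(gate.attempt("front-desk-pc", True, t0, "recovery", True))
    print(gate.attempt("front-desk-pc", True, t0, "verification", True))
    print(gate.attempt("front-desk-pc", True, t0 + timedelta(days=31)))
```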
With this release the system will remove credit card details 30 days after the cancellation/no-show date for security purposes.
The 30-day window makes it possible for a property to reconcile no-show/cancellation fees once a month (if they don’t do it daily/weekly) or to perform a refund if needed.
The emergency code is a necessary part of 2 Factor Authentication to help users log in if they lose access to their authentication device. This may be because they got a new phone number or a new phone. Users who lose their authentication device should verify a new device as soon as possible. For security purposes, the emergency code can only be used once.
This release will make it easier to verify a new device:
- Upon successfully entering the emergency code, the user should be redirected to the User Profile page to re-verify.
- The 2 Factor Authentication modal will automatically open. The user would be expected to verify with a new device.
- If needed, the user should be able to close the window; however, closing this modal will be noted in the activity log.
- It is the user’s responsibility to verify a new device after using the emergency code.