Overview
Cloudbeds has introduced step-up authentication for sensitive actions within Guest Experience (GX) to provide an additional layer of account security.
This security enhancement helps protect properties against unauthorized access and account takeover attempts by requiring users to verify their identity again before completing certain high-impact actions.
After a successful verification, the user remains trusted for 8 hours, minimizing disruptions during normal operations while still improving security protection.
What is Step-up Authentication?
Step-up Authentication is an additional identity verification prompt that appears before a sensitive action can be completed. Even if a user is already logged in, they may be asked to confirm their identity again using multi-factor authentication (MFA).
Why Cloudbeds Introduced This Feature
Hospitality systems continue to face increasingly sophisticated account takeover attempts targeting:
- Guest communications
- Marketing campaigns
- Email domain settings
- Automation workflows
- Messaging systems
Step-up Authentication helps reduce the impact of:
- Compromised sessions
- Shared or unattended workstations
- Stolen credentials
- Unauthorized access attempts
Even if someone gains access to an active session, they cannot perform protected actions without successfully completing a fresh verification challenge.
How Step-up Authentication Works
When a user accesses Guest Experience (GX) through Cloudbeds PMS and attempts a protected action:
- Cloudbeds checks whether the user has completed a recent step-up verification
- If no valid verification exists within the last 8 hours:
- The user is prompted to verify their identity as follows:
- Once verification succeeds:
- The user becomes trusted for the next 8 hours
- During the trust window:
Additional protected actions will not trigger another prompt
After the 8-hour window expires, the next protected action will require re-verification.
Supported Verification Methods
Depending on the property's authentication setup, users may verify using:
- Authenticator app (TOTP)
- Push notification
- WebAuthn / Security Key
- SMS code
- Voice verification
Email verification
Actions Protected by Step-up Authentication
Important
Step-up Authentication cannot be disabled for protected actions. This security layer is applied automatically to all accounts with Guest Experience access.
The following actions currently require step-up verification:
- Messaging Approved Links
- Add approved links
- Remove approved links
- Campaigns
- Send campaigns
- Guest Portal
- Edit Guest Portal settings
- Phone Numbers
- Purchase phone numbers
- Guest Chat
- Upload media/files
- Custom Email Domains
- Add domains
- Verify domains
- Edit sender name
- Edit reply-to address
- Automations and Auto-messages
- Create automations
- Edit automations
- Create auto-messages
- Edit auto-messages
- Boosting Credits
- Purchase or manage boosting credits
Frequently Asked Questions
Sensitive actions inside GX now require an additional verification step to protect against compromised or unattended sessions.
Once every 8 hours for protected actions after successful verification.
No. After successful verification, your session remains trusted for 8 hours.
No. This is expected security behavior introduced to strengthen account protection.
No. This feature is automatically enabled for all Guest Experience accounts.
Troubleshooting
Check:
- Your MFA device or authenticator app
- SMS or email delivery
- Spam/junk folders
- Network connectivity
Possible causes include:
- The 8-hour trust window expired
- Browser cookies/session data were cleared
- Incognito/private browsing mode
- Browser session resets
Comments
Please sign in to leave a comment.