1. Cloudbeds
  2. Configuration Hub
  3. Cloudbeds Booking Engine
  4. Booking Engine Customization

Step-up MFA for Booking Engine Custom HTML and JavaScript Fields

Gabriela Garcia
Updated

Hospitality businesses manage sensitive guest and reservation details, and those details can be targeted through compromised staff accounts, phishing attempts, or unauthorized session access. Booking Engine custom code fields are especially sensitive because changes to these fields can affect the guest-facing booking experience.

Cloudbeds uses step-up multi-factor authentication (MFA) to add an extra layer of protection when staff users edit sensitive Booking Engine custom HTML or JavaScript fields. When a user changes one of these protected fields and clicks Save, Cloudbeds may ask the user to verify their identity before the changes are saved.

This verification step helps reduce the risk of unauthorized code changes while allowing approved users to continue managing Booking Engine customizations securely.

 This security step applies only when specific Booking Engine custom code fields are changed. Guests using the Booking Engine are not affected.

Booking Engine custom fields protected by step-up MFA

Step-up MFA applies when saving changes to any of the following Booking Engine fields:

  • Custom Header
  • Custom Footer
  • Custom Meta Tags
  • JavaScript
  • Confirmation Page JavaScript

Other Booking Engine settings, such as colors, logos, room cards, policies, languages, payment options, and rate settings, do not trigger this MFA prompt.

How step-up MFA works when editing Booking Engine custom code

  1. Go to Account > Settings > Booking Engine.
  2. Click the Customize tab.
  3. Edit one or more protected custom code fields.
  4. Click Save.

Booking Engine Customize tab showing the protected custom code fields, such as Custom Header, Custom Footer, Custom Meta Tags, and JavaScript.

  1. If prompted, complete the additional verification step.
Additional verification modal displayed after clicking Save
  1. After successful verification, Cloudbeds saves the changes automatically. Open your Booking Engine page to review how the changes appear to guests.

 If the user clicks Cancel in the verification modal, the changes are not saved. The information entered in the form remains available so the user can click Save again and retry verification.

Verification methods supported by step-up MFA

Depending on the property's authentication setup, users may be able to verify their identity with one of the following methods:

  • Authenticator app code
  • Okta Verify push notification
  • WebAuthn or security key
  • SMS code
  • Voice verification
  • Email verification
Screenshot showing the factor selection screen, if available.

 Learn more: Multi-Factor Authentication - Everything you need to know.

How often users need to verify

After a successful verification, the user remains trusted for up to 8 hours for the same property and network connection.

During this 8-hour period, additional saves to protected Booking Engine custom code fields generally do not require another verification prompt, as long as the user is working with the same property and the same source IP address.

 If the user's IP address changes during the session, such as after turning a VPN on or off or switching networks, Cloudbeds may ask the user to verify again.

What happens when verification is successful

When the user completes the MFA prompt successfully, Cloudbeds saves the Booking Engine custom code changes. A confirmation message appears after the changes are saved.

Booking Engine success notification: “Your changes have been saved.”

What happens when verification fails

If verification fails, the changes are not saved, and the system shows a verification failed message: “Verification failed. Please try again.” 

The user can review the code, confirm the verification method, and try again.

FAQ step-up MFA for Booking Engine custom fields

Why am I being asked to verify my identity when saving Booking Engine custom code?

Cloudbeds asks for additional verification when sensitive Booking Engine custom code fields are changed. This helps protect the guest-facing Booking Engine from unauthorized custom HTML or JavaScript changes.

Will I need to verify every time I save changes?

No. After successful verification, the session remains trusted for up to 8 hours for the same user, property, and IP address. During that period, additional saves to protected fields generally do not trigger another prompt.

Why am I being asked to verify again within the same day?

This can happen if the 8-hour trust window expires or if the user's IP address changes. Common causes include VPN changes, switching networks, browser session resets, or using a private/incognito browser window.

What happens if I cancel the verification prompt?

The changes are not saved. The form remains available with the entered information so the user can click Save again and complete verification.

Can step-up MFA be disabled for Booking Engine custom code fields?

No. Step-up MFA is a security layer applied to protected Booking Engine custom code fields. There is no per-user or per-save skip option.

What should I do if I do not have an MFA method available?

Contact your property administrator for help setting up an MFA method for your user account. If additional help is needed, contact Cloudbeds Support.

Does this affect guests booking through the Booking Engine?

No. This verification step only applies to staff users editing protected Booking Engine custom code fields in Cloudbeds PMS. Guests completing reservations through the Booking Engine are not affected.

Does step-up MFA apply when editing non-code Booking Engine settings?

No. Changes to non-code settings, such as colors, logos, room cards, policies, languages, payment options, and rate settings, do not trigger the step-up MFA prompt.

 Related articles:

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.