Cloudbeds uses Multi-Factor Authentication (MFA) and Step-up Authentication to help protect your property account, guest data, and sensitive workflows from unauthorized access.
This article provides a quick overview of what Step-up Authentication is, why it matters, where it is currently used in Cloudbeds, and how to get started with MFA. For detailed setup instructions or product-specific behavior, use the related articles linked throughout this page.
What is Step-up Authentication?
|
Why this matters
🔐 Hospitality accounts may contain sensitive guest, reservation, payment-related, communication, and operational data. If an account or active session is accessed by someone who should not have access, the impact can affect both the property and its guests.
🛡️ Step-up Authentication helps reduce this risk by adding another layer of protection exactly when it matters most: before high-impact actions are completed.
How Step-up Authentication helps protect your property
Step-up Authentication adds value by helping protect against common security risks, such as:
- Unauthorized access from compromised login credentials
- Someone using an unattended workstation or active session
- Attempts to export or access sensitive guest and reservation data
- Unauthorized changes to guest-facing settings or communications
- Higher-risk actions completed without a fresh identity check
This security layer is especially important for actions that can expose guest information, modify guest-facing content, send communications, or affect how your property interacts with guests.
What users can expect
|
When Step-up Authentication is required, the user will see an additional verification prompt before the protected action is completed. Depending on the property's authentication setup and the user's available methods, the user may be able to verify with options such as:
|
After successful verification, the protected action can continue. If verification is canceled or fails, the action will not be completed until the user verifies successfully.
How long users remain trusted
After a successful Step-up Authentication challenge, the user generally remains trusted for up to 8 hours for the protected workflow.
The user may be asked to verify again if the trust window expires, the browser session changes, the network or IP address changes, or the user works in a private/incognito browser session.
How to get started with MFA
To use Step-up Authentication successfully, users must have an available Multi-Factor Authentication (MFA) method. Cloudbeds offers different authentication options so each property can choose the method that best fits its team, devices, and daily workflow.
For a complete overview of available MFA options, see Multi-Factor Authentication - Everything you need to know.
If you are not sure which option is the best fit for your team, review Choose the Best Login & MFA Method for You to compare the available methods by user scenario.
Best practices for property owners and admins
To help your team stay secure, avoid access issues, and reduce the risk of unauthorized activity, we recommend the following:
| Create individual user accounts for each staff member instead of sharing credentials. Learn how to manage users in Add, edit or disable users and user's activity log. | |
| Make sure each user has an MFA method that works for their daily workflow. For help comparing options, see Choose the Best Login & MFA Method for You. | |
| Encourage users to bookmark the official Cloudbeds login page and avoid searching for login links online. For login guidance, see How to Log In to Cloudbeds PMS. | |
| Review user roles and permissions regularly, especially access to exports, guest data, messaging, and property settings. Learn more in Role privileges. | |
| Assign at least one backup manager or admin who can help reset MFA for staff if they lose access to their verification method. For more details, see Reset Multi-Factor Authentication. | |
| Train staff to stop and report anything unusual, such as unexpected MFA prompts, suspicious login pages, or account behavior they do not recognize. |
Frequently Asked Questions
Is Step-up Authentication the same as MFA?
No. MFA is the security method used to verify a user's identity. Step-up Authentication is the additional verification prompt that appears before certain sensitive actions. It uses the user's available MFA methods to confirm their identity again before the action continues.
For a full overview of available MFA options, see Multi-Factor Authentication - Everything you need to know.
Will users need to verify every time they complete a protected action?
No. After successful verification, users generally remain trusted for up to 8 hours. During that period, they may not be prompted again for additional protected actions in the same workflow.
Can Step-up Authentication be disabled?
No. Step-up Authentication is a security layer applied automatically to protected actions. It cannot be disabled per user, per property, or per action.
Does Step-up Authentication affect guests?
No. Step-up Authentication applies to staff users completing protected actions inside Cloudbeds. Guests using guest-facing tools, such as the Booking Engine, are not asked to complete this staff verification step.
What should users do if their verification method is unavailable?
Users should contact a property owner, manager, or admin with user-management access. If the user is locked out or cannot complete verification, an authorized manager may need to reset the user's MFA status.
For instructions, see Reset Multi-Factor Authentication. Staff users can also review Locked Out? How to Get Back In (Staff Guide) for guidance on who to contact and what information to provide.
Why does the prompt appear again after I already verified?
This can happen when the 8-hour trust window expires, the browser session is reset, cookies are cleared, the user switches networks, a VPN changes the IP address, or the user is working in a private/incognito browser window.
Where Step-up Authentication is currently used in Cloudbeds
Step-up Authentication is currently used for selected sensitive actions across different Cloudbeds areas. The protected actions may vary depending on the product area and the user's access.
Guest Experience (GX)
In Guest Experience, Step-up Authentication helps protect sensitive actions related to guest messaging, campaigns, approved links, guest portal settings, phone numbers, custom email domains, automations, auto-messages, and boosting credits.
Learn more: Step-up Authentication in Guest Experience (GX)
Reservation Exports
Reservation exports may include sensitive guest and operational information. Step-up Authentication helps confirm the user's identity before the export is generated.
Learn more: Step-up Authentication for Reservation Exports
Booking Engine custom HTML and JavaScript fields
Booking Engine custom code fields can affect the guest-facing booking experience. Step-up Authentication helps protect specific custom HTML and JavaScript fields from unauthorized changes.
Learn more: Step-up MFA for Booking Engine Custom HTML and JavaScript Fields
Comments
Please sign in to leave a comment.