Two-factor authentication (2FA) in Retail POS (X-Series)

Two-factor authentication (2FA) adds an extra layer of security to your admin user accounts.

Enabling two-factor authentication reduces the risk of internal/external fraud and identity theft, and protects your business from attacks that may compromise your data.

Two-factor authentication for admin users

Two-factor authentication can be enabled for admin users (including primary admins).

The admin user level is intended for the store owner or the head office account. An admin user has full access to view and edit all stores within your account. This means that if an admin user is compromised, all data within the store can be accessed and altered.

When enabled, two-factor authentication will require the admin user to input their existing password and a one-time password (OTP) generated by an authorized third-party authentication application.

This is intended to reduce the risk of internal/external fraud and identity theft, and to protect your business from attacks that may compromise your data.

As cashier and manager user roles do not have the same level of access that an admin user role has, two-factor authentication is not available for cashier and manager user roles.

For further information on user roles and permissions, refer to our Setting User Roles and Permissions in Retail POS (X-Series) guide.

  Important

Starting April 30th, 2021, it is mandatory for all Australia-based Retail POS retailers integrated with Xero to use two-factor authentication for admin users (including the primary admin) in order to comply with Xero's new global security standards.

Two-factor authentication cannot be disabled for these admin users (including the primary admin). Cashier and manager user roles do not require the use of two-factor authentication.

Setting up two-factor authentication

1. Log into your Retail POS store with the admin account you wish to enable two-factor authentication on and navigate to Setup > Users

  Note

Two-factor authentication can only be set up on the admin user currently logged in. The primary user cannot set up two-factor authentication on behalf of another admin.

To change users, click the username located at the top right of your screen, select Switch user, and log in as the user that requires the two-factor authentication setup.

2. Select the admin user you are logged in as

3. Scroll to Security and ID

4. Under Two-factor authentication, click Set up two-factor authentication

5. Click Get started

6. Enter the account password

7. Click Next

8. Download an authentication app onto a designated device, such as a phone. We recommend using Twilio Authy, Google Authenticator, or Microsoft Authenticator.

9. Scan the QR code displayed with your chosen authentication app, or click enter this text code instead and enter the code displayed into the authentication app

10. Click Next

11. Enter the code displayed on the authentication app into Retail POS

12. Click Confirm

13. Save the account recovery codes by clicking Copy to clipboard and pasting into a secure location, or clicking Download to save a .txt file

  Important

Recovery codes are the primary resource for account recovery should an account holder lose access to their authorized device or access to the authentication app.

Ensure these are saved in a secure location that can be accessed by only the account holder when required.

14. Once you've made your selection, click Thanks, I'm done to finish

Logging into Retail POS with two-factor authentication

1. Go to the Sign In page

2. Enter your store URL

3. Click Next

4. Enter your username and password

5. Click Sign in

6. Open the authentication app on your designated device and enter the code displayed into the Enter your authentication code page on Retail POS

  Tip

To have Retail POS remember your two-factor authentication on the device you're logging in on for 30 days, select the Remember me on this device for 30 days checkbox before entering the authentication code.

You will still need to enter your username and password from step 4 when logging back in. After the 30 day period has expired, you will need to enter an authentication code again.

7. When entered correctly, you will be automatically signed into your account. 

  Important

If you have lost your designated device and/or can no longer access the authentication app registered to your Retail POS account, you will need to complete an account recovery.

Refer to the account recovery with two-factor authentication section below.

Account recovery with two-factor authentication

Recovery codes

The first avenue for recovering an account with two-factor authentication enabled is using the recovery codes you saved during the setup process.

There are 12 codes in total and each can be used once. This means that when a code is used, it will no longer be valid and you'll need to use another code on the list next time.

1. Go to the Sign in page and input your store URL, username, and password. 

2. On the Enter your authentication code page, click I can't access my authenticator app.

3. Paste an unused recovery code into the recovery code data field and click Sign in

4. Proceed to reset your two-factor authentication (see dropdown below)

Two-factor authentication reset

For Retail POS stores with multiple admin accounts (in addition to the primary admin account), the primary admin account holder should be contacted to perform a two-factor authentication reset.

Admin accounts can also reset two-factor authentication on other Admin accounts, but not primary admin accounts.

Refer to the steps in the resetting/removing two-factor authentication dropdown below.

Contact support

In the instance where access to a primary admin account needs to be recovered and recovery codes are not available, the primary admin account holder can contact Support to assist.

Contact must be made using the registered primary admin email address. Please note that our Support team cannot proceed with an account recovery request that has not been approved using the primary admin account registered email address.

Resetting/removing Two-factor authentication

Reset Two-factor authentication

To reset two-factor authentication after recovering an account, follow the steps below:

1. Navigate to Setup > Users

2. Select the admin account you wish to reset two-factor authentication for

3. Scroll to Security and ID

4. Under two-factor authentication is set up, click Reset two-factor authentication Setup

5. Click Get started

6. Enter the account password

7. Click Next

9. Open your authentication app and scan the QR code displayed

10. Click Next

11. Enter the code displayed on the authentication app into Retail POS

12. Click Confirm

13. Save the new account recovery codes by clicking Copy to clipboard and pasting into a secure location, or clicking Download to save a .txt file

14. Once you've made your selection, click Thanks, I'm done to finish

Remove Two-factor authentication

  Important

Starting April 30th, 2021, it is mandatory for all Australia-based Retail POS retailers integrated with Xero to use two-factor authentication for admin users (including the primary admin) in order to comply with Xero's new global security standards.

Two-factor authentication cannot be disabled for admin users. Cashier and manager user roles do not require the use of two-factor authentication.

For further information on user roles and permissions, refer to our Setting User Roles and Permissions in Retail POS (X-Series) guide.

1. Navigate to Setup > Users

2. Select the admin account you wish to remove two-factor authentication for

3. Scroll to Security and ID

4. Under two-factor authentication is set up, click Remove two-factor authentication

5. Click Next

6. Enter the account password

7. Click Remove two-factor authentication

Troubleshooting Two-factor authentication

"Invalid authentication code entered. Please try again."

The code being entered during the Enter your authentication code stage of logging in is not being recognized by Retail POS and therefore not accepted.

Solution one

On the authentication app, wait until the authentication code has timed out and a new code is generated. Input the new code to pass the Enter your authentication code stage.

Solution two

If solution one is not successful after multiple tries, it may be because the time on your authentication app is out of sync with Retail POS.

To solve this, navigate to your date and time settings on your authentication device. Set the date and time to an Automatic or Network setting. 

Google Authenticator:

  1. On an Android device, go to the main menu of the Google Authenticator app.

  2. Tap the 3 dots (More)

  3. Tap Settings

  4. Tap Time correction for codes

  5. Tap Sync now.

On the next screen, the Google Authenticator will confirm the time has been synced. You should be able to sign in.

The sync will only affect the internal time of your Google Authenticator app, and will not change your device’s Date & Time settings.
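
Why a wrong device clock produces the "Invalid authentication code" error, shown as an added example that is not Retail POS code. It assumes the authentication apps generate standard RFC 6238 time-based codes (30-second step, 6 digits, HMAC-SHA1) and that the server tolerates one step of drift; the page does not state these parameters, and the secret is the RFC test value, not a real key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (assumed; RFC 6238 default)
DIGITS = 6   # code length (assumed)
WINDOW = 1   # steps of drift the server tolerates either way (assumed)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the time step that contains unix_time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def server_accepts(secret: bytes, code: str, server_time: int) -> bool:
    """True if code matches any step within WINDOW of the server clock."""
    for drift in range(-WINDOW, WINDOW + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False

def login_outcomes(secret: bytes, server_time: int, skews) -> dict:
    """Map each device clock error (seconds) to whether its code is accepted."""
    return {
        skew: server_accepts(secret, totp(secret, server_time + skew), server_time)
        for skew in skews
    }

SECRET = b"12345678901234567890"  # RFC 6238 test secret (constructed input)
SERVER_TIME = 1_700_000_025       # constructed timestamp, 15 s into a step
DEVICE_SKEWS = [0, 20, 90, -300]  # constructed device clock errors, in seconds

if __name__ == "__main__":
    for skew, ok in login_outcomes(SECRET, SERVER_TIME, DEVICE_SKEWS).items():
        print(f"device clock off by {skew:+5d} s -> "
              f"{'accepted' if ok else 'Invalid authentication code'}")
```

A device that is a few seconds off still lands inside the tolerated window, while one that is minutes off never does, which is why waiting for a new code (solution one) cannot fix a skewed clock but a time sync can.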

Unable to change users and/or "Looks like we're having some server issues" page

For user accounts that have not logged in since two-factor authentication was released, old versions of the Retail POS login page may be saved in your browser's cache and may cause issues connecting to the two-factor authentication page.

To fix this, navigate to your browser's cache settings and clear the cache.

Google Chrome:

  1. Open Chrome
  2. At the top right, click More/the 3 dots
  3. Click More tools then Clear browsing data
  4. In the Time Range dropdown, select All time
  5. Ensure the Cookies and other site data and Cached images and files checkboxes are selected
  6. Click Clear data

Once the cache has been cleared, navigate back to the Sign in page and log in as per usual.

For further information on user roles and permissions, refer to our Setting User Roles and Permissions in Retail POS (X-Series) guide.
