Two-Factor Authentication (2FA) in Vend

Screen_Shot_2021-03-31_at_3.37.34_PM.png

Two-Factor Authentication (2FA) adds an extra layer of security to your Admin user accounts.

Reduce the risk of internal/external fraud, identity theft, and protect your business from attacks that may compromise your data by enabling Two-Factor Authentication now.

Two-Factor Authentication for Admin users

Two-Factor Authentication can be enabled for Admin users (including Primary Admins).

Screen_Shot_2021-04-09_at_2.47.59_PM.png

The Admin user level is intended for the store owner or the head office account. As an Admin user, the user will have full access to view and edit all stores within your account. This means if an Admin user becomes compromised, all data within the store can be accessed and altered.

When enabled, Two-Factor Authentication will require the Admin user to input their existing password and a One Time Password (OTP) generated via an authorised third party authentication application.

This works to reduce the risk of internal/external fraud, identity theft, and protect your business from attacks that may compromise your data.

As Cashier and Manager user roles do not have the same level of access that an Admin user does, Two-Factor Authentication is not available for Cashier and Manager user roles.

For further information on User Roles and Permissions in Vend, click here

  Important

From 30 April 2021, it is mandatory for all Australia-based Vend retailers integrated with Xero to use Two-Factor Authentication for Admin users (including the Primary Admin) in order to comply with Xero's new global security standards.

Two-Factor Authentication cannot be disabled for these Admin users (including the Primary Admin). Cashier and Manager user roles do NOT require the use of Two-Factor Authentication.

Setting up Two-Factor Authentication in Vend

1. Log into your Vend store with the Admin account you wish to enable Two-Factor Authentication on and navigate to Setup -> Users

  Note

Two-Factor Authentication can only be setup on the Admin user currently logged in. The Primary cannot setup Two-Factor Authentication on behalf of another admin.

To change users, click the username in the top right, select Switch User and log in as the user that requires Two-Factor Authentication setup.

2. Select the Admin user you are logged in as

Screen_Shot_2021-03-31_at_9.07.09_AM.png

3. Scroll to Security and ID

4. Under TWO-FACTOR AUTHENTICATION, click Set up Two-factor Authentication

Screen_Shot_2021-03-31_at_9.07.22_AM.png

5. Click Get Started

Screen_Shot_2021-03-31_at_9.07.47_AM.png

6. Enter the account password

7. Click Next

Screen_Shot_2021-03-31_at_9.07.59_AM.png

8. Download an authentication app onto a designated device, such as a phone. We recommend using Twilio Authy, Google Authenticator, or Microsoft Authenticator.

9. Scan the QR code displayed with your chosen authentication app, or click enter this text code instead and enter the code displayed into the authentication

10. Click Next

Screen_Shot_2021-03-31_at_9.13.35_AM.png

11. Enter the code displayed on the authentication app into Vend

12. Click Confirm

Screen_Shot_2021-03-31_at_9.11.52_AM.png

13. Save the account recovery codes by clicking Copy to Clipboard and pasting into a secure location, or clicking Download to save a .txt file

  Important

Recovery Codes are the primary resource for account recovery should an account holder lose access to their authorised device or access to the authentication app.

Ensure these are saved in a secure location that can be accessed by only the account holder when required.

14. Once you've made your selection, click Thanks, I'm done to finish

Logging into Vend with Two-Factor Authentication

1. Go to https://secure.vendhq.com

Screen_Shot_2021-03-31_at_1.24.13_PM.png

2. Enter you Store URL

3. Click Next

Screen_Shot_2021-03-31_at_1.24.24_PM.png

4. Enter your Username and Password

5. Click Sign In

Screen_Shot_2021-05-20_at_10.00.41_AM.png

6. Open the authentication app on your designated device and enter the code displayed to the Enter your authentication code page on Vend

  Tip

To have Vend remember your Two-Factor Authentication on the device you're logging in on for 30 days, select the Remember me on this device for 30 days checkbox before entering the authentication code.

You will still need to enter your Username and Password from Step 4 when logging back in. After the 30 day period has expired, you will need to enter an authentication code again.

Screen_Shot_2021-05-20_at_10.00.44_AM.png

7. When entered correctly, you will be automatically signed into your account. 

  Important

If you have lost your designated device and/or can no longer access the authentication app registered to your Vend account, you will need to complete an account recovery.

Refer to the Account recovery with Two-Factor Authentication section below

Account recovery with Two-Factor Authentication

Recovery Codes

The first avenue for recovering an account with Two-Factor Authentication enabled is using the Recovery Codes you saved during the set up process.

There are 12 codes in total and each can be used ONCE. This means that when a code is used, it will no longer be valid and you'll need to use another code on the list next time.

Screen_Shot_2021-03-31_at_1.24.24_PM.png

1. Go to https://secure.vendhq.com and input your Store URL, Username and Password

Screen_Shot_2021-03-31_at_11.08.42_AM.png

2. On the Enter your authentication code page, click I can't access my authenticator app.

3. Paste an unused Recovery Code into to the Recovery Code data field and click Sign In

4. Proceed to resetting Two-Factor Authentication (see dropdown below)

Two-Factor Authentication reset

For Vend stores with multiple Admin accounts (in addition to the Primary Admin account), the Primary Admin account holder should be contacted to perform a Two-Factor Authentication reset.

Screen_Shot_2021-03-31_at_2.45.34_PM.png

Admin accounts can also reset Two-Factor Authentication on other Admin accounts, but not Primary Admin accounts.

Refer to the steps in the Resetting/removing Two-Factor Authentication dropdown below.

Contact support

In the instance where access to a Primary Admin account needs to be recovered and Recovery Codes are not available, the Primary Admin account holder can contact Support to assist.

Screen_Shot_2021-03-31_at_2.42.55_PM.png

Contact must be made using the registered Primary Admin email address. Please note that Support CANNOT proceed with an account recovery request that has not been approved using the Primary Admin account registered email address.

Resetting/removing Two-Factor Authentication

Reset Two-Factor Authentication

To reset Two-Factor Authentication after recovering an account, follow the steps below:

1. Navigate to Setup -> Users

2. Select the Admin account you wish to reset Two-Factor Authentication for

Screen_Shot_2021-03-31_at_2.50.40_PM.png

3. Scroll to Security and ID

4. Under TWO-FACTOR AUTHENTICATION IS SET UP, click Reset Two-factor Authentication Setup

Screen_Shot_2021-03-31_at_9.07.22_AM.png

5. Click Get Started

Screen_Shot_2021-03-31_at_9.07.47_AM.png

6. Enter the account password

7. Click Next

Screen_Shot_2021-03-31_at_9.07.59_AM.png

9. Open your authentication app and scan the QR code displayed

10. Click Next

Screen_Shot_2021-03-31_at_9.13.35_AM.png

11. Enter the code displayed on the authentication app into Vend

12. Click Confirm

Screen_Shot_2021-03-31_at_9.11.52_AM.png

13. Save the new account recovery codes by clicking Copy to Clipboard and pasting into a secure location, or clicking Download to save a .txt file

14. Once you've made your selection, click Thanks, I'm done to finish

Remove Two-Factor Authentication

  Important

From 30 April 2021, it is mandatory for all Australia-based Vend retailers integrated with Xero to use Two-Factor Authentication for Admin users (including the Primary Admin) in order to comply with Xero's new global security standards.

Two-Factor Authentication cannot be disabled for Admin users. Cashier and Manager user roles do NOT require the use of Two-Factor Authentication

For further information on User Roles and Permissions in Vend, click here

1. Navigate to Setup -> Users

2. Select the Admin account you wish to remove Two-Factor Authentication for

Screen_Shot_2021-03-31_at_2.50.40_PM.png

3. Scroll to Security and ID

4. Under TWO-FACTOR AUTHENTICATION IS SET UP, click Remove Two-factor Authentication

Screen_Shot_2021-03-31_at_2.54.21_PM.png

5. Click Next

Screen_Shot_2021-03-31_at_2.54.27_PM.png

6. Enter the account Password

7. Click Remove Two-factor Authentication

Troubleshooting Two-Factor Authentication

"Invalid authentication code entered. Please try again."

The code being entered during the Enter your authentication code stage of logging in is not being recognised by Vend and therefore not accepted.

Solution one

On the authentication app, wait until the authentication code has timed out and a new code is generate. Input the new code to pass the Enter your authentication code stage.

Solution two

If solution one is not successful after multiple tries, it may be because the timing sync between your authentication app and Vend is incorrect.

To solve this, navigate to your date and time settings on your authentication device. Set the date and time to an Automatic or Network setting. 

Google Authenticator:

  1. On an Android device, go to the main menu of the Google Authenticator app.

  2. Tap the 3 dots More

  3. Tap Settings

  4. Tap Time correction for codes

  5. Tap Sync now.

On the next screen, the Google Authenticator will confirm the time has been synced. You should be able to sign in.

The sync will only affect the internal time of your Google Authenticator app, and will not change your device’s Date & Time settings.

Unable to change users and/or "Looks like we're having some server issues" page

For user accounts that have not logged in since Two-Factor Authentication was released, old versions of the Vend login page may be saved in your browsers cache and causing issues connecting to the Two-Factor Authentication page.

To fix this, navigate to your browsers cache settings and clear the cache.

Google Chrome:

  1. Open Chrome
  2. At the top right, click More/the 3 dots
  3. Click More Tools then Clear Browsing Data
  4. In the Time Range dropdown, select All Time
  5. Ensure the Cookies and other site data and Cached images and files checkboxes are select
  6. Click Clear data

Once the cache has been cleared, navigate back to vendhq.com and login as per usual.

  Important

From 30 April 2021, it is mandatory for all Australia-based Vend retailers integrated with Xero to use Two-Factor Authentication for Admin users (including the Primary Admin) in order to comply with Xero's new global security standards.

Two-Factor Authentication cannot be disabled for Admin users. Cashier and Manager user roles do NOT require the use of Two-Factor Authentication

For further information on User Roles and Permissions in Vend, click here

Did this answer your question?
Have more questions? Contact us so that we can help you out.