Two-factor authentication for Smartsite Manager

Smartsite 7.10 - ...

Access to the Smartsite manager can be secured more fully using two-factor authentication. In this process, the user is sent an access code. Smartsite 7.10 ships with two built-in providers:

  • EmailTwoFactorProvider
  • SmsTwoFactorProvider

Enable two-factor authentication by adding the application setting 

<add key="security.twofactor.provider" value="Smartsite.Manager.{providerName}, Smartsite.Manager" />

to the WWWMgr web.config.

Email

Sends an email to the user attempting to log in through the standard configured SMTP server, from the configured DefaultSenderAddress. The subject and message body are read from the localized string resources "LOGIN_2_FACTOR_EMAIL_SUBJECT" and "LOGIN_2_FACTOR_EMAIL_BODY". These can be overridden as needed through the Localization Strings manager action. The body text supports the placeholders {confirmationcode}, {username} and {sitename}.

Note that users who do not have an email address configured will no longer be able to log in to the Smartsite manager.

SMS text message

Sends an SMS text message through MessageBird.com, which requires an account. The account is selected through the application setting "security.twofactor.sms.senderaddress". The message text is read from the localized string resource "LOGIN_2_FACTOR_SMS_MESSAGE". The message text supports the placeholders {confirmationcode} and {sitename}.

Note that users who do not have a PhoneMobile configured will no longer be able to log in to the Smartsite manager.

Publication

Two-factor is only available in the manager. Users can sign in to the publication using only username and password. To prevent users from accessing the manager without two-factor authentication, change the name attribute of the authentication in the web.config:

<authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="2880" name="SmartsiteMgr" />
</authentication>

If the names in the configs of WWW and WWWMgr match, users will only have to sign in once. Note that using different names works both ways: users signed in to the manager are not automatically signed in to the publication.
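
A check for the two settings described above, as an added example that is not part of the Smartsite documentation or product: it reports a missing provider setting and a forms cookie name shared between the WWW and WWWMgr configs. The function name Test-TwoFactorConfig, the sample configs and the publication's loginUrl are constructed for illustration.

```powershell
# Added example (not Smartsite code). Test-TwoFactorConfig is a hypothetical helper.
function Test-TwoFactorConfig {
    param([xml]$Manager, [xml]$Publication)

    # 1. The manager config must name a two-factor provider.
    $node = $Manager.SelectSingleNode("//appSettings/add[@key='security.twofactor.provider']")
    if ($null -eq $node -or [string]::IsNullOrWhiteSpace($node.GetAttribute('value'))) {
        'security.twofactor.provider is not set in the manager config'
    }

    # 2. The forms cookie names must differ. ASP.NET uses ".ASPXAUTH" when the
    #    name attribute is absent, so two configs that both omit it still match.
    $names = foreach ($doc in $Manager, $Publication) {
        $forms = $doc.SelectSingleNode('//authentication/forms')
        $name = if ($null -ne $forms) { $forms.GetAttribute('name') }
        if ([string]::IsNullOrEmpty($name)) { '.ASPXAUTH' } else { $name }
    }
    if ($names[0] -eq $names[1]) {   # -eq ignores case, the stricter reading
        "forms cookie name '$($names[0])' is shared: a publication sign-in also signs the user in to the manager"
    }
}

# Constructed sample configs: both sites still use the same cookie name.
$managerConfig = @'
<configuration>
  <appSettings>
    <add key="security.twofactor.provider" value="Smartsite.Manager.EmailTwoFactorProvider, Smartsite.Manager" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" name="SmartsiteMgr" />
    </authentication>
  </system.web>
</configuration>
'@
$publicationConfig = @'
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" name="SmartsiteMgr" />
    </authentication>
  </system.web>
</configuration>
'@

# Prints one finding for the shared cookie name; an empty result means both checks passed.
@(Test-TwoFactorConfig -Manager $managerConfig -Publication $publicationConfig)
```

To audit a real installation, pass the contents of the two files instead, for example with `Get-Content -Raw` on each web.config.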