Login with PIN
Our applications support logins using a personal identification number (PIN). The following settings tweak the behaviour of this type of login:
- Set to true to enable PIN logins
- Length of the PIN codes (5 digits minimum)
- Expiration time for PIN codes in hours
- The type of 2FA bound to the PIN login (see below)
Since a PIN on its own is a weak credential, we run a second authentication factor (2FA) behind the scenes. We currently support two different methods:
- Through IP-address (default)
- Using a device-bound secure token
Login with PIN in the Checkout App
Once you've enabled PIN logins, you can decide whether to set a PIN.
If you skipped the PIN setup modal at first, use the setting App:Login:ReentryPrompt to determine when the modal will appear again:
- 0 (the default when the setting is not set): the PIN setup modal will never be shown
- The modal will be shown every time the Checkout App restarts
- The modal will be shown once a day
Authentication through IP-address
By default, we use the IP-address of the store to verify that a PIN login really comes from that store. This is a physical second factor: you have to be connected to the store's network, which limits who can even attempt a PIN login.
At first, since you have no PIN yet, you log in with your e-mail and password and then set your PIN code. The PIN is attached to the IP-address of the store, so when you log in on any other device in that same network, you can use your PIN to log in faster. EVA checks the IP-address and PIN code and grants access only if both are valid.
This method only works if your stores have a static IP-address, which needs to be configured on the organization unit (OU) in Admin Suite.
Device-bound secure token
EVA has its roots in the Netherlands, where static IP-addresses and a rock-solid connection are common practice. This is not the case all around the world, which breaks our default method, so we introduced an additional method to tackle this issue.
This method involves a secure token, which EVA returns to you when you log in with your e-mail and password. The token binds the device to the store and is stored locally on the device. With this token, that particular device is allowed PIN logins to that particular store until the token expires.
By default, the token expires after 7 days. However, every successful login yields a new secure token, so even minimal use of the app prevents the device from ever being 'detached' from the store.
This method has its limitations, as these secure tokens are generated for a specific device, and are stored locally on this device.
- Before you can log in with PIN on a particular device, that device needs to have a secure token, and thus would have to be logged in to (once) using e-mail and password.
- Taking the device outside the store would still allow logging in with a PIN to the store it was originally bound to. Using e-mail and password to log in would generate a new secure token, attaching the device to the store you are then logged in to.
Configuring PIN methods
We have a setting called LoginWithIdentificationPin:Method that can be used to select your desired method from the ones mentioned above.
The values are bit flags: add them up to support multiple authentication methods, so a value of 3 means we allow both 1, the IP-address method (used when your IP matches the store's), and 2, the secure token method (used when it doesn't). This is probably the preferred configuration when dealing with changing IP-addresses.
- 1: IP method (default)
- 2: Secure token method
- No security: just log in to the organization unit you specify in your request. This is not safe at all, and only works in TEST environments.
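The following is an added illustration, not EVA's own code: a small model of how the LoginWithIdentificationPin:Method bit flags (1 = IP, 2 = device token, 3 = either) gate a PIN login, including the 7-day token expiry, the store binding of the token, and the renewal on every successful login. The class and function names, the flat seconds clock and the IP values are assumptions; verifying the PIN itself is assumed to have happened before this check.

```python
# Added illustration, not EVA's own code. Names, data shapes and the
# integer clock are assumptions; the PIN is assumed already verified.
from dataclasses import dataclass
from typing import Optional, Tuple

METHOD_IP = 1                    # client IP must equal the store's static IP
METHOD_DEVICE_TOKEN = 2          # device must hold an unexpired token for this store
TOKEN_LIFETIME = 7 * 24 * 3600   # default 7-day expiry stated on the page


@dataclass(frozen=True)
class DeviceToken:
    store_id: str
    issued_at: int   # seconds since epoch (constructed clock, not wall time)


@dataclass(frozen=True)
class Store:
    store_id: str
    static_ip: Optional[str]   # None when no static IP is configured on the OU


def issue_token(store: Store, now: int) -> DeviceToken:
    """Every successful login binds the device to the store with a fresh token."""
    return DeviceToken(store.store_id, now)


def ip_factor_ok(store: Store, client_ip: str) -> bool:
    # Without a static IP on the OU the IP factor can never succeed.
    return store.static_ip is not None and client_ip == store.static_ip


def token_factor_ok(store: Store, token: Optional[DeviceToken], now: int) -> bool:
    if token is None or token.store_id != store.store_id:
        return False   # no token, or a token bound to a different store
    return now - token.issued_at < TOKEN_LIFETIME


def pin_login(method: int, store: Store, client_ip: str,
              token: Optional[DeviceToken], now: int) -> Tuple[bool, Optional[DeviceToken]]:
    """Return (allowed, token after the attempt). Bits are OR-ed: 3 = IP or token."""
    allowed = (bool(method & METHOD_IP) and ip_factor_ok(store, client_ip)) or \
              (bool(method & METHOD_DEVICE_TOKEN) and token_factor_ok(store, token, now))
    # A successful login yields a new token, so an active device never detaches.
    return allowed, (issue_token(store, now) if allowed else token)
```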
The PIN you have configured will work across devices and even across different apps.
Create your PIN on the Companion and feel free to use this same PIN to then log in to our POS. You can even use the same PIN, created with an IP-address as part of 2FA, on another device with a secure device token, for example if your connection becomes unreliable.
(Just note that when using the secure token method, the device you log in to should have logged in to that store using e-mail and password at least once.)
After selecting the correct store to log in to, it's possible to immediately select a station as well. This functionality can be configured in the Admin Suite using the setting App:ShowStationSelectorOnLogin. It can be set to either true or false; the default is false. When set to true, users will be prompted with a station selector after selecting an organization unit during the login flow.