Authentication and Security Options

Objective

After completing this lesson, you will be able to identify the authentication types that allow users to access your sites.

Authentication Security

Authentication Types

Authentication security is a critical aspect of managing user access to your sites. SAP Customer Data Cloud offers a range of authentication methods and security settings that can be configured to meet your specific needs. Let's explore these options in detail.

The Authentication Types page offers Password (pre-selected), Push Notification, FIDO Configuration, Email OTP, and Magic Link Configuration.

SAP Customer Data Cloud supports several authentication types, each with its own advantages and use cases:

  • Password Authentication – This is the most basic and universally supported method. Users authenticate by providing a username and password. Password authentication is always enabled.
  • Push Notifications – This method allows users to authenticate using a notification sent to their mobile phones. It provides a convenient and secure alternative to passwords.
  • FIDO Configuration – FIDO (Fast Identity Online) is a passwordless and phishing-resistant authentication method supported on mobile devices and desktop web browsers. It leverages biometric or hardware-based security keys for authentication.
  • Email OTP (One-Time Password) – This passwordless login method sends a one-time code to the user's email address on file. The user enters this code to log in.
  • Magic Link Configuration – Similar to Email OTP, Magic Link sends an HTML link to the user's email address. Clicking the link automatically logs the user into the site.

For more information, refer to the Authentication documentation in the SAP Help Portal.

Password Settings

Password security is essential for protecting user accounts. SAP Customer Data Cloud provides several settings to enforce strong password policies.

The Password Strength dialog allows you to define the minimum length for new passwords entered by the user, the minimum number of character groups, and a regular expression the password must satisfy. You may also require that the password be changed after a certain number of days, and prevent the user from re-using recent passwords.

Password Strength

  • Min Length – Specifies the minimum number of characters required for a password.
  • Min Character Groups – Defines the number of different character groups (capital letters, lowercase letters, numbers, and special characters) that must be included in the password.
  • Regular Expression – Allows you to define a custom string pattern that passwords must match, providing an alternative or additional way to specify password strength.

Password Settings

  • Require Password Change After … days – You can configure the system to require users to change their passwords after a specified number of days.
  • Forbid Reusing Any of the Previous … passwords – This setting prevents users from reusing a specified number of their recent passwords.
  • Password Reset Token Expiration Time – Sets the time, in seconds, before a password reset token expires.
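The Password Strength and Password Settings options above, as an added example of how such a policy is evaluated; this is illustrative code, not SAP Customer Data Cloud's implementation, and the policy key names and sample values are assumptions.

```javascript
// Added example (not SAP Customer Data Cloud code): evaluates a candidate
// password against a policy object whose keys mirror the console options
// above. The key names and the sample policy values are assumptions.
const CHAR_GROUPS = [
  /[A-Z]/,          // capital letters
  /[a-z]/,          // lowercase letters
  /[0-9]/,          // numbers
  /[^A-Za-z0-9]/,   // special characters (anything else, including spaces)
];

function countCharGroups(password) {
  return CHAR_GROUPS.filter((re) => re.test(password)).length;
}

// Returns { ok, failures } so a caller can show the user every unmet rule,
// not only the first one.
function checkPasswordStrength(password, policy) {
  const failures = [];
  if (password.length < policy.minLength) {
    failures.push(`shorter than the minimum length of ${policy.minLength}`);
  }
  if (countCharGroups(password) < policy.minCharGroups) {
    failures.push(`uses fewer than ${policy.minCharGroups} character groups`);
  }
  // The console's Regular Expression option is an additional constraint,
  // applied on top of the length and character-group rules.
  if (policy.regex && !new RegExp(policy.regex).test(password)) {
    failures.push('does not match the required pattern');
  }
  return { ok: failures.length === 0, failures };
}

// "Require Password Change After ... days": true once the password is at
// least changeAfterDays old. Dates are compared in whole milliseconds.
function passwordChangeRequired(lastChangedAt, now, policy) {
  if (!policy.changeAfterDays) return false;
  const ageDays = (now.getTime() - lastChangedAt.getTime()) / 86400000;
  return ageDays >= policy.changeAfterDays;
}

// Sample policy (constructed): 12+ characters, 3 of 4 groups, no whitespace,
// forced change every 90 days.
const SAMPLE_POLICY = {
  minLength: 12,
  minCharGroups: 3,
  regex: '^\\S+$',
  changeAfterDays: 90,
};
```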

Verification Methods

Authentication levels are associated with each authentication method based on their degree of security. A higher authentication level signifies a higher level of trust. When defining rules, assign a higher required authentication level for more suspicious behavior.

Page section allowing you to select Email Authorization (Level 10), SMS/Phone or Authenticator App (Level 20), or Push Notification (Level 30).

For more information, refer to Verification Methods documentation in the SAP Help Portal.

Email Verification

Email verification is a crucial step in ensuring the authenticity of user accounts.

Page fragment allowing you to activate email verification. The options include requiring verification following a social login, using a code to verify, customizing the redirection URL, customizing the link expiration time, and automatically logging in users after verification.

SAP Customer Data Cloud offers the following email verification options:

  • Require account confirmation using a link or code sent over email: This option mandates that users verify their email address by clicking a link or entering a code sent to their email.
  • Verification link expiration time: Specifies the number of hours that verification emails are valid.
  • Automatically log in users upon email verification: When enabled, users are automatically logged in once their email address is verified. This requires a customized redirection URL (a landing page) on your site that contains the SAP Customer Data Cloud JavaScript library and fires the onLogin global event.

For more information, refer to the Email Verification documentation in the SAP Help Portal.

Account Verification and Double Opt-In

SAP Customer Data Cloud allows you to configure emails to be sent to confirm password resets and account deletions.

Page fragment allowing you to enable and edit the template of the Password reset and Account deletion confirmations, and to set the redirection URL, expired redirection URL, and the link expiration time, in hours.

Before automated emails can be enabled, templates must be defined for the relevant emails.

  • Password reset confirmation – When enabled, an email is sent after the user successfully resets their password.
  • Account deletion confirmation – When enabled, an email is sent after the user successfully deletes their account.

For more information, refer to the Account Verification documentation in the SAP Help Portal.

Double Opt-In

For implementations that include Subscription Management and require double opt-in, you can customize redirection URLs, expired redirection URLs, and confirmation link expiration time.

Email and SMS Templates

Email and SMS Templates

SAP Customer Data Cloud provides customizable email and SMS templates for various user interactions:

Selecting the Email Verification template from the list of email templates, we see that the template exists in three languages, English, German, and French. English is the default, and it consists of HTML content.

Email templates are used for emails sent to users as part of their site journey. They are fully customizable, can be added in multiple languages, and are inherited by child sites from their parent sites when using site groups. Email templates are set up as HTML templates with placeholders and META tags.

Use the Email Templates page in the console to design templates. If you create multiple templates, you must select one of them as the default template.

The default template language is English, but you may select another language when you define a new template. Preview templates by clicking the eye icon on the right side of the template name.

SAP Customer Data Cloud checks the profile.locale property in the user’s account to decide what template language to use.

For more information, refer to the Email Templates documentation in the SAP Help Portal.

SMS Templates

SMS templates allow you to define text messages for SMS messages sent to users, ensuring compliance with different countries’ text messaging laws and regulations. You can design and customize messages in different languages based on country codes.

The SMS template used to send a verification code is available in multiple languages: in this example, there are localized strings for Arabic, Breton, Catalan, Czech, Danish, German, Greek, and English.

You can define different text templates for messages sent via the OTP (one-time password) and TFA (two-factor authentication) flows.

Country-Specific SMS Templates

You can define text templates for SMS messages in multiple languages per country code to comply with local legislation. When a country-specific template is defined, it overrides the global template.

After selecting a country, in this case Canada/USA, you can specify SMS templates unique to it; in this example, a French version of the TFA SMS template.

The language of an SMS message is determined based on the following priorities:

For TFA SMS messages:

  • Language requested in the API call.
  • Language of the destination phone number, as set in profile.locale on the user's account.

For other SMS messages:

  • Language requested in the API call.
  • Default language for that country code.
  • English (if no languages are defined for the country code).
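The language priorities above, together with the country-specific override described under Country-Specific SMS Templates, as an added example of a template resolver; this is illustrative code, not SAP Customer Data Cloud's own logic, and the store layout, the flow names "tfa" and "otp", the country-code keys and the template texts are constructed for the example.

```javascript
// Added example (not SAP Customer Data Cloud code): picks the SMS template
// text for a message using the language priorities listed above. The store
// layout, the flow names "tfa" and "otp", the country-code keys and the
// template texts are constructed for this example.
const SMS_STORE = {
  global: {
    tfa: { en: 'Your verification code is {code}', de: 'Ihr Code lautet {code}' },
    otp: { en: 'Your one-time password is {code}' },
  },
  // Country-specific templates override the global ones for that country.
  countries: {
    '1': {
      defaultLang: 'en',
      tfa: { fr: 'Votre code de vérification est {code}' },
      otp: { fr: 'Votre mot de passe à usage unique est {code}' },
    },
  },
};

// Candidate languages in priority order. For TFA the list above names only
// the requested language and profile.locale; other messages fall back to
// the country default and then to English.
function languageCandidates(flow, country, requestedLang, profileLocale) {
  return flow === 'tfa'
    ? [requestedLang, profileLocale]
    : [requestedLang, country && country.defaultLang, 'en'];
}

function resolveSmsTemplate(store, flow, countryCode, requestedLang, profileLocale) {
  const country = store.countries[countryCode];
  for (const lang of languageCandidates(flow, country, requestedLang, profileLocale)) {
    if (!lang) continue;
    // A country-specific template in this language wins over the global one.
    const countryText = country && country[flow] && country[flow][lang];
    const text = countryText || store.global[flow][lang];
    if (text) return { lang, text };
  }
  return null; // no template exists in any candidate language
}

// Fills the {code} placeholder; the code value itself comes from the caller.
function renderSms(template, code) {
  return template.text.replace('{code}', code);
}
```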

For more information, refer to SMS Templates in the SAP Help Portal.

Summary

  • SAP Customer Data Cloud supports various authentication types including traditional password authentication (always enabled), push notifications, FIDO passwordless authentication, Email OTP (one-time password), and Magic Link configuration for flexible user access.
  • Administrators can enforce strong password policies by setting minimum length requirements, character group diversity, custom regular expressions, mandatory password change intervals, prevention of password reuse, and configurable reset token expiration times.
  • Different authentication methods are assigned security levels based on their trustworthiness, allowing administrators to require higher authentication levels for suspicious behaviors and ensuring appropriate security measures.
  • The system can require account confirmation via email links or codes, with configurable expiration times for verification links, and offers automatic user login upon successful email verification with proper site configuration.
  • Automated confirmation emails can be sent for critical account actions like password resets and account deletions, with double opt-in support for subscription management implementations requiring additional user consent verification.
  • Fully customizable email and SMS templates support multiple languages, inherit from parent sites in site groups, and comply with country-specific regulations through locale-based template selection and country code-specific messaging configurations.