Access the Commerce administration interface

All users who work in the administration interface must have an internal user profile and must understand how to log into the administration interface.

This section applies to both Open Storefront Framework (OSF) and Storefront Classic.

This section describes the tasks required to prepare your profile and access the administration interface.

Understand multi-factor authentication

Multi-factor authentication is an authentication mechanism that requires a user to present at least two of the following three types of credentials when logging into an account:

  • Something you know, like a password.
  • Something you have, like a smart card or a one-time passcode.
  • Something you are, like your fingerprint.

The Payment Card Industry Data Security Standard (PCI DSS) requires multi-factor authentication for any user who accesses an administrative environment that handles card data. Multi-factor authentication helps keep intruders out by providing an extra layer of security when users require access to environments that contain sensitive information.

Commerce implements this requirement by ensuring that each internal user enters their username and password, plus a one-time passcode (generated by Oracle Mobile Authenticator) every time they log into the administration interface.

Prepare to use multi-factor authentication

You will receive an automatically-generated email that contains the information you need to perform the steps to set up multi-factor authentication.

  • If you are a new Commerce user, you will receive an automatically-generated email with the subject line "Set Up Your Oracle Commerce Login" once a Commerce administrator has created your profile.
  • If you are an existing Commerce user, you will receive an automatically-generated email with the subject line "Your Oracle Commerce Secret Key Reset" once your site has been updated to a release of Commerce that requires multi-factor authentication.

Your email contains the information you need to perform the following steps:

  1. Download Oracle Mobile Authenticator to your iOS, Android, or Windows device.
  2. Add your Commerce profile to Oracle Mobile Authenticator using the secret key in the email.
  3. Create your password for your Commerce profile.
  4. Log into the Commerce administration interface with your username, password, and a one-time passcode generated by Mobile Authenticator.

Keep the following information about the email in mind:

  • You will receive a separate email for each of your environments and must follow this procedure for each one. For example, if you have three environments, you will need to follow the procedure three times – once for each environment – in order to access the administration interface in each environment.
  • If you did not receive the automated email, check your spam or junk mail folder.

Download Oracle Mobile Authenticator

Oracle Mobile Authenticator (OMA) is a free app that generates the one-time passcodes (unique, random numbers) you enter each time you log into the Commerce administration interface. OMA does not require cell service or an internet connection to generate one-time passcodes.

OMA is available for Android, iOS, and Windows devices, including PCs running Windows 8.1+. The iOS app is available at the Apple app store, the Android app is available at the Google Play store, and the Windows app is available at the Microsoft store, all under the name Oracle Mobile Authenticator. Visit the appropriate app store for your device to learn about system requirements and download the app.

Download OMA to your device, launch it, and accept the end user license agreement. Then follow the instructions in Add your Commerce profile to Oracle Mobile Authenticator to link your Commerce profile to OMA.

Add your Commerce profile to Oracle Mobile Authenticator

After you install the Oracle Mobile Authenticator (OMA), you need to link it to your Commerce profile. You do this by adding your profile’s secret key to OMA. Make sure you have the email you received when your profile was created; it contains everything you need to access the Authenticator Details page, where you add your profile to OMA in one of the following ways:

  • Scan the QR code
  • Click the Create an OMA Entry link
  • Enter the key manually

Scan the QR code

If you are viewing the email on a device where OMA is not installed, like your computer, you can open OMA on your mobile device and scan the QR code that you access from the email. If you are unable to successfully scan the code, see Click the Create an OMA Entry link or Enter the key manually for alternate ways to add your profile to OMA.

  1. Open the OMA app on your mobile device, then tap Add Account.
  2. Open the Set Up Your Oracle Commerce Login email and click the Oracle Mobile Authenticator Setup link to open the Authenticator Details page.
  3. Scan the QR code that appears on the page using your device’s camera.

    Depending on your mobile device’s security settings, you may be prompted to enter your user name and password.

    After configuration is complete, the passcode generator screen begins displaying one-time passcodes.

If you scan an expired QR code, Commerce displays an error page. Contact your Commerce administrator, who can reset the secret key. Once the key is reset, you will receive another email.

Now you can continue to the steps in the next section, Create your password.

Click the Create an OMA Entry link

If you are viewing the Commerce email on the same device where OMA is installed, you can simply click an enrollment link that opens the OMA app on your device and starts the configuration process.

  1. Open the Set Up Your Oracle Commerce Login email on the device where OMA is installed and tap the Oracle Mobile Authenticator Setup link to open the Authenticator Details page.
  2. Tap the Oracle Commerce link.

    Depending on your mobile device’s security settings, you may be prompted to enter your user name and password.

    After configuration is complete, the passcode generator screen begins displaying one-time passcodes.

If you click an expired link, Commerce displays an error page. Contact your Commerce administrator, who can reset the secret key. Once the key is reset, you will receive another email.

Now you can continue to the steps in the next section, Create your password.

Enter the key manually

You can manually type or cut and paste the secret key into OMA.

To see the secret key, open the Set Up Your Oracle Commerce Login email and click the Oracle Mobile Authenticator Setup link to open the Authenticator Details page. The secret key is displayed at the bottom of the page.

To enter the secret key into OMA:

  1. Open the OMA app on your device, then tap Add Account.

    Depending on your mobile device’s security settings, you may be prompted to enter your user name and password.

  2. Tap Enter key manually.
  3. Under Select Account Type, tap Oracle.
  4. In the Account field, enter Commerce.
  5. In the Key field, enter the secret key.
  6. Tap Save.

    After configuration is complete, the passcode generator screen begins displaying one-time passcodes.

Create your password

Administrators do not assign login passwords to new user profiles. To create a password for your new profile, open the Set Up Your Oracle Commerce Login email and click the Create Password link. (If the link has expired when you click it, Commerce displays a page where you can request a new link. You will need to supply a one-time passcode when you reset your password. See Log into the Commerce administration interface for more information.)

Your password must be at least eight characters long and contain at least one number, one uppercase letter, and one lowercase letter. It cannot contain your email address. The password is also checked against a list of weak passwords that Commerce maintains. If you try to create a password that matches one of the entries in this dictionary, the password is rejected.

Now you can log into Commerce. See Log into the Commerce administration interface for details.

Log into the Commerce administration interface

Once you have linked your Commerce profile to Oracle Mobile Authenticator (OMA) and created your password, you are ready to log into the administration interface.

Important: You must generate a new one-time passcode each time you log into the administration interface. This includes logging back in if you have been automatically logged out. Commerce does not currently mark a device as safe or save passcodes across sessions.

To log into the administration interface, follow these steps:

  1. Navigate to the Commerce sign in page with the URL provided to you by your administrator.
  2. Enter your username and password.
  3. Launch the OMA app on the device where you installed it.

    A one-time passcode appears and the countdown begins until a new passcode is automatically generated.

  4. On the Commerce sign in page, enter the code into the One-Time Passcode box and click Log In.