Clock PMS+ has been designed with strong security measures in mind to prevent the unauthorized access to your critical data and operations.
Network security
Allows you to control from which networks the user can access Clock PMS+. The settings are located in menu Settings->All Settings->Network security. Here you can enable or disable the following options:
- Trusted Networks. Users in Clock PMS+ can be split into 2 groups - users with access to the system from anywhere and those who can access the system from a specified list of IP addresses and networks, e.g. your hotel network (more details can found in the Users article).
- Blacklist Networks. Use this option for instant unconditional denial of access to your subscription from a certain IP address or network. The restriction affects all accounts in the subscription. This feature should be used with extreme caution to avoid restricting your own access. If this happens, the subscription owner can disable the 'Blacklist networks' rules though the 'I have lost my password' link on the login screen.
Multi-Factor Authentication (MFA)
The MFA principle is the following: to access your account, you'll need to combine what you know (username and password) and what you possess (smartphone and the one-time password generated on it). Each 6-digit password from the application is active for 60 seconds.
The features that will require you to have enabled MFA for your user are as follows:
- Full access to credit card details. The use of tokenized cards does not fall in this category. The review of the full credit card number and the CVV code, however, will require you to have enabled MFA for your user.
- Creation and edit of users and user groups.
- Settings of payment providers.
- Change of the account owner's email and the email of the hotel.
To activate the MFA access for your user:
- Install a two-factor authentication application:
- The Google Authenticator application on your smartphone (available for free from the AppStore and Google Play);
- A Google Chrome extension / a similar extension for other browsers;
- An application on your computer like Authy (available for Linux, macOS, and Windows);
- Log in to the system with the user for which the MFA is to be activated
- Go to the Navigation menu -> Settings -> Users
- Chose the 'Activate MFA' from the upper part of the screen
- Follow the instructions. The QR code might take up to 1 minute to load
Removal of the MFA access
In order to remove the MFA you need to have the 'Users: Create and Edit' right granted and an active MFA.
It will allow you to access the list of the users and select "Remove MFA' from the drop-menu next to the respective user.
Automatic User Locking
After 6 unsuccessful login attempts, the user account is automatically locked for a period of 30 minutes. A notification email is also sent with the following subject: "[CLOCK PMS SECURITY] Too many login errors detected. The user is locked" to the hotel email address.
If you happen to lock your account, you can contact a user with the 'Users: Create and Edit' right granted and ask the same to edit your user and click on the 'Unlock user' button.