This article will cover:
- Multi-factor Authentication (MFA)
- System Login Security Settings
- IP Address Whitelisting for System Logins
- IP Address Whitelisting for API
- API Key Access
- New Device/IP Login Alert
Multi-factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a security system that verifies a user’s identity by requiring a two-step login process. In CAKE, the first step is the username and password, and the second step is the unique Time-based One-Time Password (TOTP) sent by CAKE to an authenticator app (e.g. Google Authenticator or Microsoft Authenticator) on the user's smartphone. MFA can only be enabled for employees of the company licensing CAKE, not for partners (Affiliates, Buyers, etc.).
To enable multi-factor authentication in CAKE, refer to our help article.
System Login Security Settings
CAKE provides a number of security settings that control how users log in to your system. Below are the settings you can configure, along with the best-practice defaults that come enabled in all CAKE systems.
- Failed Login Attempts: 5 attempts
- Admin Portal Session Timeout: 60 minutes
- Password Strength: Strong
- Password Usage History Restriction: 10 passwords
- Password Expiration Policy: 90 days
To edit the system login security settings, refer to our help article.
IP Address Whitelisting for System Logins
CAKE provides the ability to whitelist office IP addresses so that your CAKE System can only be accessed from a list of approved IP addresses. When you add an IP Whitelist for system logins, any users currently logged in from non-whitelisted IPs will be logged out and unable to log in again.
For more information on how to configure a whitelist of login IP addresses, refer to our help article.
IP Address Whitelisting for API
Similar to the IP whitelisting for system logins, CAKE also provides an IP address whitelist option for API access. If you know the IP address of the server that will be making API calls to CAKE, you can add the address to the IP Whitelist in CAKE. CAKE will ignore any API calls made from IP addresses not listed on your whitelist.
For more information on how to add an IP Whitelist for your API, refer to our help article.
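Because enabling a login whitelist logs out users on non-whitelisted IPs, and an API whitelist causes calls from unlisted servers to be ignored, it helps to check a proposed list against known source addresses before saving it. The following is an added example, not CAKE code: the function names, user names and addresses are constructed, and it assumes entries are single addresses or CIDR ranges (check the help article for the formats CAKE accepts).

```python
import ipaddress

def parse_allowlist(entries):
    """Parse single addresses or CIDR ranges (assumed formats) into networks."""
    # strict=False tolerates host bits in a range, e.g. 203.0.113.10/24
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def is_allowed(ip, networks):
    """Return True if ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    # Compare IPv4-mapped IPv6 (::ffff:a.b.c.d) by its IPv4 form
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)

def would_be_blocked(allowlist, sources):
    """Names in sources (name -> IP) whose address is outside the allowlist."""
    networks = parse_allowlist(allowlist)
    return sorted(name for name, ip in sources.items()
                  if not is_allowed(ip, networks))

# Constructed sample data using documentation-reserved address ranges
LOGIN_ALLOWLIST = ["203.0.113.0/24", "198.51.100.7"]
ACTIVE_SESSIONS = {
    "alice": "203.0.113.25",        # inside the office range
    "bob": "198.51.100.7",          # exact single-address match
    "carol": "192.0.2.44",          # not listed: would be logged out
    "dave": "::ffff:203.0.113.9",   # IPv4-mapped form of an office address
}
API_ALLOWLIST = ["198.51.100.20"]
API_CALLERS = {
    "reporting-job": "198.51.100.20",
    "legacy-cron": "198.51.100.21",  # not listed: calls would be ignored
}

if __name__ == "__main__":
    print("Users who would be logged out:",
          would_be_blocked(LOGIN_ALLOWLIST, ACTIVE_SESSIONS))
    print("API callers that would be ignored:",
          would_be_blocked(API_ALLOWLIST, API_CALLERS))
```

An invalid entry raises `ValueError` from `ipaddress`, which surfaces typos in the proposed list before it is applied.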
API Key Access
For additional security around API access, CAKE hides API keys in the UI, requiring users to click a “show” button to view and pull the API key. API keys are used to authenticate API requests and should be treated like passwords. This functionality provides a detailed log of API key access and time stamps. API Keys are found in the System Access section of the Security Settings, which is a permissions-based section.
New Device/IP Login Alert
To ensure secure logins to your CAKE Admin portal, CAKE now triggers an alert that notifies admin users any time the login device or location differs from that of the previous login.
For information on subscribing to Alerts in CAKE, refer to our help article.