User Authentication

If you administer Salesforce B2C Commerce, always use unified authentication. Historically, Business Manager used local user authentication, under which a local user can log in only to the Business Manager instance on which their credentials were created. After a site migrates to unified authentication, users authenticate through Account Manager instead, where a single global login grants access to any Business Manager instance in their organization.

Local Authentication

With local user authentication, an administrator, or an existing user with the appropriate permissions, provisions a new user in Business Manager, and the user's credentials are stored on that Business Manager instance. If a user needs to log in to several instances, you must create a separate account for them on each instance. The primary security controls are the user password policy and the login lockout policy. Both have reasonable default values that you can tighten to match your own policy requirements.

To enhance security, raise the minimum password length from the default of eight characters to 12. Note that customer lists configured prior to Release 17.5 must be updated for the new setting to apply.
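The following is an added illustration, not Salesforce code, of how the two controls described above (a minimum password length enforced at provisioning time, and a failed-login lockout) interact, and of why a local account is confined to the instance that holds it. The lockout threshold of five attempts and the 900-second window are assumed values chosen for the example; the real defaults are whatever your Business Manager instance shows. The instance names and usernames are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class LoginPolicy:
    """Per-instance policy. 12 characters matches the recommendation above;
    the lockout numbers are assumptions for this example."""
    min_password_length: int = 12
    max_failed_attempts: int = 5
    lockout_seconds: int = 900


@dataclass
class LocalAccount:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked store does not expose reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LocalAuthenticator:
    """Credential store for ONE instance, mirroring the local-user model:
    accounts provisioned here are unknown to every other instance."""

    def __init__(self, instance_name: str, policy: LoginPolicy):
        self.instance_name = instance_name
        self.policy = policy
        self.accounts: dict[str, LocalAccount] = {}

    def provision(self, username: str, password: str) -> None:
        # Password policy is enforced when the account is created or changed.
        if len(password) < self.policy.min_password_length:
            raise ValueError(
                f"password must be at least {self.policy.min_password_length} characters"
            )
        salt = os.urandom(16)
        self.accounts[username] = LocalAccount(salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injected so the
        lockout window can be exercised deterministically."""
        acct = self.accounts.get(username)
        if acct is None:
            # Pay the same hashing cost for unknown users so response time
            # does not reveal which usernames exist on this instance.
            _hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # A correct password does not bypass an active lockout.
            return "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.policy.max_failed_attempts:
            acct.locked_until = now + self.policy.lockout_seconds
            acct.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    policy = LoginPolicy(max_failed_attempts=3, lockout_seconds=60)
    staging = LocalAuthenticator("staging", policy)
    production = LocalAuthenticator("production", policy)
    staging.provision("alice", "correct horse battery staple")
    print(staging.login("alice", "correct horse battery staple", now=0))     # ok
    print(production.login("alice", "correct horse battery staple", now=0))  # denied: no account here
```

The `production` instance denies Alice even with the right password because nothing was provisioned there; that is exactly the per-instance duplication that unified authentication removes.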

Unified Authentication

With unified user authentication, all Business Manager users in a multi-site organization are managed centrally in Account Manager, and users must log in to Business Manager with their Account Manager credentials. All user-related actions, including password changes and resets, are performed in Account Manager; the corresponding Business Manager settings are ignored for these users.

The primary security controls are again the password, login, and lockout policies, whose default values you can tighten to match your policy requirements. Unlike local Business Manager logins, Account Manager uses two-factor authentication (2FA). This significantly improves security because an attacker must obtain both the password and the user's 2FA application to gain access.