Security Update: SMS Password Reset and Mandatory MFA
2026/04/06
Protecting the sensitive data of children and participants is not optional — it is a responsibility. Two new security features make it easier to properly secure Bookacamp portals without sacrificing usability: the SMS password reset for customer and teamer portals, and mandatory Multi-Factor Authentication (MFA) for backoffice accounts.
SMS Password Reset: a safe way back into the portal
The classic "forgot password" flow is well known to be one of the most exploited attack vectors on the web: anyone who compromises a user's email inbox can reset passwords across all connected services. That is why Bookacamp deliberately does not offer a password reset link via email.
What's new is a secure alternative: when a customer or teamer portal user no longer knows their password, they can request a one-time code via SMS or voice call to their stored phone number. The process is straightforward:
- Click "Forgot password" on the login page
- Enter the login e-mail address
- Receive a one-time code via SMS or voice call
- Enter the code, set a new password — done
The feature can be activated in the account settings under Security. Every successful delivery is transparently logged and visible in the backoffice. Costs are charged monthly via the standard Bookacamp invoice.
To prevent abuse, a built-in rate limit applies: only a limited number of requests is allowed per time period. Every reset attempt is also recorded as a note on the relevant customer or teamer profile, creating a complete audit trail.
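The reset flow described above (one-time code, rate limit, note per attempt) can be modelled as follows. This is an added example, not Bookacamp's code: the class and event names are hypothetical, and the limit, window, code length, code lifetime and guess limit are assumed values, since the page does not state them.

```python
import hashlib, hmac, secrets, time

# Assumed values: the page does not state the real limit, window or code format.
MAX_REQUESTS = 3            # reset requests allowed per window
WINDOW_SECONDS = 15 * 60    # sliding window length
CODE_TTL_SECONDS = 10 * 60  # lifetime of a one-time code
MAX_VERIFY_ATTEMPTS = 5     # wrong guesses before the code is discarded

class ResetService:
    """Hypothetical in-memory model of the reset flow; not Bookacamp's code."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.key = secrets.token_bytes(32)  # server-side key for code digests
        self.requests = {}  # email -> timestamps of recent requests
        self.pending = {}   # email -> [digest, expires_at, attempts_left]
        self.notes = []     # audit trail: (timestamp, email, event)

    def _digest(self, code):
        return hmac.new(self.key, code.encode(), hashlib.sha256).digest()

    def _note(self, email, event):
        self.notes.append((self.clock(), email, event))

    def request_code(self, email):
        """Return the code for the SMS/voice gateway, or None if rate limited."""
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW_SECONDS]
        self.requests[email] = recent
        if len(recent) >= MAX_REQUESTS:
            self._note(email, "reset_rate_limited")
            return None
        recent.append(now)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = [self._digest(code), now + CODE_TTL_SECONDS, MAX_VERIFY_ATTEMPTS]
        self._note(email, "reset_code_sent")
        return code

    def verify_code(self, email, code):
        """Single use: the code is dropped on success, expiry or the last wrong guess."""
        entry = self.pending.get(email)
        ok = False
        if entry is not None:
            digest, expires_at, attempts_left = entry
            expired = self.clock() > expires_at
            ok = not expired and hmac.compare_digest(digest, self._digest(code))
            if ok or expired or attempts_left <= 1:
                del self.pending[email]
            else:
                entry[2] = attempts_left - 1
        self._note(email, "reset_succeeded" if ok else "reset_failed")
        return ok
```

Only a keyed digest of the code is stored, and refused requests are written to the audit trail as well, so a burst of reset attempts against one profile is visible to staff.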
Mandatory MFA: no access without a second factor
Voluntary MFA for backoffice users has been available in Bookacamp since 2023. Many accounts use it — but not all. Until now, there was no technical way to ensure that every backoffice login is protected by a second factor.
That changes now: in the account settings under Security → MFA Enforcement, you can enable mandatory MFA for all backoffice users. Once the setting is active:
- Users who have not set up MFA are redirected to a setup page immediately after login
- This page cannot be bypassed — no other area of the backoffice is accessible until MFA is configured
- Once MFA is successfully activated, the user is admitted to their normal workspace
Additionally, settings for future mandatory MFA in the customer and teamer portals can already be configured today. These prepare the system for portal MFA, which will be rolled out in an upcoming release.
Why this matters
Youth travel and leisure operators process some of the most sensitive data there is: health information, family structures, bank details, and the whereabouts of minors. A compromised backoffice account is not a theoretical risk — it has already caused significant harm at other companies.
MFA dramatically reduces this risk: even if an attacker obtains a username and password, they cannot proceed without the time-limited second factor. Mandatory MFA ensures that this layer of protection is not left to the discretion of individual staff members but applies to everyone.
Author: Mathias Methner