Security Changes Overview: Device Authentication and Two-Factor Authentication


pixi introduces two complementary security mechanisms to keep accounts secure while remaining practical for warehouse environments (shared stations, handhelds, no business email, limited personal device access):

  • Device Authentication (Trusted Devices) for pixi Mobile and pixi Connector

  • Two-Factor Authentication (2FA) for pixi Web and warehouse stations, based on permissions

Learn more in the sections below.


Device Authentication (pixi Mobile & pixi Connector)

Device authentication secures pixi Mobile and pixi Connector by allowing access only from devices that an administrator has marked as Trusted.


Timeline (Starting 26.02+)

When you update to pixi Release 26.02 or later, a 28-day transition period begins:

  • During the transition period, pixi collects device data in the background and users can keep working normally. Administrators need to mark the devices as Trusted/Untrusted.

  • After the transition period ends, only trusted devices can log into pixi Mobile and pixi Connector.

Recommended action: Start reviewing and trusting known devices once you are confident all devices have logged in at least once.



In this graphic, Customer 1 updates to 26.02 in February, Customer 2 updates at a later time, in this case 26.03. In both cases, a 28-day transition period is granted to allow time to mark devices as trusted/untrusted before the policy is enforced for the individual customer.


What Users Need To Do

(This step can be avoided if the admin already marked the device in use as trusted)

If you are a user, follow these steps:

  1. Log in to pixi Mobile or pixi Connector.

  2. The authentication request is sent automatically. You will see a notification upon login.

  3. Wait for your admin to mark the device Trusted.

  4. Log in again.


What Admins Need To Do

No matter which user signs in, every device must have a status in User Administration > Devices:

  • Trusted: Access allowed

  • Untrusted: Access blocked

  • Pending: You must review and set it to Trusted or Untrusted.

For the detailed admin guide, click here.


Note: Access to pixi Mobile and pixi Connector is determined by the device’s status, regardless of which user (including warehouse workers) is using it.


Two-Factor Authentication (For all Users)

Two-factor authentication (2FA) adds a second verification step to strengthen account security. 2FA is required for users with elevated or admin permissions. Users assigned to the limited-permission “Warehouse worker” role do not require 2FA going forward.

Please note that 2FA will be enabled in all test, sandbox, and pre-production databases as early as March 31, 2026. This is intended to give you sufficient time to prepare for the changeover and to review configurations in advance.


Exemption from Two-Factor-Authentication (Warehouse Station Workers)

This section explains who qualifies as a Warehouse worker and which permissions define the role.

Who is a warehouse worker?

A user with limited permissions who performs operational warehouse tasks (e.g., scanning pick lists, running basic reports). Their role is defined by having all these permissions (or a subset):

  • pixi Inventory

  • Create manual invoice for box in Web

  • pixi Invoices

  • pixi Reports

  • Delete Picklists

  • pixi Shipping

  • Goods Receipt

  • Scan-In of locked orders

  • All permissions for pixi Mobile

If a user has any additional permissions beyond this set, or has an admin role, then 2FA is mandatory.


Timeline (End of April, 21.04.2026)

The mandatory, global 2FA enforcement is planned for the end of April (21.04.2026), independently of the pixi release. You can prepare roles and permissions now to be ready when 2FA is enforced. To use the 2FA-exempt warehouse worker role, update to pixi Release 26.02 (February) or later.

We plan to provide an additional customer webinar invite (walkthrough + Q&A). The date will be communicated on our channels.



This graphic shows that mandatory global 2FA enforcement will take place at the end of April, independent of the pixi release version, and that roles and permissions can already be prepared in advance. It also highlights that the 2FA-exempt warehouse worker role is only available from pixi Release 26.02 (February) onward, with an additional customer webinar (walkthrough and Q&A) to be announced soon.


What Admins Need to Do

To prepare for two-factor authentication, review user roles, device management, and system readiness using the steps below.

  • Segment users into Warehouse workers vs Supervisors/Admins.

  • Review roles/permissions and assign the limited warehouse worker role where applicable. Warehouse workers will need to have any of these permissions (all or a subset) assigned:

    • pixi Inventory

    • Create manual invoice for box in Web

    • pixi Invoices

    • pixi Reports

    • Delete Picklists

    • pixi Shipping

    • Goods Receipt

    • Scan-In of locked orders

    • All permissions for pixi Mobile
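
The segmentation step above can be rehearsed offline before enforcement. The following is an added example, not pixi's own code: it applies the rule from this page (any permission beyond the warehouse worker set, or an admin role, makes 2FA mandatory) to a hand-built user list and reports why each user falls on the 2FA side. The `User` record, the `is_admin` flag, the `pixi Mobile` name prefix and the sample permission names marked as constructed are assumptions; the eight named permissions are the ones listed on this page.

```python
from dataclasses import dataclass

# The eight named permissions from the warehouse-worker list on this page.
WAREHOUSE_WORKER = {
    "pixi Inventory", "Create manual invoice for box in Web", "pixi Invoices",
    "pixi Reports", "Delete Picklists", "pixi Shipping", "Goods Receipt",
    "Scan-In of locked orders",
}
# Assumption: pixi Mobile permissions are recognisable by this name prefix.
MOBILE_PREFIX = "pixi Mobile"

@dataclass
class User:
    name: str
    permissions: set
    is_admin: bool = False  # assumption: admin role recorded as a flag

def _norm(permission):
    # Collapse whitespace and case so hand-copied names still match.
    return " ".join(permission.split()).casefold()

_ALLOWED = {_norm(p) for p in WAREHOUSE_WORKER}

def extra_permissions(user):
    """Permissions beyond the warehouse-worker set; any one makes 2FA mandatory."""
    return sorted(
        p for p in user.permissions
        if _norm(p) not in _ALLOWED and not _norm(p).startswith(_norm(MOBILE_PREFIX))
    )

def segment(users):
    """Split users into 2FA-exempt names and 2FA-required names with reasons."""
    report = {"exempt": [], "2fa_required": {}}
    for user in users:
        reasons = (["admin role"] if user.is_admin else []) + extra_permissions(user)
        if reasons:
            report["2fa_required"][user.name] = reasons
        else:
            report["exempt"].append(user.name)
    return report

# Constructed sample data; "EXAMPLE edit users" and "pixi Mobile: Picking"
# are made-up permission names used only for illustration.
SAMPLE_USERS = [
    User("picker01", {"pixi Inventory", "pixi Shipping", "pixi Mobile: Picking"}),
    User("receiver02", {"goods  receipt", "pixi Reports"}),
    User("lead03", {"pixi Reports", "EXAMPLE edit users"}),
    User("admin04", {"pixi Inventory"}, is_admin=True),
]
```

Calling `segment(SAMPLE_USERS)` lists `lead03` with the single extra permission that pushes the account out of the exempt role, which is the item to remove or accept before the enforcement date.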


Frequently Asked Questions (FAQ)

Do all users need a smartphone/email?

No. 2FA is required for elevated permissions and not required for limited warehouse worker roles.

What if we are still using an older pixi version (before 26.02)?

You can continue using the existing pixi Mobile app and pixi Connector as before. After April 21, 2026, users who log in to pixi Web or a desktop station will be prompted to set up and use two-factor authentication.

What if a trusted device is lost?

Untrust it immediately (admin action), then trust the replacement device.

Can trusted devices be shared across shifts?

Yes, but treat them like keys: company-managed, protected, controlled handover.

I need to add my mobile device as trusted every day.

On older devices, clearing the app cache may also result in the deletion of app storage data.


When the app storage is deleted, pixi will ask to trust the device again.

In some cases, third-party performance optimization applications installed on devices may automatically delete app data.

Need help? Contact your Descartes pixi Customer Support for rollout planning.

