How to set authentication settings
You can access it via Administration » Settings » Authentication.
This option sets how long a user can stay logged in (using the saved login) before the system automatically logs them out.
Here you can set if a user can perform self-registration and how to do so:
- activation by email - an activation link is sent to the registered email address
- manual account activation - an administrator must activate the user. Such users can be filtered in the user list by the status "registered"
- automatic activation - the user is activated on first login
You can add a self-registered user to an existing group automatically.
You may also allow OpenID login and registration.
In More » Administration » Settings » Authentication » Password must include, you can enforce strong passwords for all users by defining the criteria a password has to meet: an uppercase letter, a lowercase letter, a number, and a special character. The configured criteria are enforced automatically from the next time a user changes their password, and whenever a new user is created.
If an entered password fails any of these criteria, the following error appears.
Other enhancements for password enforcement can be set up in More » Administration » Settings » Authentication.
- Minimum password length - enter the required number of characters
- Unique password counter - the number of password changes that must pass before a user can set a previously used password again
- Required password after - the number of days after which the system asks the user to change their password
The following message appears a few days before password expiration if "Required password after" is configured.
However, the notifications about password expiration can be turned off on the user profile.
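The password rules above (required character classes, minimum length, unique password counter, and expiry after a number of days) as one added reference implementation; this is example code written for this page, not the product's own code, and the threshold values are assumed.

```python
import re
import hashlib
from datetime import date, timedelta

# Assumed policy values mirroring the settings described above (not product defaults).
MIN_LENGTH = 12
UNIQUE_PASSWORD_COUNT = 5      # "Unique password counter": last N passwords cannot be reused
PASSWORD_MAX_AGE_DAYS = 90     # "Required password after": force a change after N days
EXPIRY_WARNING_DAYS = 7        # how many days in advance the expiry notice is shown (assumed)

# "Password must include" criteria: one regex per required character class.
REQUIRED_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

def _digest(password):
    # Demo only: a real system stores salted, slow hashes (bcrypt/argon2) for the
    # current password and for the history used by the reuse check.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def password_errors(candidate, previous_digests):
    """Return every policy violation for a proposed password (empty list = accepted)."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("must be at least %d characters" % MIN_LENGTH)
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(candidate):
            errors.append("missing " + name)
    # Reuse check: only the most recent UNIQUE_PASSWORD_COUNT entries of the history matter.
    if _digest(candidate) in previous_digests[-UNIQUE_PASSWORD_COUNT:]:
        errors.append("must differ from the last %d passwords" % UNIQUE_PASSWORD_COUNT)
    return errors

def change_required(last_changed, today):
    """True once the password is PASSWORD_MAX_AGE_DAYS old or older."""
    return today - last_changed >= timedelta(days=PASSWORD_MAX_AGE_DAYS)

def expiry_warning(last_changed, today):
    """Days left before expiry if inside the warning window, otherwise None."""
    days_left = PASSWORD_MAX_AGE_DAYS - (today - last_changed).days
    return days_left if 0 < days_left <= EXPIRY_WARNING_DAYS else None
```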
To protect your sensitive business data, we strongly advise users not to store their login credentials (login name and password) in their web browsers. If the web browser asks whether you want to save the password, decline. Otherwise, you expose your user account, and all the information accessible from it, to a high risk of misuse.
Unfortunately, there is no application-side way to prevent passwords from being saved in the browser. Browsers actively defeat any mechanism an application uses to disallow password saving, regardless of the security risk involved.
Block user after "x" incorrect password submissions
A security feature that automatically blocks a user after they submit an incorrect password several times in a row. The setting is in Administration » Settings » Authentication » Unsuccessful login attempts.
How it works
- When blocked, the user sees the configured notice on the login page. We recommend showing the contact information of the administrator or office who can unblock the user, so that they immediately know where to turn.
- We also recommend enabling the notification for administrators in charge of user management, so they can proactively contact the user to find out what happened.
- Manual unblocking - an administrator can easily unblock the user by going to their profile (not to be confused with the user edit form) and clicking Unblock.
- Block vs lock - this feature is not in any way related to the Lock user functionality, which is used when you want to completely hide the user from the application, for example, if they left the organization. Blocked users are still active, they just can't log in to the application until they are unblocked.
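The blocking behaviour described above as an added example (written for this page, not the product's own code): failed attempts are counted per account, the account is blocked at the threshold, a blocked account stays active but cannot log in until an administrator unblocks it, and the separate "locked" state is kept independent. The threshold and the notice text are assumed.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5   # "Unsuccessful login attempts" threshold (assumed value)
# Notice shown on the login page to a blocked user; the contact is a placeholder.
BLOCK_NOTICE = "Your account is blocked after repeated failed logins. Contact helpdesk@example.invalid to be unblocked."

@dataclass
class Account:
    username: str
    password: str              # demo only; a real system stores a salted slow hash
    failed_attempts: int = 0
    blocked: bool = False      # set by this feature, cleared only by admin Unblock
    locked: bool = False       # separate "Lock user" state (e.g. the person left the organization)
    admin_notices: list = field(default_factory=list)

def attempt_login(account, password):
    """Return (success, message). Blocking and locking are evaluated independently."""
    if account.locked:
        # A locked user is hidden from the application entirely; no block counter is kept.
        return False, "Invalid credentials"
    if account.blocked:
        # Even a correct password is refused until an administrator unblocks the user.
        return False, BLOCK_NOTICE
    if hmac.compare_digest(password, account.password):
        account.failed_attempts = 0        # a successful login resets the counter
        return True, "Welcome"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.blocked = True
        # Notification for administrators in charge of user management.
        account.admin_notices.append(
            "%s blocked after %d failed logins" % (account.username, MAX_FAILED_ATTEMPTS))
        return False, BLOCK_NOTICE
    return False, "Invalid credentials"

def admin_unblock(account):
    """Administrator action from the user profile: clear the block and the counter."""
    account.blocked = False
    account.failed_attempts = 0
```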
Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which a user provides two authentication factors to verify that they are who they claim to be. It contrasts with single-factor authentication (SFA), in which the user provides only one factor, typically a password. To set it up, go to More » Administration » Settings » Authentication » Two-factor authentication, where you can configure the second factor: SMS or a time-based one-time password (TOTP). For SMS, you also need to set up the Telephone custom field and select the Provider on the same page.
If TOTP/SMS authentication is globally active, each user finds an enable/disable option in their user profile, so they can adjust the authentication process to their needs. No user can activate TOTP/SMS authentication for another user. Only an administrator can deactivate it for other users, and even an administrator cannot activate it for them.
To enable TOTP, you are asked to scan the displayed QR code or enter the plain-text secret into a TOTP app (e.g. Google Authenticator, Authy, Duo Mobile...). The app then generates a verification code that you enter into the form in the next step; TOTP is thereby verified and activated.
- Q: I've configured two-factor authentication in settings to use TOTP. I enabled this scheme. In my account I tried to enable TOTP and tried using the Google Authenticator app. I couldn't verify with the code generated by the authenticator app. I also tried the Microsoft Authenticator app. Same problem.
A: The problem was that our server didn't synchronize its clock with NTP. So the time on the server was different than the time on my phone.
- If you use two-factor authentication (2FA) with the SMS scheme set as required, be doubly careful that the SMS provider is configured correctly. Otherwise, no SMS is sent and you will not be able to log in.