Set Up Login Security

The login security settings let you add extra security measures around user logins.

About this task

Login Security Settings

To set or change the login security settings:

Procedure

  1. Go to Settings > Platform Settings > Security Settings.
  2. Go to the Login Security section. From here, you can adjust the login security settings. Each setting is described below:
    • Allow user logins from unknown IPs not defined in Network Access: Under Settings > Platform Settings > Network, you can define a set of network IP addresses or IP address ranges from which your users can log in to the application. If ranges are defined and a user visits from an IP that isn't contained in them, this setting decides what happens. Checking the Allow user logins from unknown IPs not defined in Network Access box allows the user to enter the application after logging in with their password and answering their security question. This makes it possible for users on the road (in a hotel, at a trade show, etc.) to still log in even though their IP address isn't on the trusted list.
      Note: If this box is cleared, then users attempting to access your account from an unauthorized IP will be rejected and will be unable to access the account.
      Tip: For more information on setting up trusted IP address ranges, see Configure Network Access.
    • Allow API access from unknown IPs not defined in Network Access: Under Settings > Platform Settings > Network, you can define a set of network IP addresses or IP address ranges from which your users can log in to the application. If this box is checked, API access can come from any IP. If it is cleared, API access to the account from an unauthorized IP will be rejected.
    • Inactive Users Are Locked After: Accounts that have not been logged in to for a long time can be a security risk. The Inactive Users Are Locked After pull-down menu automatically forces users to reset their password if they haven't logged in (have been inactive) for a given period of time. You can choose:
      • Never (default)
      • 1 month
      • 3 months
      • 6 months
      • 1 year
    • Maximum Number of Invalid Login Attempts: The Maximum Number of Invalid Login Attempts setting allows you to set the limit for failed login attempts. You can choose:
      • 3 attempts
      • 5 attempts
      • 10 attempts (default)
    • Lockout Effective Period: When a user reaches the maximum number of invalid login attempts specified above, they will be locked out of their account. You can set the duration of the lockout using this pull-down menu. The options are:
      • Lock account for 5 minutes: The user will not be able to attempt another login until 5 minutes have passed. This further mitigates the possibility of a brute-force attack.
      • Lock account for 15 minutes.
      • Lock account for 30 minutes.
      • Lock account for 1 hour.
      • Permanently lock the account. Unlocking the account will require a Site Administrator to manually edit the user's record and unlock it. Additionally, the emergency contact email address for the site will receive a notice that the account has been locked.
  3. Click Save.
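
Before saving, it can help to check how the two "Allow ... from unknown IPs" settings in step 2 combine with your Network Access ranges. The following is an added example, not the platform's own code: a small Python model of the outcomes described above. The function names, the sample ranges, and the behavior when no ranges are defined are assumptions.

```python
import ipaddress

# Constructed sample ranges (documentation address space), standing in for
# the ranges an admin would define under Settings > Platform Settings > Network.
TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.17/32", "2001:db8:10::/48"]

ALLOW = "allow"
CHALLENGE = "allow after password and security question"
REJECT = "reject"


def is_trusted(ip, ranges):
    """True if ip falls inside any configured range (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def decide(ip, channel, ranges, allow_unknown_login, allow_unknown_api):
    """Model the outcome for a 'login' or 'api' request from ip."""
    if channel not in ("login", "api"):
        raise ValueError("channel must be 'login' or 'api'")
    # Assumption: with no ranges defined there is no IP restriction at all.
    if not ranges or is_trusted(ip, ranges):
        return ALLOW
    if channel == "login":
        return CHALLENGE if allow_unknown_login else REJECT
    return ALLOW if allow_unknown_api else REJECT


def audit(ips, ranges, allow_unknown_login, allow_unknown_api):
    """Return {(ip, channel): outcome} for a list of addresses to review."""
    return {
        (ip, ch): decide(ip, ch, ranges, allow_unknown_login, allow_unknown_api)
        for ip in ips
        for ch in ("login", "api")
    }


if __name__ == "__main__":
    sample = ["203.0.113.40", "192.0.2.9", "2001:db8:10::5"]  # constructed
    for key, outcome in audit(sample, TRUSTED_RANGES, True, False).items():
        print(key, "->", outcome)
```

Running it with both boxes checked shows which addresses would reach the API without any IP restriction, which is the combination to review most carefully.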