Set Up Login Security
The login security settings allow you to add additional security measures around user logins.
About this task

To set and/or change the login security settings:
Procedure
- Go to Settings > Platform Settings > Security Settings.
- Go to the Login Security section. From here, you can adjust the login security settings. Each setting is described below:
- Allow user logins from unknown IPs not defined in Network Access: By going to Settings > Platform Settings > Network, you can define a set of network IP addresses or IP address ranges from which your users can log in to the application. If ranges are defined, check the Allow user logins from unknown IPs not defined in Network Access box to let a user who visits from an IP that isn't contained in those ranges enter the application after logging in with their password and answering their security question. This makes it possible for users on the road (in a hotel, at a trade show, etc.) to still log in even though their IP address isn't on the trusted list.
Note: If this box is cleared, then users attempting to access your account from an unauthorized IP will be rejected and will be unable to access the account.
Tip: For more information on setting up trusted IP address ranges, see Configure Network Access.
- Allow API access from unknown IPs not defined in Network Access: By going to Settings > Platform Settings > Network, you can define a set of network IP addresses or IP address ranges from which your users can log in to the application. If this box is checked, API access can come from any IP. If unchecked, API access to the account from an unauthorized IP will be rejected.
- Inactive Users Are Locked After: Accounts whose users have not logged into the application for a long time can be a security risk. The Inactive Users Are Locked After pull-down menu automatically forces users to reset their password if they haven't logged in (have been inactive) for a given period of time. You can choose:
- Never (default)
- 1 month
- 3 months
- 6 months
- 1 year
- Maximum Number of Invalid Login Attempts: The Maximum Number of Invalid Login Attempts setting allows you to set the limit for failed login attempts. You can choose:
- 3 attempts
- 5 attempts
- 10 attempts (Default)
- Lockout Effective Period: When a user reaches the maximum number of invalid login attempts specified above, they will be locked out of their account. You can set the duration of the lockout using this pull-down menu. The options are:
- Lock account for 5 minutes: The user will not be able to attempt another login until 5 minutes have passed. This further mitigates the possibility of a brute-force attack.
- Lock account for 15 minutes.
- Lock account for 30 minutes.
- Lock account for 1 hour.
- Permanently lock the account. Unlocking the account will require a Site Administrator to manually edit the user's record and unlock it. Additionally, the emergency contact email address for the site will receive a notice that the account has been locked.
- Click Save.
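
To compare combinations of Maximum Number of Invalid Login Attempts and Lockout Effective Period before saving, the following added example (not code from the product) models the lockout behavior described above and computes how many invalid logins a single account can absorb per day. The class and function names are hypothetical, and the counter-reset rules are assumptions marked in the comments.

```python
import math
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = (3, 5, 10)                # options listed on the page
LOCKOUT_MINUTES = (5, 15, 30, 60, None)  # None = "Permanently lock the account"

@dataclass
class Account:
    failures: int = 0
    locked_at: Optional[float] = None    # seconds; None = not locked

class LockoutPolicy:
    def __init__(self, max_attempts, lockout_minutes):
        if max_attempts not in MAX_ATTEMPTS or lockout_minutes not in LOCKOUT_MINUTES:
            raise ValueError("value is not one of the options on the page")
        self.max_attempts, self.lockout_minutes = max_attempts, lockout_minutes

    def is_locked(self, acct, now):
        if acct.locked_at is None:
            return False
        if self.lockout_minutes is None:
            return True                  # stays locked until an administrator unlocks
        if now - acct.locked_at >= self.lockout_minutes * 60:
            acct.locked_at, acct.failures = None, 0   # assumption: counter resets on expiry
            return False
        return True

    def attempt(self, acct, password_ok, now):
        # Lock state is checked before the credential, so even a correct
        # password is refused while the account is locked.
        if self.is_locked(acct, now):
            return "locked"
        if password_ok:
            acct.failures = 0            # assumption: success clears the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_attempts:
            acct.locked_at = now
        return "invalid"

    def admin_unlock(self, acct):
        acct.locked_at, acct.failures = None, 0

    def max_guesses_per_day(self):
        """Upper bound on invalid logins one account can absorb in 24 hours."""
        if self.lockout_minutes is None:
            return self.max_attempts
        return self.max_attempts * math.ceil(24 * 60 / self.lockout_minutes)
```

With 10 attempts and a 5-minute lockout the bound is 2,880 invalid logins per account per day; with 3 attempts and a 1-hour lockout it is 72.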