A secure connection is an encrypted exchange of information between the system and your Employees over an SSL connection. Encryption is established using a certificate that the system presents to the browser. When your employees send information to the system, it is encrypted on their computer and decrypted when it is received by the system, keeping your employees' data submissions safe in transit. Encrypted connections prevent man-in-the-middle attacks between your Employees and the system.
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which the user provides two different authentication factors to verify their identity, better protecting both the user's credentials and the resources the user can access.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's device or vireo account, because knowing the victim's password alone is not enough to get past the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data.
Our system allows you to use the following two-factor authentication methods: Google Authenticator, SMS, email, and U2F key.
If a session is left unattended for 12 minutes, the system alerts the user that the 'Session is about to Expire' and asks whether they wish to 'Stay Connected' or 'Logout'. If they do not respond within 5 minutes, the system automatically logs the user out.
This prevents unattended devices from causing a data breach.
Clients can change their password from their profile settings on the portal; they must follow the password strength rules that management sets on the system settings page.
You can set and enforce the password strength you require for your Administrators, Employees and Clients. For example, if you choose to enforce a strong password and the user types in a weak one, the system alerts the user and shows them a visual representation of the password strength as they type.
The password strength algorithm takes into account common password errors, such as number sequences and easy-to-guess words, when calculating the score. This allows you to ensure your data is protected to the level that you choose.
If you are dealing with high-profile clients, you may want to require 'Very Strong' passwords; if you are not handling high-profile information, you may reduce the required password strength a little for usability. You will want to strike a balance between data protection and ease of use for your users, but the choice is yours.
When a user attempts to log in and is unsuccessful ten times in a row, their IP address is automatically banned. This is to prevent brute-force password attacks: it slows attackers down and can stop them completely. The recommended lockout threshold, the number of attempts a legitimate person might reasonably need after forgetting their password, is ten. If a legitimate user becomes banned, they can easily contact management or an administrator to have their IP address removed from the ban list.
The IP address bans are not account specific, meaning that the user does not need to be trying to log in to an existing account to be banned. They simply need to type in and submit incorrect information; any incorrect submission counts as a failed login attempt. Each attempt is stored in the system, and if the IP address is eventually banned, you can review each credential attempt it made. This allows you to determine whether the logins were genuine attempts or a potential attack.
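The lockout behaviour described above, as an added illustration rather than the portal's own code: failures are counted per source IP (not per account, so attempts against non-existent usernames count), the tenth consecutive failure bans the IP, every attempt is kept for administrator review, and an administrator can lift the ban. The user store, IP addresses and the use of SHA-256 in place of a real password hash are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

BAN_THRESHOLD = 10  # ten consecutive failures ban the source IP, as described above

# Constructed user store for the example. SHA-256 is used only for brevity;
# a real deployment stores passwords with a password hash such as bcrypt or argon2.
_USERS = {"alice": hashlib.sha256(b"correct-horse-battery").hexdigest()}
_DUMMY = hashlib.sha256(b"unknown-user-placeholder").hexdigest()


@dataclass
class Attempt:
    username: str   # the submitted identifier, real account or not
    at: datetime    # the submitted password is deliberately never stored


@dataclass
class LoginGuard:
    history: dict = field(default_factory=lambda: defaultdict(list))  # audit trail per IP
    streak: dict = field(default_factory=lambda: defaultdict(int))    # consecutive failures
    banned: set = field(default_factory=set)

    def login(self, ip: str, username: str, password: str, when=None) -> str:
        """Return 'banned', 'ok' or 'failed'. The counter is keyed by IP, not by account."""
        if ip in self.banned:
            return "banned"
        # Always run the comparison so unknown usernames take as long as known ones.
        digest = hashlib.sha256(password.encode()).hexdigest()
        stored = _USERS.get(username, _DUMMY)
        if hmac.compare_digest(digest, stored) and username in _USERS:
            self.streak[ip] = 0  # a success ends the "in a row" streak for this IP
            return "ok"
        self.history[ip].append(Attempt(username, when or datetime.now(timezone.utc)))
        self.streak[ip] += 1
        if self.streak[ip] >= BAN_THRESHOLD:
            self.banned.add(ip)
            return "banned"
        return "failed"

    def attempts_for(self, ip: str) -> list:
        """Administrator view: every credential attempt this IP made, for review."""
        return list(self.history.get(ip, []))

    def unban(self, ip: str) -> None:
        """Administrator lifts the ban after a legitimate user gets in touch."""
        self.banned.discard(ip)
        self.streak[ip] = 0
```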