A secure connection is an encrypted exchange of information between the system and your employees over an SSL connection. Encryption is enabled by a document the system provides, called a certificate. When your employees send information to the system, it is encrypted on their computer and decrypted when it is received by the system, keeping your employees' data submissions safe in transit. Encrypted connections prevent man-in-the-middle attacks between your employees and the system.
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which the user provides two different authentication factors to verify their identity, to better protect both the user’s credentials and the resources the user can access.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s device or vireo account, because simply knowing the victim’s password alone is not enough to get past the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data.
Our system allows you to use the following two-factor authentication methods: Google Authenticator, SMS, email and U2F key.
If left unattended for 12 minutes, the system alerts the user that the ‘Session is about to Expire’ and asks whether they wish to ‘Stay Connected’ or ‘Logout’. If they do not respond within 5 minutes, the system automatically logs the user out.
This prevents unattended devices from causing a data breach.
You can set and enforce the password strength you require for your Administrators, Employees and Clients. For example, if you choose to enforce a strong password and the user types in a weak one, the system alerts the user and gives them a visual representation of the password strength as they type. The password strength algorithm takes into account common password errors, such as number sequences and easy-to-guess words, when calculating the score. This allows you to ensure your data is protected to the level you choose.
If you are dealing with high-profile clients, you may want to require ‘Very Strong’ passwords; if you are not dealing with high-profile information, you may reduce the required password strength a little for usability. You will want to strike a balance between data protection and ease of use for your users, but the choice is yours.
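As an added illustration of the kind of scoring described above (example code, not the product's own algorithm), the following Python scorer deducts points for number and letter sequences and for easy-to-guess words, then maps the score onto the selectable strength levels. The word list, point values and level thresholds are assumptions made for this example.

```python
import re

# Constructed sample of easy-to-guess words; a deployment would use a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "login"}
# Minimum score for each selectable level (thresholds are an assumption for this example).
LEVELS = {"Weak": 0, "Medium": 3, "Strong": 5, "Very Strong": 7}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters,
    e.g. '1234', 'abcd' or '9876': a common password error."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def score_password(pw: str) -> tuple:
    """Return (score, reasons); reasons list the deductions shown to the user as they type."""
    score, reasons = 0, []
    score += min(len(pw) // 4, 4)                         # up to 4 points for length
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    score += sum(1 for c in classes if re.search(c, pw))  # up to 4 for character variety
    if has_sequence(pw):
        score -= 2
        reasons.append("contains a number or letter sequence")
    if any(w in pw.lower() for w in COMMON_WORDS):
        score -= 3
        reasons.append("contains an easy-to-guess word")
    if len(pw) < 8:
        score -= 2
        reasons.append("shorter than 8 characters")
    return max(score, 0), reasons


def strength_label(pw: str) -> str:
    """Highest level whose threshold the password reaches."""
    score, _ = score_password(pw)
    return max((lvl for lvl, t in LEVELS.items() if score >= t), key=LEVELS.get)


def meets_required_level(pw: str, required: str) -> bool:
    """The check applied against the level management has configured."""
    return score_password(pw)[0] >= LEVELS[required]
```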
When a user attempts to log in and is unsuccessful ten times in a row, their IP address is automatically banned. This is to prevent brute-force password attacks: it slows down, and can completely stop, attackers. The recommended lockout threshold, allowing for the number of times a legitimate person might forget their password, is ten attempts. If a legitimate user becomes banned, they can easily contact management or an administrator to have their IP address removed from the ban list.
The IP address bans are not account specific, meaning that the user does not need to be trying to log in to an actual account to be banned; they simply need to type in and submit incorrect information. If the submission is incorrect, it counts as an incorrect login attempt. Each attempt is stored in the system, and if the IP address is eventually banned, you can review each credential attempt it made. This allows you to determine whether the login was a genuine attempt or a potential attack.
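The IP ban logic just described, as added example code rather than the product's implementation: consecutive failures from one address are counted whether or not the submitted username exists, every attempt is kept for later review (the submitted password is deliberately not stored), and an administrator lifts the ban. The threshold of ten comes from the text; the class and function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

BAN_THRESHOLD = 10  # consecutive failures from one IP before it is banned

@dataclass
class Attempt:
    when: datetime
    submitted_user: str  # what was typed as the username; the password itself is never stored
    success: bool

@dataclass
class LoginGuard:
    attempts: dict = field(default_factory=lambda: defaultdict(list))  # ip -> [Attempt]
    failures: dict = field(default_factory=lambda: defaultdict(int))   # ip -> consecutive failures
    banned: set = field(default_factory=set)

    def is_banned(self, ip: str) -> bool:
        return ip in self.banned

    def record(self, ip: str, submitted_user: str, success: bool) -> bool:
        """Log one attempt; return True if ip is now banned. Failures count even for unknown users."""
        self.attempts[ip].append(Attempt(datetime.now(timezone.utc), submitted_user, success))
        if success:
            self.failures[ip] = 0  # a good login resets the consecutive count
            return False
        self.failures[ip] += 1
        if self.failures[ip] >= BAN_THRESHOLD:
            self.banned.add(ip)
        return self.is_banned(ip)

    def review(self, ip: str) -> list:  # what an administrator reads to judge whether a ban was an attack
        return [f"{a.when.isoformat()} user={a.submitted_user!r} ok={a.success}"
                for a in self.attempts[ip]]

    def unban(self, ip: str) -> None:  # administrator lifts the ban after a legitimate user gets in touch
        self.banned.discard(ip)
        self.failures[ip] = 0

def replay_failures(guard: LoginGuard, ip: str, usernames: list) -> int:
    """Feed failed attempts until the ban takes effect; return how many were accepted."""
    processed = 0
    for user in usernames:
        if guard.is_banned(ip):
            break
        guard.record(ip, user, success=False)
        processed += 1
    return processed
```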
Employees can change their password from within their profile settings on the portal; they are required to follow the password strength rules set by management on the system settings page.
If management has turned the option on from within the management portal, employees have the ability to reset their own password. They will receive a link by either email or mobile, depending on the settings. The temporary link allows them to reset their password.
Because allowing users to reset their own password can be a security risk, we recommend using the feature at your own discretion. It can be a benefit for large companies that have a lot of employees, where the administrative burden of constantly dealing with password reset requests is too great. If you have a small company, we recommend turning password reset off.
To reduce some of the security risk of the password reset feature, the link to reset the password only appears after a couple of unsuccessful login attempts and only if the email address belongs to a valid account.
They must then pass a reCAPTCHA robot check and verify the email address for the account. If the password reset is by SMS, the system completes a second robot check and asks them to verify the mobile phone number on their account.
“To verify that this is your phone number, enter the last 4 digits including 00, and then click “Send code” to receive your code.”
If the email address and the mobile number match the records for the account, and the user has passed the reCAPTCHA robot checks, a password reset code is sent to their device or email account. They must then enter their new password twice, as well as the two-factor code they received, to complete the password reset.
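The reset flow described above, as added example code rather than the product's own: the link is gated on failed logins against a real account, the robot check and (on the SMS path) the last-four-digits check must pass before a one-time code is issued, and the code must be correct and unexpired and the two passwords must agree before the new password is stored. The two-attempt trigger, the ten-minute code lifetime, the password hashing choice and the class names are assumptions for this example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

MIN_FAILED_LOGINS = 2   # "a couple" of failed logins before the link appears (assumed: 2)
CODE_TTL_SECONDS = 600  # lifetime of the temporary link/code (assumed)

@dataclass
class Account:
    email: str
    mobile: str               # full number; only its last 4 digits are ever requested
    failed_logins: int = 0
    password_hash: bytes = b""

class PasswordReset:
    def __init__(self, accounts: dict):
        self.accounts = accounts   # email -> Account
        self.pending = {}          # email -> (one-time code, expiry time)

    def link_visible(self, email: str) -> bool:
        """The reset link is only shown after repeated failures on a real account."""
        acct = self.accounts.get(email)
        return acct is not None and acct.failed_logins >= MIN_FAILED_LOGINS

    def request_code(self, email: str, captcha_ok: bool, last4=None):
        """Issue the one-time code (returned here; the real system delivers it by email
        or SMS). On the SMS path last4 must match, compared in constant time."""
        acct = self.accounts.get(email)
        if not (captcha_ok and acct and self.link_visible(email)):
            return None
        if last4 is not None and not hmac.compare_digest(acct.mobile[-4:], last4):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = (code, time.time() + CODE_TTL_SECONDS)
        return code

    def complete(self, email: str, code: str, new_pw: str, confirm_pw: str) -> bool:
        """Finish the reset: code must be unexpired and correct; both passwords must agree."""
        entry = self.pending.get(email)
        if entry is None or time.time() > entry[1]:
            return False
        if not hmac.compare_digest(entry[0], code) or new_pw != confirm_pw:
            return False
        del self.pending[email]    # the code is single use
        salt = secrets.token_bytes(16)
        acct = self.accounts[email]
        acct.password_hash = salt + hashlib.pbkdf2_hmac("sha256", new_pw.encode(), salt, 200_000)
        acct.failed_logins = 0
        return True
```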