The system provides several features related to authentication for both Employees and Customers. The goal of these features is to make it as hard as possible for hackers to break into the system but as easy as possible for legitimate users to log in.

Here is a summary of the features described below:

Overview of Login Forms

The standard login form for Employees looks like this.

The default login form for Customers looks very similar.

"Remember Me On This Device"

As a convenience for all users when logging in, there's an option to check the box to "Remember Me On This Device." When that is clicked, after a successful login, the user will not have to log in again for one week. Without checking this option, users are automatically logged out after 20 minutes of inactivity.

Note: The option says "on this device" to remind users that anyone with access to the device may be able to use their account without logging in. The option should NOT be used on computers that are publicly accessible, such as at a library.

Note: When the user changes their password, it will expire the "Remember Me" logins on each of their devices, and they will have to log in again.

reCAPTCHA / "I'm Not a Robot"

By default, both Customers and Employees are required to pass the Google reCAPTCHA test to demonstrate they are not robots programmed by a hacker. This is by far the most effective tool to prevent a hacker from logging in via brute force, where they write a script to repeatedly test username/password combinations. This option may be turned off for Customers from the Login Security settings screen (see below).

Normally, clicking the "I'm not a robot" checkbox is all a user has to do to pass the test. Occasionally, a user may be required to perform an additional test, such as selecting images that contain certain objects. The goal is to make it easy on humans but hard on automated scripts designed by hackers.

This requirement is always enabled for Employees. Since the Cloud Edition runs as a service on the internet, it is important to have a CAPTCHA on these login forms. If you have a valid reason why this rule should be relaxed for Employees, contact SoftSlate support.

"Forgot Your Password?" Process

All users have the ability to reset a forgotten password via the "Forgot your password?" link.

Submitting their email address will trigger the system to send them a special link with an embedded token that allows them to reset their password.

For security, the link is only valid for a set period of time. If the time period expires, all they have to do is request a new link.

Password Rules

By default, the only requirement for Customer passwords is that they be at least eight characters long, but in the Administrator interface, additional requirements can be added to enhance security (i.e., make it harder for hackers to guess a password).

The Login Security Settings screen in the administrator allows admins to adjust the password rules for Customers.

Among the rules that may be defined are:

  • Minimum password length (eight by default for Customers)

  • Whether the password must contain at least one letter and one number (default false for Customers)

  • Whether the password must contain at least one uppercase letter and one lowercase letter (default false for Customers)

  • Whether the password must contain at least one “special” character (default false for Customers)

NOTE: For Employee logins, the minimum password length is also eight, but all of the other above rules are in effect. If you have a valid reason why the rules should be relaxed for Employees, contact SoftSlate support.
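The four rules above, as a small validator (added example, not SoftSlate's code) with the Customer defaults and the Employee rules described on this page; the definition of a "special" character as anything that is not a letter or digit is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    """The four rules exposed on the Login Security Settings screen."""
    min_length: int = 8
    letter_and_number: bool = False
    upper_and_lower: bool = False
    special_char: bool = False


# Customer defaults as described on this page.
CUSTOMER_DEFAULT_RULES = PasswordRules()
# Employees: minimum length eight and all other rules in effect.
EMPLOYEE_RULES = PasswordRules(min_length=8, letter_and_number=True,
                               upper_and_lower=True, special_char=True)


def password_violations(password: str, rules: PasswordRules) -> list[str]:
    """Return every rule the candidate password breaks; an empty list means it passes.

    Assumption: a "special" character is anything that is not a letter or digit.
    """
    problems: list[str] = []
    if len(password) < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    if rules.letter_and_number and not (
            re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs at least one letter and one number")
    if rules.upper_and_lower and not (
            re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs at least one uppercase and one lowercase letter")
    if rules.special_char and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")
    return problems


def is_acceptable(password: str, rules: PasswordRules) -> bool:
    """True when the password satisfies every enabled rule."""
    return not password_violations(password, rules)
```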

Lockouts After Repeated Failed Logins

By default, both Customers and Employees will be locked out of their accounts if they make repeated attempts to log in to their account using bad passwords. Again, this is an important security mechanism to prevent hackers from guessing a user's password by repeatedly guessing.

By default, Customers will be locked out for 30 minutes following five failed logins in a row. These parameters can be changed for Customers in the Administrator on the above Login Security Settings screen.

Employees will also be locked out for 30 minutes following five failed logins in a row. If you have a valid reason why this rule should be relaxed for Employees, contact SoftSlate support.

Unlocking a User Who Was Locked Out

If a user is having trouble logging in, an Employee with the appropriate permissions can unlock the user's account so they don't have to wait for the full lockout period to be over.

If a Customer is locked out, find their customer record from the Customers grid (/administrator/Customer). Click into Details and empty out the Locked Out Until field.

Click Save Changes. The Customer should be able to log in now without waiting for the lockout period to end.

For Employees who are locked out, the process is very similar. Find the Employee record and empty out their Locked Out Until field. You must have Superuser or Employee Edit permissions to edit Employees.
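The lockout and unlock behaviour of the two sections above, modelled as an added example (not SoftSlate's code): five consecutive failures set a "Locked Out Until" time 30 minutes ahead, a correct password is refused while that time is in the future, and an administrator unlock is simply clearing the field. Times as epoch seconds and the reset of the failure counter when a lockout starts are assumptions of the example.

```python
from typing import Optional

LOCKOUT_THRESHOLD = 5        # failed logins in a row (default on this page)
LOCKOUT_SECONDS = 30 * 60    # lockout length (default on this page)


class AccountLockout:
    """Consecutive-failure counter plus a 'Locked Out Until' timestamp for one account.

    Assumed representation: times are epoch seconds; locked_out_until is None when
    the field is empty, which is also what an administrator sets it to when unlocking.
    """

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD, seconds: int = LOCKOUT_SECONDS):
        self.threshold = threshold
        self.seconds = seconds
        self.consecutive_failures = 0
        self.locked_out_until: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        return self.locked_out_until is not None and now < self.locked_out_until

    def attempt(self, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(now):
            # Even a correct password is refused while the lockout is active,
            # so continued guessing during the 30 minutes achieves nothing.
            return "locked"
        if password_ok:
            self.consecutive_failures = 0
            self.locked_out_until = None
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.threshold:
            self.locked_out_until = now + self.seconds
            self.consecutive_failures = 0   # fresh count once the lockout expires
        return "failed"

    def admin_unlock(self) -> None:
        """Equivalent of emptying the 'Locked Out Until' field and clicking Save Changes."""
        self.locked_out_until = None
        self.consecutive_failures = 0
```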

Password Expirations

The system also supports the notion of expiring passwords, where the user is forced to change their password after a set period of time. This feature is turned off by default for Customers, but it may be enabled on the above Login Security Settings screen. To enable it, adjust the "Password Expiration Duration In Days" setting to something larger than 0. For example, setting the value to 365 will require Customers to change their password every year.

This feature is turned on for Employees, and the duration for passwords is set to 180 days. After 180 days, the next time the Employee logs in, they will be prompted to change their password. If you have a valid reason why this rule should be relaxed for Employees, contact SoftSlate support.

Reusing Previous Passwords

Customers may also be prevented from reusing a previous password when they change their password. This feature is disabled by default for Customers, but it may be enabled on the Login Security Settings screen. Simply adjust the "Number of Previous Passwords To Check" to something greater than 0. When it is enabled, each time a Customer changes their password the system will first check to make sure it is not the same as one of the previous x passwords, where x is the value of that setting.

By default, this feature is in effect for Employees, and set to five previous passwords that will be checked. If you have a valid reason why this rule should be relaxed for Employees, contact SoftSlate support.
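How a "previous x passwords" check can work without ever storing passwords in the clear, as an added example (not SoftSlate's code): only salted hashes of recent passwords are kept, the candidate is compared against the last x of them, and x = 0 disables the check. The PBKDF2-HMAC-SHA256 scheme and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PREVIOUS_PASSWORDS_TO_CHECK = 5   # Employee default on this page; 0 disables the check
PBKDF2_ITERATIONS = 100_000       # assumed for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest (assumed scheme); returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Keeps the salted hashes of a user's most recent passwords, newest last."""

    def __init__(self, previous_to_check: int = PREVIOUS_PASSWORDS_TO_CHECK):
        self.previous_to_check = previous_to_check
        self.history: List[Tuple[bytes, bytes]] = []

    def change_password(self, new_password: str) -> bool:
        """Record the new password unless it equals one of the previous x; return whether accepted."""
        if self.previous_to_check > 0:
            recent = self.history[-self.previous_to_check:]
            if any(password_matches(new_password, s, d) for s, d in recent):
                return False
        self.history.append(hash_password(new_password))
        # Retain only what the check needs (always at least the current password).
        keep = max(self.previous_to_check, 1)
        self.history = self.history[-keep:]
        return True
```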

Restricting Logins for Specific Users to Specific IP Addresses

In many cases, the location of the users accessing the system is known ahead of time. It may be that an Employee always logs in either from home or from an office location. To really restrict access, it is possible to define the list of legitimate IP addresses each user is allowed to log in from. This can be done for both Customers and Employees in the Administrator application.

To restrict a specific user to specific IP addresses, simply find their record in the Administrator (under Customers or Employees) and add the list of legitimate IP addresses to the "Allowed Ip Addresses" field.

The field accepts a comma-separated list of IP addresses. The next time the user logs in, the system will check the IP address they are logging in from against the list. If it is not contained in the list, the login will be refused.

To disable this feature, simply empty out the "Allowed Ip Addresses" field. An empty field tells the system to allow logins from any IP address.

Google Sign-In

The platform supports customer logins and registrations using Google Sign-In. This can be much more convenient for customers since they don't have to create a new password. This feature is turned off by default. For more information, visit this section of the Customer Account Features page: https://cloud.softslate.com/content/Customer_Account_Features#registration-and-login-with-google-sign-in.

It's important to note that when a customer signs in via Google, none of the above security features take effect for their account. Lockouts, password expirations, password rules, and so on are all managed by Google. If you wish to leverage the above features for customers, you should keep Google Sign-In turned off.