The Security section allows you to control access to your portal and monitor the activity of all users. It includes four subsections: Portal Access, Access Rights, Login History and Audit Trail.
Controlling portal access
The Portal Access subsection of the Security settings allows you to provide users with secure and convenient ways to access the portal.
Password strength settings
This section allows you to determine password complexity (the effectiveness of a password in resisting guessing and brute-force attacks). To do that,
Two-factor authentication
This section allows you to enable two-step verification with SMS or authenticator apps that ensures more secure portal access.
For the SaaS version, the SMS provider used on your portal is selected depending on the portal region: smsc is used for CIS, Clickatell and Twilio are used for all other regions. You can add available SMS providers in the Settings -> Integration -> Third-Party Services section.
If you are using the server version, you first need to connect at least one SMS provider in the Settings -> Integration -> Third-Party Services section so that you can enable the Two-factor authentication option.
To enable two-factor authentication with SMS,
- make sure that one of the SMS providers is connected in the Integration section,
- check the By SMS radiobutton under the Two-factor authentication section,
- to specify detailed settings, click Show Advanced Settings and set the necessary options:
  - in the Mandatory Two-factor authentication section, you can add users or groups for which two-factor verification will be performed even if the user comes from a trusted IP. For other users who are not included in the Trusted Networks list, two-factor verification is performed as usual.
  - in the Trusted Networks section, you can add trusted IP addresses for which two-factor verification will not be performed. Specify separate IP addresses in the IPv4 format (#.#.#.#, where # is a numeric value from 0 to 255), set an IP address range by entering the starting and ending IP addresses of the range in the #.#.#.#-#.#.#.# format, or use CIDR masking in the #.#.#.#/# format.
- click the Save button at the bottom of the section to apply the changes you made.
When two-factor authentication with SMS is enabled, a user can access the portal data after entering their regular email and password or signing in via a social media account and typing in a six-digit verification code received via SMS.
The SMS messages are sent to the user's primary mobile phone, which is specified during the first portal login via two-factor authentication and can later be changed on the user profile page. A verification code can be resent by clicking the Send code again button, but no more often than 5 times per 5 minutes. The sent code is valid for 10 minutes.
SMS messages can only be sent if your SMS provider balance is positive. You can check your current balance in your SMS provider account at any time. Do not forget to replenish your balance in good time.
To enable two-factor authentication with an authenticator app,
- check the By authenticator app radiobutton under the Two-factor authentication section,
- to specify detailed settings, click Show Advanced Settings and set the necessary options:
  - in the Mandatory Two-factor authentication section, you can add users or groups for which two-factor verification will be performed,
  - in the Trusted Networks section, you can add trusted IP addresses for which two-factor verification will not be performed. Specify separate IP addresses in the IPv4 format (#.#.#.#, where # is a numeric value from 0 to 255), set an IP address range by entering the starting and ending IP addresses of the range in the #.#.#.#-#.#.#.# format, or use CIDR masking in the #.#.#.#/# format.
- click the Save button at the bottom of the section to apply the changes you made.
When two-factor authentication with an authenticator app is enabled, a user can access the portal data after entering their regular email and password or signing in via a social media account and typing in a six-digit verification code or a backup code generated by the authenticator app.
To access the portal for the first time after enabling two-factor authentication:
- Enter your regular credentials to access the portal. The QR code and your secret key are displayed on your portal login confirmation page.
- Install an authenticator app on your mobile device. You can use Google Authenticator for Android and iOS or Authenticator for Windows Phone.
- Open the authenticator app on your mobile device and configure it in one of the following ways:
  - Scan the QR code displayed in the browser, or
  - Manually enter your secret key displayed in the browser.
- On your portal login confirmation page, enter a 6-digit code generated by your application.
- Click the Connect app button.
To learn more about how to use two-factor authentication on your portal, you can read the following article.
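Added example, not part of this article or the portal's own code: how the six-digit code typed on the login confirmation page is derived from the secret key shown at enrollment. It assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1, 30-second step, 6 digits) that Google Authenticator implements; the secret below is the RFC 6238 test key in base32, and the one-step verification window is an assumed tolerance for clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 reference key "12345678901234567890", base32-encoded,
# standing in for the secret key the portal displays next to the QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp_code(secret_b32: str, timestamp: int, digits: int = 6) -> str:
    """Return the TOTP code for a base32 secret at a given Unix time (HMAC-SHA1)."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", timestamp // STEP_SECONDS)   # 8-byte big-endian step count
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, submitted: str, timestamp: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side.

    A constant-time comparison avoids leaking how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, timestamp + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(SAMPLE_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_code(SAMPLE_SECRET_B32, code, now))
```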
Trusted mail domain settings
This section allows you to specify the mail servers used for user self-registration on your portal. By default, this option is disabled. To enable it,
- check the Custom domains radiobutton,
- enter the trusted mail server in the field which appears below,
- check the Add users as guests box if you wish the added users to get view-only permissions,
- click the Save button at the bottom of the section to apply the changes you made.
To add more mail servers, use the Add trusted domain link. To delete a server added by mistake, click the corresponding icon to the right of the field.
After that, any user who has an account on one of the specified mail servers will be able to register on their own by clicking the Click here to join link on the Sign In page and entering their email address. An invitation email with a link to the portal will be sent to the specified email address. To sign in, the user will need to follow the link provided in the email, enter a password and confirm it.
To disable this option again, just check the Disabled radiobutton.
IP security settings
This section allows you to prevent unwanted visitors from accessing your portal by allowing access to the portal from trusted networks only. If a user attempts to log in to your portal from any IP address except those you specify, this login attempt will be blocked. To restrict access to your portal based on the IP addresses,
- check the Enable radio button;
- click the Add allowed IP address link in the necessary section:
  - For all users - this section allows you to set rules which are applied to all users including full access administrators.
  - For full access administrators - this section allows you to set additional rules which are applied to full access administrators only.
- in the entry field that appears, specify a single IP address in the IPv4 format (#.#.#.#, where # is a numeric value from 0 to 255), set an IP address range by entering the starting and ending IP addresses of the range in the #.#.#.#-#.#.#.# format, or use CIDR masking in the #.#.#.#/# format;
You can find the information on your portal visitors' IP addresses in the Login History subsection of the Security settings by clicking the Download and open report button.
- in the same way, add as many trusted IP addresses as you need;
- click the Save button at the bottom of the section.
If necessary, you can delete the added IP addresses by clicking the corresponding icon to the right of the IP address. To disable this option again, just check the Disable radio button and click the Save button.
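Added example, not the portal's own code: a checker for the three allow-list entry formats used in the Trusted Networks and IP security settings (single address, start-end range, CIDR), applied to a login attempt. The sample entries and addresses are constructed, and the rule that a full access administrator must pass both the "For all users" list and the administrators' list is an assumed reading of "additional rules".

```python
import ipaddress


def parse_entry(entry: str):
    """Turn one allow-list entry into an inclusive (low, high) pair of integer IPv4 addresses.

    Accepted forms:  #.#.#.#  |  #.#.#.#-#.#.#.#  |  #.#.#.#/#
    Anything else raises ValueError, which is what a settings form should surface.
    """
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start, end = ipaddress.IPv4Address(start_s.strip()), ipaddress.IPv4Address(end_s.strip())
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return int(start), int(end)
    if "/" in entry:
        # strict=False tolerates host bits in the entered address, e.g. 198.51.100.7/24
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.IPv4Address(entry)
    return int(addr), int(addr)


def is_trusted(ip: str, entries) -> bool:
    """True when ip falls inside at least one allow-list entry."""
    value = int(ipaddress.IPv4Address(ip))
    return any(low <= value <= high for low, high in map(parse_entry, entries))


def login_allowed(ip: str, is_full_admin: bool, all_users_rules, admin_rules) -> bool:
    """Assumed semantics: everyone must match the all-users list; admins must also match theirs."""
    if all_users_rules and not is_trusted(ip, all_users_rules):
        return False
    if is_full_admin and admin_rules and not is_trusted(ip, admin_rules):
        return False
    return True


# Constructed sample lists using documentation-reserved address blocks.
ALL_USERS = ["203.0.113.7", "203.0.113.10-203.0.113.20", "198.51.100.0/24"]
ADMINS_ONLY = ["198.51.100.0/28"]

if __name__ == "__main__":
    for ip, admin in [("203.0.113.15", False), ("198.51.100.200", True), ("198.51.100.9", True)]:
        print(ip, "admin" if admin else "user", "->", login_allowed(ip, admin, ALL_USERS, ADMINS_ONLY))
```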
Login Settings
This section allows you to protect the portal against brute-force attacks.
- in the Number of attempts field, set the limit of unsuccessful login attempts by the user;
- in the Blocking time (sec) field, set the time interval for blocking new login attempts;
- in the Check period (sec) field, set the time interval for counting unsuccessful login attempts.
When the specified limit of unsuccessful login attempts is reached, attempts coming from the associated IP address will be banned (or, in the SaaS version, captcha will be requested) for the chosen period of time.
By default, this feature is disabled in the server version. If you want to use it, it's necessary to enable the feature in the configuration file. To learn more, read the following article.
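Added example, not the portal's own code: a per-IP throttle built from the three Login Settings fields above, so you can see how the check period and blocking time interact. Field values and the simulated attempt timestamps are constructed; the behaviour while an address is already blocked (new attempts are refused until the ban expires) is an assumption.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Counts failed logins per IP inside a sliding check period and bans the IP on the limit."""

    def __init__(self, attempts: int, block_secs: int, check_secs: int):
        self.attempts = attempts          # Number of attempts
        self.block_secs = block_secs      # Blocking time (sec)
        self.check_secs = check_secs      # Check period (sec)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time at which the ban expires

    def is_blocked(self, ip: str, now: float) -> bool:
        """Call before processing a login; expired bans are cleared lazily."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register a failed login; return True if this failure triggers a block."""
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.check_secs:   # forget failures outside the period
            window.popleft()
        if len(window) >= self.attempts:
            self.blocked_until[ip] = now + self.block_secs
            window.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


if __name__ == "__main__":
    # Constructed values: 3 attempts, 30 s block, 10 s check period.
    t = LoginThrottle(attempts=3, block_secs=30, check_secs=10)
    for ts in (0, 1, 2):
        print("failure at", ts, "-> blocked:", t.record_failure("203.0.113.5", ts))
    print("still blocked at 20 s:", t.is_blocked("203.0.113.5", 20))
```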
Administrator message settings
This section allows you to display the contact form on the Sign In page so that people can send a message to the portal administrator in case they have troubles while accessing the portal.
To enable it, just check the corresponding radiobutton and click the Save button at the bottom of the section to apply the changes you made.
Session Lifetime
This section allows you to set a time limit (in minutes) after which the portal users will need to enter their portal credentials again in order to access the portal.
To set a session lifetime, check the Enable radiobutton, enter the necessary time value measured in minutes in the Lifetime field that appears and click the Save button at the bottom of the section to apply the changes you made. After that, all the users will be logged out from the portal.