Authentication
How to set authentication settings
To access authentication settings, navigate to Administration » Settings » Authentication.
Here you can set up the following options:
- Authentication required – If authentication is not required, public projects and their contents are openly readable by anyone who can reach the application on the network. What anonymous users may do is set in Administration » Roles and permissions.
- Autologin – The number of days a user stays logged in through the autologin ("stay logged in") option before having to sign in again.
- Self-registration – Whether users can register accounts themselves, and how a new account is activated:
  - account activation by email – an activation link is sent to the registered e-mail address; the account works once the link has been followed.
  - manual account activation – an administrator must activate the account. Accounts waiting for activation can be filtered in the user list by the status "registered".
  - automatic account activation – the account is activated on the user's first login, with no e-mail or administrator step.
- Self-registered users are automatically added to group – You can add a self-registered user to an existing group automatically.
- Minimum password length – The minimum number of characters a password must have.
  - To protect sensitive business data, we strongly advise users not to store their login credentials (login name and password) in their web browsers. If the browser offers to save the password, decline. A saved password exposes the user account, and everything reachable from it, to anyone who gets hold of the browser profile.
  - There is no reliable way for the application to stop a browser from saving passwords: modern browsers deliberately ignore hints such as autocomplete="off" on login forms, regardless of the security risk, so this protection has to come from the user.
- Required character classes for passwords – Select any of uppercase letters, lowercase letters, digits and special characters. A new password that lacks any selected class is rejected with an error message.
- Unique password counter – The number of most recent passwords a user may not reuse; only after that many further changes can an old password be set again.
- Required password after – The number of days after which the system asks the user to change their password. The notifications about upcoming password expiration can be turned off in the user profile.
- Allow password reset via email – Check to allow sending the password reset link via e-mail.
- Two-factor authentication – "Disabled" deactivates 2FA and unpairs the authenticator devices of all users. "Required" forces every user to set up 2FA at their next login. "Required for administrators" forces every administrator to set up 2FA at their next login. "Optional" lets each user enable or disable 2FA in their own user profile.
  - Two-factor authentication (2FA), often called two-step verification, is a process in which the user presents two authentication factors to prove who they are. It contrasts with single-factor authentication (SFA), where the user presents only one factor, typically a password.
  - When 2FA is globally enabled as optional, each user finds the enable/disable option in their own user profile and decides for themselves. No user can activate 2FA for another user. An administrator can deactivate it for other users, but cannot activate it for them.
  - To enable 2FA, you are asked to scan the displayed QR code, or to type the secret shown as plain text, into an authenticator app (e.g. Google Authenticator, Authy, Duo Mobile). The app then generates a time-based one-time code; enter it in the next step of the form to prove the pairing works, and 2FA is activated.
- Remember devices for X days – Do not ask for a 2FA code again on a device that has already been verified within the specified number of days.
- Validate remembered devices – Check to warn when a user logs in from an unknown location.
- Session maximum lifetime – How long can someone be logged in before the system automatically logs the user out.
- Session inactivity timeout – How long can someone be inactive before the system automatically logs the user out.
- Display social service icons on the log-in page – Check to display the icons.
- Unsuccessful login attempts: Enable function – A brute-force protection that automatically blocks a user account after a wrong password has been submitted several times in a row.
- Block user after X attempts – Blocks the account after the specified number of incorrect password submissions.
  - A blocked user sees the configured notice on the login page. We recommend putting the contact details of the administrator or office who can unblock accounts there, so the user immediately knows where to turn.
  - We also recommend enabling the notification for administrators in charge of user management, so they can proactively contact the user and find out what happened (a forgotten password and a password-guessing attempt look the same in the counter).
  - Manual unblocking – Administrators unblock the user from the user profile page (not the user edit form) by clicking "Unblock".
  - Block vs lock – Blocking is unrelated to the Lock user function, which hides a user from the application entirely, for example after they have left the organization. Blocked users remain active; they only cannot log in until they are unblocked.
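The following is an added example, not Easy Project/Redmine code, that models the password settings above (minimum length, required character classes, unique password counter, required change after N days) together with the "block user after X attempts" lockout. Setting names mirror the page; the hashing scheme (PBKDF2-HMAC-SHA256 with a per-password salt), the class and function names, and the sample passwords are assumptions made for the example.

```python
# Added example (not Easy Project/Redmine code): a small model of the password
# policy and lockout settings described on this page. The hashing scheme
# (PBKDF2-HMAC-SHA256 with a per-password salt) is an assumption for the
# example, not the application's own.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# The four selectable "required character classes".
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digits": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class PasswordPolicy:
    min_length: int = 8
    required_classes: tuple = ("uppercase", "lowercase", "digits")
    unique_password_counter: int = 3       # the last N passwords may not be reused
    require_change_after_days: int = 90    # 0 disables expiry

    def check_new_password(self, password: str, history: list) -> list:
        """Return the list of violated rules (empty list = accepted).

        `history` holds the user's previous (salt, digest) pairs, newest first,
        so the reuse check needs no plaintext of old passwords."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        missing = [name for name in self.required_classes
                   if not CHARACTER_CLASSES[name].search(password)]
        if missing:
            problems.append("missing character classes: " + ", ".join(missing))
        # Only the most recent `unique_password_counter` entries are compared.
        for salt, digest in history[: self.unique_password_counter]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append(f"reuses one of the last {self.unique_password_counter} passwords")
                break
        return problems

    def must_change(self, password_age_days: int) -> bool:
        """The "required password after" check: True once the password is old enough."""
        if self.require_change_after_days <= 0:
            return False
        return password_age_days >= self.require_change_after_days


@dataclass
class LoginGuard:
    """Implements "block user after X attempts": consecutive failures block the account."""
    max_attempts: int = 5
    failures: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def record_attempt(self, user: str, password_ok: bool) -> bool:
        """Return True if the login may proceed, False if the account is blocked."""
        if user in self.blocked:
            return False            # a blocked user cannot log in even with the right password
        if password_ok:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.blocked.add(user)
            return False
        return True

    def unblock(self, user: str) -> None:
        """Manual unblocking by an administrator; the failure counter starts over."""
        self.blocked.discard(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    policy = PasswordPolicy(min_length=10, required_classes=tuple(CHARACTER_CLASSES),
                            unique_password_counter=2)
    history = [hash_password("OldPass-2023!"), hash_password("Older-Pass9!")]
    print(policy.check_new_password("OldPass-2023!", history))   # reuse is rejected
    print(policy.check_new_password("Fresh-Pass-77!", history))  # accepted: []
```

The reuse check recomputes the candidate with each stored salt, so the history can hold only hashes. Note that `LoginGuard` blocks on the N-th failure and keeps rejecting a correct password until `unblock` is called, which is the behaviour the "block vs lock" item describes.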
Require two factor authentication for user groups
It is possible to force two-factor authentication for user groups. Members of such a group (including users added to it later) are required to set up two-factor authentication at their next login. To activate this feature, navigate to Administration » Groups » select a group » check "Require two factor authentication" and save.
Corner situations
- Q: I've configured two-factor authentication in settings. I enabled this scheme. In my account, I tried to enable 2FA and tried using the Google Authenticator app. I couldn't verify with the code generated by the authenticator app. I also tried the Microsoft Authenticator app. Same problem.
A: The problem was that our server didn’t synchronize its clock with NTP. So the time on the server was different than the time on my phone.
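To make both the enrolment step described under "Two-factor authentication" (QR code or plain-text secret, then a code typed back) and the clock problem in this corner situation concrete, here is an added example that is not part of the page or of the product. It implements RFC 6238 TOTP the way authenticator apps compute it, assuming the defaults Google Authenticator uses (HMAC-SHA1, 30-second steps, six digits). The constant RFC_TEST_SECRET is the published RFC 6238 test key; the account name, issuer and function names are assumptions for the example.

```python
# Added example (not Easy Project/Redmine code): RFC 6238 TOTP as authenticator
# apps compute it, with the defaults Google Authenticator assumes (HMAC-SHA1,
# 30-second steps, six digits). It shows why an unsynchronised server clock
# breaks verification and why a tolerance of one step either side is normal.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6

# The well-known RFC 6238 test key: ASCII "12345678901234567890" in base32.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret() -> str:
    """Generate a per-user shared secret (160 bits, base32 as the apps expect it)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that is encoded into the QR code shown at enrolment."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def totp(secret: str, unix_time: int) -> str:
    """The code an authenticator app displays at `unix_time` (HOTP over the time step)."""
    key = base64.b32decode(secret.upper())
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Accept `submitted` if it matches the server's current step or one within +/-window steps."""
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def phone_vs_server(secret: str, phone_time: int, server_skew_seconds: int) -> bool:
    """Simulate the corner case: the phone is on time, the server clock is off by `server_skew_seconds`."""
    code_on_phone = totp(secret, phone_time)
    return verify(secret, code_on_phone, phone_time + server_skew_seconds)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.org", "Example App"))
    print("server 20 s off: ", phone_vs_server(RFC_TEST_SECRET, now, 20))    # accepted
    print("server 3 min off:", phone_vs_server(RFC_TEST_SECRET, now, 180))   # rejected
```

With a window of one step the server tolerates roughly 30 to 60 seconds of drift; a server that is minutes off rejects every code from every phone, which is exactly the symptom in the question above, and the fix is to keep the server synchronised with NTP rather than to widen the window.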