Security Settings

System > Site Design > Learning Portal Website > Security Settings

This area allows admins to account for different scenarios a User might encounter, or force security protocols onto their Users. 

 

Password Expiration

Enabling this setting forces Users to change their password on a regular basis. Requiring users to change passwords older than 90 days is commonly considered to be the best practice.

 

Limit Failed Login Attempts

When enabled, if an active user reaches the failed login attempt limit within the last hour, their user account will automatically be deactivated and a notification email will be sent to the partition email address. Limiting to 3-5 failed login attempts per hour is considered to be the best practice.

 

Failed Login Responses

By default, when a user/manager fails a login attempt, they will be brought back to their respective login page and a generic login failure message will be displayed. By entering URLs into this section, you can instead redirect them to the specified URL, depending on the reason their login has failed.

 

Two-Factor Authentication

If turned on, the system will track how the user is accessing their account by logging their IP Address and Web Browser combination. If the IP Address/Web Browser combination is different than usual, the user is prompted to enter a verification code, which is emailed and/or text messaged to them.

From a security standpoint, turning on Two-Factor Authentication is considered to be the best practice.

 

Two-Factor Device Limit

If Two-Factor Authentication is turned on, this value determines how many [Web Browser/IP address] combinations can be used by a user before they are prevented from accessing their account (which will require the admin to perform a reset of their devices via the 2-factor authentication reset from their user dashboard).
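
How the Two-Factor Authentication and Two-Factor Device Limit settings interact can be modelled as below. This is an added example, not the product's own code: the class, method and user names are hypothetical, and it assumes that a combination counts toward the limit once its verification code has been entered and that the first login from any combination is challenged.

```python
ALLOW, CHALLENGE, BLOCKED = "allow", "challenge", "blocked"

class TwoFactorPolicy:
    """Illustrative model only; class and method names are hypothetical."""

    def __init__(self, device_limit):
        self.device_limit = device_limit  # the Two-Factor Device Limit value
        self.known = {}  # username -> set of verified (ip, browser) pairs

    def evaluate(self, user, ip, browser):
        """Decision taken after the password itself has been accepted."""
        combos = self.known.setdefault(user, set())
        if (ip, browser) in combos:
            return ALLOW      # usual combination, no code needed
        if len(combos) >= self.device_limit:
            return BLOCKED    # stays blocked until an admin resets devices
        return CHALLENGE      # send a code by email and/or text message

    def confirm(self, user, ip, browser):
        """Record a combination once its verification code was entered."""
        if self.evaluate(user, ip, browser) != CHALLENGE:
            return False
        self.known[user].add((ip, browser))
        return True

    def admin_reset(self, user):
        """Models the admin's 2-factor authentication reset for one user."""
        self.known.pop(user, None)

def demo():
    """Constructed login sequence; IPs are documentation-range samples."""
    policy = TwoFactorPolicy(device_limit=2)
    logins = [("192.0.2.10", "Firefox"),    # first sight
              ("192.0.2.10", "Firefox"),    # same combination
              ("198.51.100.7", "Firefox"),  # same browser, new IP
              ("203.0.113.5", "Chrome"),    # third combination, over the limit
              ("192.0.2.10", "Firefox")]    # enrolled combination again
    results = []
    for ip, browser in logins:
        decision = policy.evaluate("alice", ip, browser)
        if decision == CHALLENGE:
            policy.confirm("alice", ip, browser)  # assume the code was correct
        results.append(decision)
    policy.admin_reset("alice")
    results.append(policy.evaluate("alice", "203.0.113.5", "Chrome"))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the tracked pair includes the IP address, in this model a user whose address changes often uses up one slot per new address, which is worth weighing when choosing the limit.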

 

User Recovery Field

This sets what user field(s) can be used by a user to recover their password. Note that if you set this to 'Username or Email Address', and you have multiple users with the same email address, this can cause confusion and not yield recovery information in all cases; enforced unique emails are required for this option to be effective. 

 

IP Whitelisting

By default, all IP addresses are able to access the Learning Portal website. If you want to limit which IP addresses can access this area, enter each IP address on a separate line. If at least 1 IP address is entered, your current IP address will automatically be added as well.


Page Banner Advanced Settings

In addition to setting up a page banner for the Learning Portal site, you can also set up banners for each usergroup. When you do so, the banner a user will see when they log into their account will be determined by the usergroup they are a member of.

This enables you to create sub-branding (for example, when people log in from company-X, they see the company-X banner, and users from company-Y see the company-Y banner).