Managing Authentication Settings
- Updated on 20 Nov 2024
Use the Authentication settings to manage password policy, password reset, brute force protection, password expiration, and two-factor authentication settings.
To open Authentication settings:
- From the top right corner of any page, click the System Settings icon. The System Settings page opens.
- In the Categories/Subcategories pane of the System Settings page, expand Privacy and Security, and select Authentication.
Password Policy Settings
Password Policy Settings are configured by default for Axonius-hosted (SaaS) customers and cannot be changed.
Enforce password complexity - Toggle on to configure and enforce password complexity for new/changed Axonius user accounts' defined passwords.
If switched on, specify the following parameters:
- Minimum password length (default: 10) - Specify the minimum length for a defined password. The specified value must be equal to or greater than the sum of the remaining fields.
- Minimum lowercase letters required (default: 1) - Specify the minimum lowercase letters required for an Axonius user account's (new/changed) defined password.
- Minimum uppercase letters required (default: 1) - Specify the minimum uppercase letters required for an Axonius user account's (new/changed) defined password.
- Minimum numbers required (default: 1) - Specify the minimum numbers required for an Axonius user account's (new/changed) defined password.
- Minimum special characters required (default: 0) - Specify the minimum special characters required for an Axonius user account's (new/changed) defined password.
  - Special characters refer to the following list: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
If switched on, the password complexity requirements are displayed whenever a user wants or needs to change their password, for example when changing a user password from the Manage Users page.
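The following is an added example (not Axonius code) of how a password can be checked against the Password Policy Settings described above, using the documented defaults and the documented special character list. It also enforces the constraint that the minimum length must be at least the sum of the other minimums. Counting only ASCII letters and digits is an assumption of this example.

```python
import string
from dataclasses import dataclass
from typing import List

# Special characters exactly as listed in the documentation above.
SPECIAL_CHARACTERS = set("~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/")


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirrors the Password Policy Settings fields, with the documented defaults."""
    min_length: int = 10
    min_lowercase: int = 1
    min_uppercase: int = 1
    min_digits: int = 1
    min_special: int = 0

    def validate_settings(self) -> None:
        """Documented constraint: minimum length >= sum of the remaining fields."""
        required = (self.min_lowercase + self.min_uppercase
                    + self.min_digits + self.min_special)
        if self.min_length < required:
            raise ValueError(
                f"minimum length {self.min_length} is less than the sum "
                f"of the other minimums ({required})")


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of unmet requirements; an empty list means the password complies."""
    policy.validate_settings()
    # Character-class counts (ASCII classes only; an assumption of this example).
    counts = {
        "lowercase letters": sum(c in string.ascii_lowercase for c in password),
        "uppercase letters": sum(c in string.ascii_uppercase for c in password),
        "numbers": sum(c in string.digits for c in password),
        "special characters": sum(c in SPECIAL_CHARACTERS for c in password),
    }
    minimums = {
        "lowercase letters": policy.min_lowercase,
        "uppercase letters": policy.min_uppercase,
        "numbers": policy.min_digits,
        "special characters": policy.min_special,
    }
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"at least {policy.min_length} characters")
    for label, minimum in minimums.items():
        if counts[label] < minimum:
            failures.append(f"at least {minimum} {label}")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords for a quick demonstration.
    for candidate in ("password", "Tr0ubadour!x"):
        print(candidate, "->", check_password(candidate) or "complies")
```

The returned list doubles as the text shown to a user who is changing their password, which matches the documented behaviour of displaying the unmet requirements.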
Password Reset Settings
- Reset password link expiration (hours) (default: 48) - The number of hours that the reset password link remains valid.
Password Brute Force Settings
Password Brute Force Settings are configured by default for Axonius-hosted (SaaS) customers and cannot be changed.
Enable Brute force protection - Toggle on to enforce a rate limit on user login and on changing a user account password.
Axonius uses a fixed window with an elastic expiry strategy for rate limiting. This strategy helps withstand bursts of attempts.
Example: a 10/minute rate limit is configured.
- If the user login is attacked at the rate of 10 hits per minute, the attacker is locked out of the resource for 1 minute after the last hit.
- If the user login is attacked at the rate of 1 hit per second for 1 minute (a total of 60 hits), then after the first 10 hits (after 10 seconds) the attacker is locked out of the resource for 1 minute. As the attacker continues with additional attempts, each attempt after the rate limit is exceeded increases the lockout by the relative impact of a single hit on the defined window size. In the example, each hit increases the lockout by an additional 6 seconds (60 seconds / 10 hits = 6 seconds per hit).
If switched on, specify the following parameters:
- Maximum attempts (default: 20) - Specify the maximum number of attempts allowed. Note: Both GET and POST requests are considered attempts.
- Window size in minutes (default: 5) - Specify the window size, in minutes, within which the allowed attempts are counted.
- Lock Type (default: IP address) - Select IP address or User name.
  - User login rate limiting is always per IP address.
  - Changing user account password rate limiting can be done by either IP address or user name.
Note: When a specific user name is locked, Axonius also locks the IP address associated with the session of that user name.
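The following is an added simulation, not Axonius's implementation, that models the fixed window with elastic expiry behaviour exactly as the two examples above describe it: every hit within the limit pushes the window expiry to a full window after that hit, and every hit beyond the limit extends the lockout by window size / maximum attempts. The `limit` and `window_seconds` parameters stand for the Maximum attempts and Window size settings; the 10/minute values are the example's, not the defaults.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ElasticFixedWindowLimiter:
    """Model of a fixed window with elastic expiry (added illustration).

    limit:          maximum attempts allowed inside one window
    window_seconds: window size
    expiry:         absolute time at which the current window / lockout ends
    """
    limit: int
    window_seconds: float
    count: int = 0
    expiry: float = 0.0

    def hit(self, now: float) -> Tuple[bool, float]:
        """Register one attempt at time `now` (seconds).

        Returns (allowed, seconds_until_unlocked).
        """
        if now >= self.expiry:
            # The previous window has expired: start counting afresh.
            self.count = 0
        self.count += 1
        if self.count <= self.limit:
            # Elastic expiry: the window ends a full window after the last hit.
            self.expiry = now + self.window_seconds
            return True, 0.0
        # Over the limit: each extra hit lengthens the lockout by window/limit.
        self.expiry += self.window_seconds / self.limit
        return False, self.expiry - now


def simulate(limiter: ElasticFixedWindowLimiter,
             hit_times: List[float]) -> List[Tuple[float, bool, float]]:
    """Feed attempt timestamps to the limiter; return (time, allowed, lockout_left) per hit."""
    return [(t, *limiter.hit(t)) for t in hit_times]


if __name__ == "__main__":
    # Second example from the text: 1 hit per second for 1 minute against 10/minute.
    limiter = ElasticFixedWindowLimiter(limit=10, window_seconds=60)
    for t, allowed, left in simulate(limiter, list(range(1, 61))):
        if not allowed:
            print(f"t={t:>2}s blocked, lockout ends in {left:.0f}s")
```

Running the second scenario shows the lockout growing by 6 seconds per blocked hit, so a constant stream of attempts never regains access until it stops; that is the property the text refers to when it says the strategy withstands bursts.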
Password Expiration Settings
- Enable password expiration (default: switched off) - Toggle on to enforce password expiration for all users in the system.
- Password expiration (days) (default: 90) - The number of days that a password is valid. Users with expired passwords are required to change their password when logging in.
Two-Factor Authentication Settings
Use two-factor authentication to add a second layer of protection in addition to the standard user password. Users will be sent a verification code to the email address associated with their account. The code is valid for 10 minutes.
- After 3 failed attempts, the user will be locked out for 10 minutes.
- Users must register their email to log in with two-factor authentication.
To enable two-factor authentication:
- Under Two-Factor Authentication, toggle on Require use of email verification code.
When enabled, the user will receive an email at their registered email address with an authentication code to be entered into the Axonius login page. The code is valid for 10 minutes.
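As an added illustration (not Axonius code), the server-side state needed for the email verification code described above: a code that is valid for 10 minutes and single use, a constant-time comparison of the submitted code, and a 10-minute lockout after 3 failed attempts. The 6-digit code format and the method names are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_VALIDITY_SECONDS = 10 * 60   # documented: the code is valid for 10 minutes
MAX_FAILED_ATTEMPTS = 3           # documented: 3 failed attempts ...
LOCKOUT_SECONDS = 10 * 60         # ... lock the user out for 10 minutes


@dataclass
class EmailCodeVerifier:
    """Verification-code state for one user account (added illustration)."""
    code: Optional[str] = None
    issued_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0

    def issue(self, now: float, code: Optional[str] = None) -> str:
        """Create a fresh 6-digit code (or accept a constructed one for testing).

        The returned value is what would be emailed to the registered address;
        it must never be placed in the HTTP response to the login page.
        """
        self.code = code if code is not None else f"{secrets.randbelow(10**6):06d}"
        self.issued_at = now
        self.failed_attempts = 0
        return self.code

    def verify(self, submitted: str, now: float) -> str:
        """Check a submitted code; returns 'ok', 'locked', 'expired' or 'invalid'."""
        if now < self.locked_until:
            return "locked"
        if self.code is None or now - self.issued_at > CODE_VALIDITY_SECONDS:
            return "expired"
        # Constant-time comparison: timing must not reveal how many digits matched.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.code = None            # single use
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Third failure: lock the account for the documented period.
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
        return "invalid"


if __name__ == "__main__":
    verifier = EmailCodeVerifier()
    sent = verifier.issue(now=0.0)          # code goes out by email in practice
    print("first wrong guess:", verifier.verify("000000", 1.0))
    print("correct code:", verifier.verify(sent, 2.0))
    print("reused code:", verifier.verify(sent, 3.0))
```

The `now` parameter is passed in rather than read from the clock so the expiry and lockout windows can be exercised deterministically; a real deployment would use the server's monotonic time and persist this state per user.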