Authentication & Security

The Authentication & Security panel is available via Security Settings. There are three tabs: MFA, Password, and Timeout Settings.

Multifactor Authentication (MFA)

When you first sign in to an account from a new device or application, the MFA process requires more than your standard sign in credentials: you enter your username and password as usual, then supply a second authentication element, called the "second factor."

How does multifactor authentication work? 

The first time you sign in on a device or app, you enter your username and password as usual, then you get prompted to enter your second factor to verify your identity. For instance, alongside your password, users may be prompted to input a unique code delivered through their Authenticator App or via Text Message (SMS). 

By incorporating MFA into your security practices, you add an extra layer of protection, making it more challenging for unauthorized entities to breach your accounts.

Customize multifactor authentication 

With the security features offered by KODE Labs, you have the power to customize the multifactor authentication (MFA) process to align seamlessly with your organization's unique needs. Safeguarding logins has never been more customizable or user-friendly.

Enabling and customizing MFA adds an extra layer of security by requiring users to provide a second form of identification. To view the MFA settings, select Security Settings > Authentication & Security.

You can choose whether to enforce MFA for all users or grant them the flexibility to decide for themselves. (This excludes users that use SSO for authentication.)

You can also choose how often users are prompted for MFA during sign in.

Password 

Customizable password settings contribute to system security. Enforcing strong password policies (such as length requirements, character diversity, and regular password changes) reduces the possibility of unauthorized access.

Within this section, you have the flexibility to specify the rules that should be followed for password generation, whether it's for user account creation or password reset.

The Password tab enables you to secure your environment by giving you control over password details such as password lifetime, how often passwords must be changed, and what a password must contain.

  • Password Complexity: Measure of how difficult a password is to guess.

    • There are two predefined password complexity settings: Medium and High.

    • You can also customize password complexity by defining whether the password must include a combination of the following:

      • Uppercase letters (A through Z).

      • Base 10 digits (0 through 9).

      • Non-alphanumeric characters (special characters).

      • Non-consecutive characters.

  • Lockout Settings: Designed to temporarily restrict access to a user account after a specified number of unsuccessful sign in attempts.

    • Retries before lockout: Maximum number of unsuccessful sign in attempts allowed before an account is locked out. For example, you can customize this setting to allow five unsuccessful sign in attempts before the account enters a locked state.

    • Lockout Time and Unit: Once the specified threshold is reached, you can define a time period during which the account remains inaccessible. For example, you can configure the lockout time to be one hour, during which the account remains locked, while still allowing legitimate users to regain access promptly after the specified duration.

  • Password configs:

    • Password history: Practice of keeping a record of previously used passwords for user accounts. The purpose of keeping password history is to prevent users from reusing the same passwords, which increases security by minimizing the risk of compromised accounts.

    • Password Expiry Time: Duration after which a user is required to change their password.
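As an added illustration (not KODE OS code) of how the retries-before-lockout and lockout-time settings interact, the Python class below tracks unsuccessful sign-in attempts per user and releases the lock once the configured time has elapsed; the class and method names, and the defaults of five retries and one hour, are assumptions taken from the example above.

```python
import time


class LockoutPolicy:
    """Tracks unsuccessful sign-in attempts per user. After `retries` failures
    the account is locked for `lockout_seconds`, then automatically usable again.
    Names and defaults (five retries, one hour) are assumptions taken from the
    example in the text, not the product's API."""

    def __init__(self, retries=5, lockout_seconds=3600, clock=time.time):
        self.retries = retries
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so tests can advance time
        self.failures = {}          # user -> consecutive failed attempts
        self.locked_until = {}      # user -> unlock timestamp

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:   # lockout expired: reset the counter too
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user, password_ok):
        """Outcome of one sign-in attempt: 'locked', 'ok' or 'failed'.
        The lock is checked first, so a correct password submitted during the
        lockout is still rejected and cannot be used to probe the lock."""
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)   # success resets the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.retries:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"
```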

Timeout Settings  

In the Timeout Settings tab you can set session and idle timeout values based on the specific needs for your application.

Session Timeout: Duration a user's session remains active after they sign in. Once this predefined period passes without any user activity, the system automatically signs the user out to increase security and protect sensitive information.

Idle timeout: Period of user inactivity within an active session. If no user activity occurs during this designated timeframe, the system initiates the sign out process.

FAQs 

Session Timeout Settings

How is session timeout configured in days?

Session timeout can be configured in days, with user sessions automatically logging out after the specified number of days of inactivity.

How is session timeout configured in hours?

Session timeout can also be set in hours, with user sessions automatically logging out after the specified number of hours of inactivity.

Can negative values be set for session timeout?

No, the system prevents setting negative values for session timeout and displays an error message for invalid values.

How does the system handle idle timeout in days?

Idle timeout can be configured in days, terminating user sessions automatically after the specified number of days of inactivity.

How is idle timeout set in hours?

Similar to day configuration, idle timeout can be set in hours, with sessions ending after the specified number of hours of inactivity.

Can non-integer values be used for idle timeout configuration?

No, the system requires integer values for idle timeout configuration and displays an error message for non-integer values.


Password Policy

What are the requirements for medium security level passwords?

Medium security level requires passwords to have a minimum of 8 characters, including at least one digit, one uppercase letter, and one special character.

What constitutes a high security level password?

High security level passwords must have at least 12 characters and include at least one digit, one uppercase letter, one special character, and no consecutive characters (uppercase, special characters, digits).

Can administrators create custom password policies?

Yes, administrators can create custom password policies enforcing specific requirements like minimum length, and the inclusion of uppercase, lowercase, special characters, digits, and non-consecutive characters.
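An added example, not the product's own implementation, that checks a password against the Medium and High presets described in the answers above and against a custom policy of the kind administrators can define. The policy keys, the use of ASCII punctuation as "special characters", and the reading of "consecutive characters" as a run of three identical or sequential characters are assumptions, since the page does not define these terms.

```python
import string

# Presets as the page defines them: Medium is 8+ characters with a digit, an
# uppercase letter and a special character; High is 12+ characters and also
# forbids consecutive characters. A custom policy is a dict with the same keys.
PRESETS = {
    "medium": {"min_length": 8, "uppercase": True, "lowercase": False,
               "digit": True, "special": True, "no_consecutive": False},
    "high": {"min_length": 12, "uppercase": True, "lowercase": False,
             "digit": True, "special": True, "no_consecutive": True},
}
MAX_LENGTH = 64                    # page: passwords up to 64 characters accepted
SPECIAL = set(string.punctuation)  # assumed definition of "special character"


def has_consecutive_run(pw, run=3):
    """True if `pw` contains `run` adjacent characters that are identical
    ('aaa', '111') or ascend in code-point order ('abc', '123', 'ABC').
    Assumption: the page does not define "consecutive"; this is one reading."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {0} or steps == {1}:
            return True
    return False


def check_password(pw, policy):
    """Return the list of violated rules; an empty list means the password passes."""
    if isinstance(policy, str):
        policy = PRESETS[policy]
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if policy["uppercase"] and not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if policy["lowercase"] and not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if policy["digit"] and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if policy["special"] and not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    if policy["no_consecutive"] and has_consecutive_run(pw):
        problems.append("contains consecutive characters")
    return problems
```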

How does the system handle lockout time configuration?

Lockout time can be configured, and after the specified time, users are allowed to retry password entry.

What is the configuration for retries before lockout?

The system allows configuration of the number of retries before lockout. Users are locked out after exceeding the configured number of retries.

How does password expiry time configuration work?

Administrators can configure the password expiration time. Users are prompted to change their password if it exceeds the configured expiration time.

Does the system check for leaked passwords?

Yes, the system checks passwords against breached or leaked databases and prevents users from using compromised passwords.

What happens when a password exceeds its expiration time?

Users whose passwords exceed the configured expiration time are prompted to change their password upon login.

What is the minimum password length allowed?

The system enforces a minimum password length, typically not allowing configurations less than 8 characters.

How does the system handle maximum password length?

The system can handle and accept passwords with the maximum allowed length, typically up to 64 characters.

Multifactor Authentication (MFA) 

Is MFA enforced by default for all users?

No, by default, MFA is not enforced for users, and they are not prompted to set up MFA during login.

Is MFA required for users logging in with email & password?

When specifically configured, only users logging in with Email & Password are prompted to set up and complete MFA.

Can admins configure different MFA options?

Yes, admins can configure various MFA options, such as requiring MFA at every login or remembering a known device for 7 or 30 days. Users see these options during setup.

Does the system use device fingerprinting for MFA validation?

Yes, device fingerprints are generated on the first login, saved, and associated with user accounts for MFA validation.

Does changing browsers trigger MFA?

Yes, changing the browser prompts Multifactor Authentication, regardless of the selected 7-day or 30-day frequency.

Does removing cookies trigger MFA?

Removing cookies triggers MFA, independent of the chosen frequency setting.

Are users prompted for MFA setup on the next login after MFA requirements are added?

Yes, existing users are prompted to set up MFA on their next login if MFA requirements are added.

How does MFA Work for multiple users in one browser?

When multiple users log in from one browser, each user maintains their own MFA validation settings, unaffected by other users’ settings, even in mixed modes of browsing.

Can users configure MFA for their accounts?

Yes, users can configure MFA settings for their accounts, which are validated during login.

What happens when an admin configures MFA for an organization?

Users' MFA configurations are updated according to the organization settings. Users default to the minimum available option if a previously selected option is removed.

What happens if MFA valid remember time is greater than session timeout?

Users are prompted for MFA verification after the session timeout, even if they have a valid MFA memory time.

What happens if MFA valid remember time is less than session timeout?

Users are prompted for MFA verification before the session timeout occurs.

What if MFA valid remember time is equal to session timeout?

Users are prompted for MFA verification exactly at the session timeout.

What happens if MFA valid remember time is set to 0?

Users are prompted for MFA verification every time they log in.
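To show how the remember time, session timeout, device fingerprint and cookie rules from the answers above combine into one decision, here is an added Python example (not KODE OS code); the function and field names, and the modelling of "cookies removed" as an absent remembered-device record, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class RememberedDevice:
    """What a known browser presents on login: the fingerprint saved at first
    login and the time of the last completed MFA. Both vanish with the cookies.
    Constructed model, not the product's own data structure."""
    fingerprint: str
    last_mfa_at: datetime


def mfa_required(now, signed_in_at, remember_days, session_timeout_days,
                 current_fingerprint, remembered: Optional[RememberedDevice]):
    """Decide whether the user must complete MFA at `now`, following the FAQ:
    cleared cookies or a new browser fingerprint always prompt; otherwise the
    prompt comes when the remember window or the session timeout, whichever is
    earlier, has elapsed (remember_days == 0 therefore means every login)."""
    if remembered is None:                             # cookies removed
        return True
    if remembered.fingerprint != current_fingerprint:  # browser/device changed
        return True
    remember_expired = now - remembered.last_mfa_at >= timedelta(days=remember_days)
    session_expired = now - signed_in_at >= timedelta(days=session_timeout_days)
    return remember_expired or session_expired


T0 = datetime(2024, 1, 1)          # constructed reference time for the demo


def at(days):
    """Instant `days` after T0 (used below and in tests)."""
    return T0 + timedelta(days=days)


if __name__ == "__main__":
    device = RememberedDevice("fp-A", T0)
    # remember 30 days but session 7 days: prompted at the session timeout
    print(mfa_required(at(6), T0, 30, 7, "fp-A", device))   # False
    print(mfa_required(at(7), T0, 30, 7, "fp-A", device))   # True
    # different browser fingerprint: prompted regardless of frequency
    print(mfa_required(at(1), T0, 30, 30, "fp-B", device))  # True
```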

Can admins reset MFA for a user?

Yes, an admin can reset MFA for a user, requiring them to set up MFA again on the next login.

Is it possible to disable MFA for a user?

Yes, an admin can disable MFA for a user, allowing new users to log in without MFA. Existing users are still prompted for 2FA.

Does MFA work on various mobile devices and browsers?

MFA should work seamlessly across different mobile devices and browsers.
