This document provides information about the Authentication security form screen, which displays information about Segura® Platform settings and allows you to manage them.
Path to access
- On Segura® Platform, in the navigation bar, hover over the Products menu and select Settings.
- In the side menu, select Security policies and network > Authentication security.
User accounts maintenance
| Item |
Type |
Description |
| X minutes to expire session |
Quantity input |
Defines the duration, in minutes, for the login session to time out. The maximum allowed idle period is 120 minutes. |
| Lock account after login errors after X attempts until locking |
Quantity input |
Number of failed login attempts, in a single login session, until the account is blocked. |
| Lock disabled account |
Checkbox |
Selects if an inactive account will be blocked. |
| X days until lock |
Quantity input |
If the Lock disabled account option is enabled, you must indicate the number of days without access until this account is blocked. |
| Force password change on first access |
Checkbox |
Selects if the user must change the password on first access. |
| Expire password |
Checkbox |
Selects if the password will expire automatically. |
| X days until password expires |
Quantity input |
If the Expire password option is enabled, you must indicate the number of days until the password expires. |
| Time between CSRF token (minutes) * |
Quantity input |
Select the maximum amount of time for the user to login before the CSRF token expires. |
Info
CSRF (Cross-Site Request Forgery) is an attack where a malicious website induces an authenticated user on another site, such as a bank, to perform an unwanted action, like a financial transfer. Without CSRF protection, a malicious link can perform this action as if it were the user themselves, using valid session cookies. To prevent this, CSRF tokens are used.
Multi-factor authentication
| Item |
Type |
Description |
| Force multi-factor authentication to all users |
Toggle button |
Enables or disables forced MFA authentication for all users. |
| Force digital certificate authentication to all users |
Toggle button |
Enables or disables forced digital certificate usage for all users. |
| Enable external Multi-Factor Authentication application |
Toggle button |
Enables or disables the permission to use an external solution for MFA authentication. |
| Allow “Trust this computer” up to a maximum X hours |
Toggle button and Text field |
Enables or disables the Trust this computer option for a specific amount of hours. With this configuration enabled, token usage won't be necessary for the defined time period. |
| Accept with tokens generated until X seconds change |
Toggle button and Quantity input |
Enables or disables acceptance of authentication tokens generated with a defined number of seconds of variation. The seconds of variation are the seconds during which an expired token will be considered valid. |
Password security level
| Item |
Type |
Description |
| Minimum characters for password |
Text field |
Minimum number of characters required for the password. |
| Minimum numbers for password |
Text field |
Minimum quantity of numbers required for the password. |
| Require symbols in the password |
Toggle button |
Enables or disables the requirement for symbols in the password. |
| Restrict password reuse |
Toggle button |
Enables or disables permission for password reuse. |
| Last passwords that cannot be used |
Text field |
If the Restrict password reuse option is enabled, you must indicate how many previous passwords cannot be reused. |
Continuous identification
| Item |
Type |
Description |
| Rating drop |
Quantity input |
Loss points to trigger reauthentication. |
| High risk sessions |
Quantity input |
Number of critical sessions to trigger reauthentication. |
| Blocked commands |
Quantity input |
Limit of audited commands per session to trigger reauthentication. |
| Session attempts at prohibited times |
Quantity input |
Number of allowed attempts outside access hours to trigger reauthentication. |
| Viewing attempts at prohibited times |
Quantity input |
Number of password viewing attempts outside permitted hours to trigger reauthentication. |
Info
To disable a trigger, set its value to zero.
Access control by IP
Attention
Note that when selecting the Deny all option, you will need to include the address 127.0.0.1 (localhost) in the allowed IP list. This configuration is essential because the Segura® Platform proxy performs access attempts internally and operates on localhost.
| Item |
Type |
Description |
| Allow all/Deny all |
Radio button |
Defines if all IP addresses will be denied or allowed. |
| + Add |
Button |
Adds an entry at the end of the IP address listing. |
| IP Range |
Table |
Data for each IP access control member containing the fields Start, End, and Action. |
Adaptive MFA by location
| Item |
Type |
Description |
| + Add |
Button |
Adds an entry at the end of the IP address listing. |
| IP Range |
Table |
Data for each member of the location-based adaptive MFA table containing the fields Start, End, and Action. |