Note: Only “Super Admins” have authority to change a company’s password complexity rules. If you are a user that is required to login using multi-factor authentication, please click here to view how to do so.

User login password complexity and multi-factor authentication requirements for ei3 applications can be controlled in two ways. A set of requirements is defined to create a “Password Rule” that applies company-wide, and rules can be distinct between the different access levels of users within a Mother Company in the Customer Portal. All rules may only be created and managed by Remote Service super-admin users. Please note that password requirements and multi-factor authentication are configured inside Remote Service and apply to both Remote Service and the Customer Portal.

A Remote Service super-admin user would first create one default rule for all users for their own company. This default rule will also apply to all the customer Mother Companies in the Customer Portal that were set up by that parent Remote Service company, unless a separate rule set is created for those companies. Such separate rules can also be segregated by user access level (non-admin, location admin, division admin, company admin).

Accordingly, additional, distinct rules may be created for individual customer Mother Companies. Such a rule would apply to the relevant Customer Portal users of that Mother Company.

Creating or Editing Password Rules

Log into Remote Service, go to Admin and then click on the Password Rules menu item. This opens the Password Rules page.

To create a new password rule, click the icon next to the Action column. The super admin should first create a default password rule for their own company and all its customer companies in the associated Customer Portal. Then, if different requirements are desired for a specific mother company, a separate rule can be created for just that mother company. A rule for a specific mother company applies as the unique default for all users in that company. In addition, password rules can be created for the different user access levels at the customer mother company. In summary, the super admin can create different password rules for different companies or for different user access levels.

When creating a new password rule, the rule defaults to affecting all users at all access levels. In the product's example, “ei3 Corporation” is the Remote Service OEM company.

To create a Password Rule for a particular Mother Company, the super-admin selects the Mother Company users option and then selects the specific company from the drop-down list. They must then select which access level(s) of the Mother Company users this rule should apply to.

Password Complexity Composition Limits

The following composition limits apply to all password rules:

Composition Requirements           Number of Characters
Length                             Between 8 and 128
Minimum Alphabetical Characters    Between 1 and 10
Minimum Numeric Characters         Between 1 and 10
Minimum Special Characters         Between 1 and 10
Minimum Uppercase Characters       Between 1 and 10
Minimum Lowercase Characters       Between 1 and 10

A number of characters within these limits must be defined for each composition requirement. The super admin can also reject commonly used words and user-derived words as passwords by selecting the corresponding checkboxes.

The Reject common passwords option will not allow a user to use any of the top 1000 most common passwords, while the Reject user derived passwords option will not allow the user's password to include their username, regardless of capitalization.
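As an added example (not code from ei3 or this page), the following Python validator enforces the composition limits from the table above together with the two rejection options. The PasswordRule class, the check_password function and the five-entry COMMON_PASSWORDS set are all constructed here; the real product's list of 1000 common passwords is not on the page, and the assumption that the list is matched case-insensitively is marked in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRule:
    """Composition settings; the allowed ranges mirror the limits table."""
    min_length: int = 8          # length: 8..128
    max_length: int = 128        # length: 8..128
    min_alpha: int = 1           # 1..10
    min_numeric: int = 1         # 1..10
    min_special: int = 1         # 1..10
    min_upper: int = 1           # 1..10
    min_lower: int = 1           # 1..10
    reject_common: bool = True
    reject_user_derived: bool = True

    def __post_init__(self):
        # Refuse to build a rule whose numbers fall outside the documented limits.
        if not 8 <= self.min_length <= self.max_length <= 128:
            raise ValueError("length bounds must lie between 8 and 128")
        for name in ("min_alpha", "min_numeric", "min_special", "min_upper", "min_lower"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be between 1 and 10")


# Constructed stand-in for the product's "top 1000 most common passwords" list.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})


def check_password(password: str, username: str, rule: PasswordRule,
                   common: frozenset = COMMON_PASSWORDS) -> list:
    """Return the names of violated requirements; an empty list means the password is accepted."""
    failures = []
    if not rule.min_length <= len(password) <= rule.max_length:
        failures.append("length")

    # One pass over the characters. Anything that is neither a letter nor a digit
    # counts as special (this example's assumption; that includes whitespace).
    counts = {"alphabetical": 0, "numeric": 0, "special": 0, "uppercase": 0, "lowercase": 0}
    for c in password:
        if c.isalpha():
            counts["alphabetical"] += 1
            if c.isupper():
                counts["uppercase"] += 1
            if c.islower():
                counts["lowercase"] += 1
        elif c.isdigit():
            counts["numeric"] += 1
        else:
            counts["special"] += 1

    minimums = {"alphabetical": rule.min_alpha, "numeric": rule.min_numeric,
                "special": rule.min_special, "uppercase": rule.min_upper,
                "lowercase": rule.min_lower}
    for name, minimum in minimums.items():
        if counts[name] < minimum:
            failures.append(f"minimum {name}")

    # Assumption: the common-password list is compared case-insensitively.
    if rule.reject_common and password.lower() in common:
        failures.append("common password")
    # The username may not appear anywhere in the password, regardless of capitalization.
    if rule.reject_user_derived and username and username.lower() in password.lower():
        failures.append("user derived")
    return failures


if __name__ == "__main__":
    rule = PasswordRule()
    for pw, user in (("Summ3r!Rain", "jdoe"), ("password", "jdoe"), ("Jdoe2024!x", "jdoe")):
        print(pw, "->", check_password(pw, user, rule) or "accepted")
```

Returning the full list of violated requirements, rather than stopping at the first one, lets the login page show the user every rule they still need to satisfy in a single round trip.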

Password Security Setting Limits

The following security setting limits apply to all password rules:

Security Setting Requirements      Number of days / tries
Maximum Password Life              Between 1 and 3650 days
Password Change Reminder           Between 1 and 365 days
Failed Login Attempts              Between 1 and 10 times
Password History Length            Between 1 and 10 passwords
Lock Inactive Users After          Between 1 and 3650 days

The Maximum Password Life (days), Password Change Reminder (days) and Password History Length settings each have an info icon that explains what the setting means.

The Maximum Password Life (days) is the maximum number of days since the user last changed their password before the user is forced to change their password.

The Password Change Reminder shows the user a reminder message stating how many days remain before the password expires and they will be forced to change it. In this case, the reminder message will appear every day starting 7 days before the password expires (from day 83 of the 90-day maximum password life).

The Password History Length is the number of times a password must be subsequently changed before an old password can be reused. In this case, after changing the password 3 times since a particular password was last used, the user can use that same particular password again.

At the bottom of the Security Settings section there is a checkbox to Force invalid password change. When this is checked, it will force users to change their password if their current password no longer meets the password rules, regardless of whether their password life has expired.
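As an added example (not ei3's code), the Python below models the Security Settings described in this section: password expiry, the reminder window, the history check, the failed-attempt and inactivity locks, and the Force invalid password change option. The SecuritySettings and UserState classes and every function are constructed for this example; the defaults use the page's 90-day life, 7-day reminder and history length of 3, while the 5-attempt and 180-day inactivity values are sample values chosen within the documented limits. Password history is compared through a SHA-256 digest only to keep the example short; a real deployment would compare against its salted password hashes.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class SecuritySettings:
    """Security settings of a Password Rule; ranges mirror the limits table."""
    max_password_life_days: int = 90      # 1..3650
    change_reminder_days: int = 7         # 1..365
    failed_login_attempts: int = 5        # 1..10 (sample value)
    password_history_length: int = 3      # 1..10
    lock_inactive_after_days: int = 180   # 1..3650 (sample value)
    force_invalid_password_change: bool = False

    def __post_init__(self):
        limits = {"max_password_life_days": (1, 3650), "change_reminder_days": (1, 365),
                  "failed_login_attempts": (1, 10), "password_history_length": (1, 10),
                  "lock_inactive_after_days": (1, 3650)}
        for name, (lo, hi) in limits.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be between {lo} and {hi}")


def _digest(password: str) -> str:
    # Stand-in for the real salted password hash; used only to compare history entries.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class UserState:
    password_changed_at: datetime
    last_login_at: datetime
    password_history: list = field(default_factory=list)  # digests, most recent last
    failed_attempts: int = 0
    locked: bool = False


def days_since(when: datetime, now: datetime) -> int:
    return (now - when).days


def password_expired(state: UserState, settings: SecuritySettings, now: datetime) -> bool:
    """Maximum Password Life: forced change once the password is that many days old."""
    return days_since(state.password_changed_at, now) >= settings.max_password_life_days


def reminder_days_left(state, settings, now):
    """Password Change Reminder: days until expiry while inside the reminder window, else None."""
    left = settings.max_password_life_days - days_since(state.password_changed_at, now)
    return left if 0 < left <= settings.change_reminder_days else None


def password_reusable(state, settings, candidate: str) -> bool:
    """Password History Length: the most recent N passwords may not be reused."""
    blocked = state.password_history[-settings.password_history_length:]
    return _digest(candidate) not in blocked


def change_password(state, settings, new_password: str, now: datetime) -> None:
    if not password_reusable(state, settings, new_password):
        raise ValueError("password was used too recently")
    state.password_history.append(_digest(new_password))
    state.password_changed_at = now
    state.failed_attempts = 0


def record_login_attempt(state, settings, success: bool, now: datetime) -> bool:
    """Apply the inactivity lock and failed-attempt lockout; True when the login proceeds."""
    if not state.locked and days_since(state.last_login_at, now) >= settings.lock_inactive_after_days:
        state.locked = True
    if state.locked:
        return False
    if success:
        state.failed_attempts = 0
        state.last_login_at = now
        return True
    state.failed_attempts += 1
    if state.failed_attempts >= settings.failed_login_attempts:
        state.locked = True
    return False


def must_change_password(state, settings, now, current_meets_rule: bool = True) -> bool:
    """Expired life, or (with Force invalid password change) a password that no longer meets the rule."""
    if password_expired(state, settings, now):
        return True
    return settings.force_invalid_password_change and not current_meets_rule
```

The history check keeps only the most recent N digests: with a history length of 3, a password set before the three most recent changes is accepted again, which is exactly the reuse behaviour the section describes.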

Multi Factor Authentication

In this section, the super admin can choose whether they want to enable two-factor authentication. Clicking the checkbox will require two-factor authentication for all users to which the Password Rule applies. For increased user convenience and slightly less security, the Allow user to remember their device check box can also be checked, which will allow users to skip the two-factor authentication process when logging in from a familiar computer.


A timeout is required when enabling two-factor authentication. Once the email or text message containing the code is sent to the user, the timeout value is the number of minutes within which the user must use that code. In this case, the user has 2 minutes before the code expires and can no longer be used to log in.

Selection of the Enable login contact validation checkbox will ensure that users have a valid email address and phone number in their profile. If they do not, they will be redirected to update that information in their profile prior to logging in.

Once all settings of a Password Rule are complete, the Password Rule must be enabled by checking the Enable Password Rule box at the end. The super admin can enable or disable it at any time, and changes will take effect immediately upon saving it.

© 2020 ei3 Corporation. Content of this web page is proprietary to ei3 Corporation.
