These settings help maintain account integrity, reduce unauthorized access, and support Multi-Factor Authentication (MFA) compliance.
You can access the Password Policy by going to Maintenance, and click Security Section, then click Password Policy.
⚠️ Important: Administrator permissions are required to configure or modify Password Policy settings.
Configure Password Strength
The Password Strength section defines the minimum complexity required for user passwords.
Go to Maintenance, and click Security Section, then click Password Policy.
Under Password Strength, set the following options:
Setting | Description |
Minimum Password Length | Defines the minimum number of characters required before a password can be saved. |
Numeric Character | Requires at least one numeric digit in the password. This replaces the previous “Force Password Alphanum” option. |
Uppercase Character | Requires at least one uppercase letter in the password. |
Symbol Using !@#$%^&*() | Requires at least one special symbol from the listed characters. |
Configure Password Reset Settings
The Password Reset Settings determine how often users must update their passwords and if reset enforcement applies to specific user types.
Setting | Description |
Days Before Password Expiry | Defines the number of days a password is valid before users must change it at next login. |
Enforce Password Reset | Forces users to change their password upon first login if they have not set one themselves. |
Apply to User Type(s) | Select which user types are affected when Enforce Password Reset is enabled. |
Password Reuse | Specifies how many times a user can reuse a previously used password. For example, if set to 4, the user can reuse a password every fifth change. |
📌 Note: Password Reuse requires Enforce Password Reset to be ticked for the conditions to apply.
Configure Login Settings
The Login Settings section manages login attempt thresholds, CAPTCHA rules, and session timeout behavior.
Setting | Description |
Disable User Name Auto Complete | Disables browser “Remember Me” functionality for login fields. |
No of Login Attempts before CAPTCHA | Defines the number of failed login attempts before a CAPTCHA challenge appears. |
No of Login Attempts before Locking | Sets the number of failed attempts before a user account is locked. Locked accounts must be manually re-enabled. |
Locked Login Message | Custom message displayed to users when their account is locked (e.g., “Account Locked. Please contact your administrator.”). |
Activate Session Timeout | Enables automatic logout after a defined period of inactivity. |
Session Timeout Duration | Sets the idle time (in minutes) before an automatic logout occurs. |
Security Question Required | Forces users to set a Security Question and use it for password recovery verification. |
Override Login for Timesheet Link | Allows direct access to a timesheet via email link, bypassing login if enabled. |
Configure Multi-Factor Authentication (MFA) Global Settings
The MFA Global Settings section defines how MFA is applied, remembered, and enforced across users and roles.
Setting | Description |
Remember Me | Allows MFA validation to be remembered for a specified duration, reducing repeated MFA prompts. |
Don’t Have Device – Security Question Option | Lets users answer a security question instead of MFA when permitted by compliance rules. |
Default Methodology | Sets the default MFA method (TOTP or SMS). SMS requires prior configuration. |
MFA Active Date | Displays when MFA was activated in your environment. |
MFA Mandatory Permission Items | Lists countries and user types where MFA is system-mandated for compliance. These settings cannot be changed. |
MFA Security Roles | Lets you assign MFA enforcement to specific Security Roles or User Types in addition to system compliance requirements. |
Best Practices
Enforce password reset policies regularly to maintain strong account security.
Enable MFA for users with access to sensitive or personal data.
Review password strength requirements annually to comply with security standards.
Use session timeouts for shared or public-access environments.
FAQs
Q1: What happens if a user forgets their password?
Answer: The user can click Forgot Password on the login page and must correctly answer their configured Security Question to receive a reset email.
Q2: How can a locked user be re-enabled?
Answer: An Administrator must navigate to Maintenance > Users, open the user record, and untick the Login Blocked field.
Q3: Can the MFA “Don’t have device” option be disabled?
Answer: Yes. If MFA is mandated by country compliance for a specific user type, this option will automatically be hidden.