Site Settings: Account Settings
This article will cover:
- Account Fields
- Password Authentication
- Password Rules
- Two-Factor Authentication
- Session Duration
- Account Security
- Social Site Integration
In the Site Administration area, under Settings, you will find an Account Settings sub-section. It will allow you to configure important defaults for all accounts and essential security settings.
Account Fields
Each Panelist can edit their profile via their personal Account Settings page. This section allows you to remove the editing rights of Panelists on some of their basic profile fields:
- First name
- Last name
- Email address
- Profile photo
- Username
Checking off the Customize fields available during account registration box will present a second column of options, allowing you to customize which fields panelists can edit during Account Registration (i.e. initial login) vs. Account Updates (future visits to the site).
Password Authentication
By default, users can log in with their username or email and a password. If you are using an identity provider, this login option can be disabled for select user roles.
Password Rules
The rules that define an acceptable password can be customized. The following options are available:
- Require a minimum password length (e.g. 6 characters)
- Require at least one uppercase (A-Z) and one lowercase letter (a-z)
- Require at least one digit (0-9)
- Require at least one symbol (!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
- Force passwords to be changed periodically (password expiry)
If periodic password expiry is enabled, various additional options become available:
- Number of days before password expiry to send a warning email that a new password must soon be selected
- Number of days after password expiry during which the current password can be used a final time to enter (the user will be immediately prompted to select a new password)
- Period of time before previous account passwords can be re-used (e.g. 12 months)
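The rules and expiry options above, sketched as an added Python example (not Recollective's code). The class, function and field names are hypothetical, the day counts are constructed sample settings, and the grace window is assumed to include its last day.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Symbol set as printed in the rule list above (backslash kept as it appears).
SYMBOLS = set("!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./")

@dataclass
class PasswordPolicy:          # hypothetical names; values are sample settings
    min_length: int = 6
    require_mixed_case: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    expiry_days: int = 90      # password lifetime (constructed value)
    warn_days: int = 14        # warning email window before expiry
    grace_days: int = 7        # final-use window after expiry
    reuse_days: int = 365      # period before an old password may be re-used

def rule_violations(policy, password):
    """Return the list of composition rules the candidate password breaks."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if policy.require_mixed_case and not (
            any(c in string.ascii_uppercase for c in password)
            and any(c in string.ascii_lowercase for c in password)):
        problems.append("needs upper and lower case")
    if policy.require_digit and not any(c in string.digits for c in password):
        problems.append("needs a digit")
    if policy.require_symbol and not any(c in SYMBOLS for c in password):
        problems.append("needs a symbol")
    return problems

def expiry_state(policy, last_changed, today):
    """Classify a password's age: ok, warn, grace (final use) or expired."""
    expires = last_changed + timedelta(days=policy.expiry_days)
    if today < expires - timedelta(days=policy.warn_days):
        return "ok"
    if today < expires:
        return "warn"            # warning email is due
    if today <= expires + timedelta(days=policy.grace_days):
        return "grace"           # one final login, then a forced change
    return "expired"             # current password no longer accepted

def reuse_allowed(policy, retired_on, today):
    """True once a previously used password is older than the reuse period."""
    return today - retired_on >= timedelta(days=policy.reuse_days)
```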
Two-Factor Authentication
Learn about Two-Factor Authentication (2FA).
The settings on this page allow enforcement of two-factor authentication for entire user roles (e.g. all Analysts, Moderators, Clients or Participants).
Once a role has been enabled, all users in that role without two-factor authentication enabled will be forced to set it up. The user will not be able to enter the site until their two-factor authentication configuration has been verified.
It is possible to manage enforcement at the account level instead of the role level. It is also possible to override the role-level enforcement for an individual, thus allowing temporary exemptions as needed.
Session Duration
Once a user is authenticated (i.e. after a successful login), they have a "session" which is logged as a visit on their profile.
This section allows you to define how quickly these sessions will expire after a period of inactivity in the web browser (e.g. 90 minutes).
When a session is about to expire due to inactivity, the user will receive a warning along with a 60-second countdown. They can choose to continue their session, log out or let their session expire.
Once a session expires, the user will be taken to a "Session Expired" page. If the user wishes to start a new session, they need only press "OK". If the automatic login feature is enabled, as described below, the user typically does not need to go through the login process again. If not, the user will be prompted to log in. In either case, the user is returned to the page that was being visited prior to their session expiring.
Session duration can be set uniquely for Panelists and Administrators (i.e. Analysts, Moderators and Clients).
Account Security
Brute force attacks are a way of gaining unauthorized access by attempting multiple common passwords on a single account. Such attacks can be prevented by locking accounts after a certain number of failed login attempts.
This section allows you to define the threshold for an account lockout and the duration of a lockout. You can also select one or more administrators to be notified when an account gets locked.
Once an account is locked, it can be unlocked by the affected user by performing a password reset. Analysts can also unlock an account on the Edit Panelist or Edit Admin page of the affected user.
Social Site Integration
Recollective integrates directly with popular online social sites to streamline the user registration and user authentication flow. Usability is improved by ensuring participants don't need to remember yet another account password.
Use this section to enable integration with one or more of the available services:
Once enabled, these services will appear on the login and registration forms of the site. They will also appear on the personal Account Settings page to allow existing Panelists to link their account to one or more of the enabled services. Linked profiles can be shared in-Study via the Privacy section of Study Settings.