Security Settings
Recollective includes a number of important security and privacy capabilities. Please contact us if you would like to receive a comprehensive review of Recollective's security and privacy related features.
Basic Recommendations
A number of security features can be controlled by site administrators. The two most basic considerations relate to users' passwords.
We recommend the following best practices:
- Have participants choose their own passwords or at least force them to change the password provided upon their first visit.
- Participants are more likely to remember their password if they created it themselves.
- Assigning the same password to all participants can be a good backup for potential login issues at the outset of the study, but it can increase the risk of unauthorized user access. Make sure that participants are required to change their password after their first successful login to strengthen their account security.
- Never include passwords in email as emails are sent in plain text and will persist in the participant's inbox for quite some time.
- If the passwords are not temporary, avoid sending participants their password over email.
Advanced Security Options
The following security options are also configurable for a site in the Site Administration area under Settings: Account Settings. Due to usability concerns, we don't recommend enabling all security options at once.
- Enforce use of two-factor authentication (by role)
- Enforce greater password complexity
- Block re-use of past passwords
- Reduce the idle time required before a session expires
- Disable use of Remember Me on login
- Lock accounts after fewer failed login attempts
- Notify multiple administrators when accounts get locked
- Disable automatic login on emailed broadcasts
Enforce use of two-factor authentication (by role)
Learn about Two-Factor Authentication.
Two-Factor Authentication (2FA) adds an extra layer of security to an individual account by requiring a single-use code at every login. Typically, a mobile phone app generates a unique 6-digit code every 60 seconds, which confirms that the individual attempting to log in is indeed the account owner. Individuals using 2FA must have a Recollective account and a second device.
2FA is available for all Recollective accounts for additional security and can be turned on in one's personal account settings. It can also be enforced for select account types in Settings: Account Settings. We do not recommend enforcing 2FA for participants unless they are all familiar with using two-factor authentication.
Enforce greater password complexity
You can configure Password Rules to define an acceptable password for Recollective accounts. Enabling more password rules can increase password complexity for higher account security. The following options are available:
- Require a minimum length of password (e.g. 6 characters)
- Make passwords case sensitive
- Require at least one uppercase (A-Z) and one lowercase letter (a-z)
- Require at least one digit (0-9)
- Require at least one symbol (!@#$%^&*()_+|~-=`{}[]:";'<>?,./)
- Force passwords to be changed periodically (password expiry)
Password rules are defined separately for Panelist accounts and Administrator accounts. Please note, newly added rules will only apply to new or updated passwords, not existing ones.
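The rule set above, applied separately to Panelist and Administrator accounts, as an added example that is not Recollective's own code; the field names and the two sample rule sets are assumptions for illustration.

```python
from dataclasses import dataclass

# Rule toggles mirror the options listed above; the field names are assumed
# for this example, not Recollective's own configuration keys.
@dataclass
class PasswordRules:
    min_length: int = 6
    case_sensitive: bool = True
    require_mixed_case: bool = False
    require_digit: bool = False
    require_symbol: bool = False

# The symbol set listed above.
SYMBOLS = set('!@#$%^&*()_+|~-=`{}[]:";\'<>?,./')

def normalize(password: str, rules: PasswordRules) -> str:
    """Value that gets hashed and stored. Only when passwords are not case
    sensitive is the input folded to lowercase, which shrinks the keyspace."""
    return password if rules.case_sensitive else password.lower()

def check_password(password: str, rules: PasswordRules) -> list[str]:
    """Return every violated rule; an empty list means the password is acceptable."""
    problems = []
    if len(password) < rules.min_length:
        problems.append(f"at least {rules.min_length} characters required")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if rules.require_mixed_case and not (has_upper and has_lower):
        problems.append("one uppercase (A-Z) and one lowercase (a-z) letter required")
    if rules.require_digit and not any(c.isdigit() for c in password):
        problems.append("one digit (0-9) required")
    if rules.require_symbol and not any(c in SYMBOLS for c in password):
        problems.append("one symbol required")
    return problems

# Sample rule sets (assumed): stricter rules for administrators than for panelists.
ADMIN_RULES = PasswordRules(min_length=12, require_mixed_case=True,
                            require_digit=True, require_symbol=True)
PANELIST_RULES = PasswordRules(min_length=8, require_digit=True)

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3x", "correcthorse", "Welcome1"):
        print(pw, "| admin:", check_password(pw, ADMIN_RULES) or "ok",
              "| panelist:", check_password(pw, PANELIST_RULES) or "ok")
```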
Block re-use of past passwords
Password Expiry can be enabled under Password Rules and forces accounts to change their password periodically. If periodic password expiry is enabled, various additional options become available:
- Period of time until password expiry
- Number of days before password expiry to send a warning email that a new password must soon be selected
- Number of days after password expiry that the current password can be used one final time to log in (the user will be immediately prompted to select a new password)
- Period of time before previous account passwords can be re-used (e.g. 12 months)
Increasing the period of time before passwords can be reused can encourage password variety and reduce the risk of account security breaches.
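The expiry timeline (warning window, final grace login, expired) and the re-use window described above, as an added example that is not Recollective's own code. Policy field names, the 365-day stand-in for "12 months", and the use of PBKDF2 for the stored password history are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Status(Enum):
    OK = "ok"            # nothing to do
    WARN = "warn"        # inside the warning window: send the reminder email
    GRACE = "grace"      # expired: one final login, then a new password is forced
    EXPIRED = "expired"  # grace period over: the old password no longer works

# Field names are assumed for this example, not Recollective's own settings.
@dataclass
class ExpiryPolicy:
    expiry_days: int = 90   # period of time until password expiry
    warn_days: int = 7      # days before expiry to send the warning email
    grace_days: int = 3     # days after expiry the old password works one last time
    reuse_days: int = 365   # "12 months" before a past password may be re-used

def password_status(changed_on: date, today: date, policy: ExpiryPolicy) -> Status:
    """Where a password set on changed_on sits on the expiry timeline today."""
    expires_on = changed_on + timedelta(days=policy.expiry_days)
    if today < expires_on - timedelta(days=policy.warn_days):
        return Status.OK
    if today < expires_on:
        return Status.WARN
    if today < expires_on + timedelta(days=policy.grace_days):
        return Status.GRACE
    return Status.EXPIRED

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow, salted password hash the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def retire_password(password: str, retired_on: date) -> tuple[bytes, bytes, date]:
    """History entry kept when a password is replaced: (salt, digest, retired date)."""
    salt = os.urandom(16)
    return salt, _digest(password, salt), retired_on

def reuse_blocked(candidate: str, history: list, today: date, policy: ExpiryPolicy) -> bool:
    """True if the candidate matches a password retired inside the re-use window.
    Entries older than the window are skipped before any hashing is done."""
    cutoff = today - timedelta(days=policy.reuse_days)
    return any(retired_on >= cutoff and hmac.compare_digest(_digest(candidate, salt), digest)
               for salt, digest, retired_on in history)
```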
Reduce the idle time required before a session expires
The Session Duration controls when a user must log in again after a defined period of inactivity (in minutes). Decrease the number of minutes for a session to reduce the likelihood of unauthorized access to a user's account if they forget to log out. Session duration is defined separately for Panelists and Administrators.
Disable use of “Remember Me” on login
The Remember Me option allows users to re-enter the site on the same device without needing to login again. It tells the platform that the current browser and device is trusted and can make login easier for users. This in turn may heighten the risk of account login by an unauthorized user.
Turning off the toggle switch will prevent all account types from using it. If you only need to disable it for a specific account type (Panelist or Administrator), set the number of days to 0.
Lock accounts after fewer failed login attempts
Numerous failed login attempts in succession may signal that someone is trying to gain unauthorized access to an account. Under the Account Security section, you have the option of setting limits for the number of failed login attempts before the account is locked. The following options are available:
- The number of failed login attempts before lockout
- The period of time lockout will last
- Administrators to be notified when an account is locked
When an account is locked, it can be unlocked by performing a password reset or by having an Analyst manually unlock the affected user's account. Reducing the number of failed login attempts allowed before lockout makes it harder for an unauthorized user to guess their way into the account.
Notify multiple administrators when accounts get locked
Select multiple Analysts to be notified of a locked account. This helps to inform administrators which accounts may be at risk so they can take action as soon as possible, for example by notifying the account owner and asking them to change their password, or by enforcing two-factor authentication. This option can be configured under Account Security.
Disable automatic login on emailed broadcasts
All email broadcasts will contain a specialized link allowing automatic login to your Recollective site. Consider disabling this feature before sending email broadcasts, since anyone who obtains the email would otherwise have instant access.
To disable automatic login for specific email broadcasts, simply turn off the automatic login toggle switch before previewing your message. To disable automatic login for all email broadcasts from the platform, navigate to Settings: Email Notifications and turn off the automatic login toggle switch located under the "Email Broadcast" section.