Security Settings

Recollective includes a number of important security capabilities. Please contact us if you would like a comprehensive review of Recollective's security- and privacy-related features.

Basic Recommendations

A number of security features can be controlled by site administrators. The two most basic considerations relate to users' passwords.

We recommend the following best practices:

  • Have participants choose their own passwords or at least force them to change the password provided upon their first visit.
    • Participants are more likely to remember their password if they created it themselves.
    • Assigning the same password to all participants can be a good backup for potential login issues at the outset of the study, but it can increase the risk of unauthorized user access. Make sure that participants are required to change their password after their first successful login to strengthen their account security.
  • Never include passwords in email, as email is sent in plain text and will persist in the participant's inbox for quite some time.
    • If the passwords are not temporary, avoid sending participants their password over email.

Advanced Security Options

The following security options are also configurable for a site in the Site Administration area under Settings: Account Settings. Due to usability concerns, we don't recommend enabling all security options at once.

Enforce use of two-factor authentication (by role)

Two-Factor Authentication (2FA) adds an extra layer of security to an individual account by requiring a single-use code at every login. Typically, a mobile phone app is used to generate a unique six-digit code every 60 seconds, which confirms that the individual attempting to log in is indeed the account owner. Individuals using 2FA must have a Recollective account and a second device.
Any Recollective account can enable 2FA for additional security from its personal account settings. 2FA can also be enforced for select account types in Settings: Account Settings. We do not recommend enforcing 2FA for participants unless they are all familiar with using two-factor authentication.

Enforce greater password complexity

You can configure Password Rules to define an acceptable password for Recollective accounts. Enabling more password rules can increase password complexity for higher account security. The following options are available:
  • Require a minimum length of password (e.g. 6 characters)
  • Make passwords case sensitive
  • Require at least one uppercase (A-Z) and one lowercase letter (a-z)
  • Require at least one digit (0-9)
  • Require at least one symbol (!@#$%^&*()_+|~-=`{}[]:";'<>?,./)
  • Force passwords to be changed periodically (password expiry)
Password rules are defined separately for Panelist accounts and Administrator accounts. Please note, newly added rules will only apply to new or updated passwords, not existing ones.

Block re-use of past passwords

Password Expiry can be enabled under Password Rules and forces accounts to change their password periodically. If periodic password expiry is enabled, various additional options become available:
  • Period of time until password expiry
  • Number of days before password expiry to send a warning email that a new password must soon be selected
  • Number of days after password expiry that the current password can be used a final time to log in (the user will be immediately prompted to select a new password)
  • Period of time before previous account passwords can be re-used (e.g. 12 months)
Increasing the period of time before passwords can be reused can encourage password variety and reduce the risk of account security breaches.
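The following is an added example, not Recollective's own code, that models the Password Rules and Password Expiry options listed above as a small policy checker: complexity rules, case sensitivity, the expiry/warning/grace periods, and the reuse window. All names and the rule values are hypothetical; the symbol set is the one from the rule list.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Symbol set taken from the "Require at least one symbol" rule above.
SYMBOLS = set('!@#$%^&*()_+|~-=`{}[]:";\'<>?,./')

@dataclass
class PasswordRules:
    min_length: int = 6
    case_sensitive: bool = True    # case-insensitive matching shrinks the effective keyspace
    require_mixed_case: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    expiry_days: int = 0           # 0 = password expiry disabled
    warn_days: int = 0             # warning email this many days before expiry
    grace_days: int = 0            # days after expiry the old password still works one last time
    reuse_window_days: int = 0     # how long before an old password may be chosen again

def _digest(rules, pw):
    # Illustration only: a real system keeps history with a slow, salted password hash, not bare SHA-256.
    return hashlib.sha256((pw if rules.case_sensitive else pw.lower()).encode()).hexdigest()

def complexity_violations(rules, pw):
    """Return the rules a candidate password breaks (an empty list means it is acceptable)."""
    problems = []
    if len(pw) < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    if rules.require_mixed_case and not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs an uppercase and a lowercase letter")
    if rules.require_digit and not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if rules.require_symbol and not any(c in SYMBOLS for c in pw):
        problems.append("needs a symbol")
    return problems

def reuse_blocked(rules, history, pw, today):
    """history: list of (digest, date_set). True if pw was already used inside the reuse window."""
    cutoff = today - timedelta(days=rules.reuse_window_days)
    d = _digest(rules, pw)
    return any(old == d and when >= cutoff for old, when in history)

def expiry_status(rules, last_set, today):
    """'valid', 'warning' (email due), 'grace' (one final login, then forced change) or 'expired'."""
    age = (today - last_set).days
    if rules.expiry_days == 0 or age < rules.expiry_days - rules.warn_days:
        return "valid"
    if age < rules.expiry_days:
        return "warning"
    return "grace" if age < rules.expiry_days + rules.grace_days else "expired"
```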

Reduce the idle time required before a session expires

The Session Duration controls when a user must log in again after a defined period of inactivity (in minutes). Decrease the number of minutes for a session to reduce the likelihood of unauthorized access to a user's account if they forget to log out. Session duration is defined separately for Panelists and Administrators.

Disable use of “Remember Me” on login

The Remember Me option allows users to re-enter the site on the same device without needing to log in again. It tells the platform that the current browser and device are trusted and can make login easier for users. This in turn may heighten the risk of account login by an unauthorized user.
Turning off the toggle switch will prevent all account types from using it. If you only need to disable it for a specific account type (Panelist or Administrator), set the number of days to 0. 

Lock accounts after fewer failed login attempts

Numerous failed login attempts in succession may signal that someone is trying to gain unauthorized access to an account. Under the Account Security section, you have the option of setting limits for the number of failed login attempts before the account is locked. The following options are available:
  • The number of failed login attempts before lockout
  • The period of time lockout will last 
  • Administrators to be notified when an account is locked
When an account is locked, it can be unlocked by performing a password reset or having an Analyst manually unlock the affected user’s account. Reducing the number of failed login attempts can discourage unauthorized users from forcing access to the account. 

Notify multiple administrators when accounts get locked

Select multiple Analysts to be notified of a locked account. This helps inform administrators which accounts may be at risk so they can take action as soon as possible, for example by notifying the account owner and asking them to change their password, or by enforcing two-factor authentication. This option can be configured under Account Security.

Disable automatic login on emailed broadcasts

All email broadcasts will contain a specialized link allowing automatic login to your Recollective site. Consider disabling this feature before sending email broadcasts to prevent unauthorized users from having instant access.
To disable automatic login for specific email broadcasts, simply turn off the automatic login toggle switch before previewing your message. To disable automatic login for all email broadcasts from the platform, navigate to Settings: Email Notifications and turn off the automatic login toggle switch located under the “Email Broadcast” section. 