Security Settings
Basic Recommendations
A number of security features can be controlled by site administrators. The two most basic considerations relate to users' passwords.
We recommend the following best practices:
- Have participants choose their own passwords, or at least force them to change the password provided on their first visit. Participants are more likely to remember a password they created themselves.
- Assigning the same password to all participants can be a useful fallback for login issues at the outset of a study, but it increases the risk of unauthorized access. Make sure participants are required to change their password after their first successful login to strengthen their account security.
- Never include passwords in email: email is sent in plain text and will persist in the participant's inbox for a long time.
- If a password is not temporary, do not send it to participants over email.
Advanced Security Options
The following security options are also configurable for a site in the Site Administration area under Settings: Account Settings.
- Enforce use of two-factor authentication (by role)
- Enforce greater password complexity
- Block re-use of past passwords
- Reduce the idle time required before a session expires
- Lock accounts after fewer failed login attempts
- Notify multiple administrators when accounts get locked
- Disable automatic login on emailed broadcasts
Enforce use of two-factor authentication (by role)
Two-Factor Authentication (2FA) adds an extra layer of security to an individual account by requiring a single-use code at every login. Typically, a mobile phone app generates a unique 6-digit code every 60 seconds, which confirms that the person attempting to log in is indeed the account owner. Individuals using 2FA must have a Recollective account and a second device.
Any Recollective account holder can enable 2FA for additional security from their personal account settings. It can also be enforced for select account types in Settings: Account Settings. We do not recommend enforcing 2FA for participants unless they are all familiar with using two-factor authentication.
Enforce greater password complexity
You can configure Password Rules to define an acceptable password for Recollective accounts. Enabling more password rules can increase password complexity for higher account security. The following options are available:
- Require a minimum length of password (e.g. 6 characters)
- Require at least one uppercase (A-Z) and one lowercase letter (a-z)
- Require at least one digit (0-9)
- Require at least one symbol (!@#$%^&*()_+|~-=`{}[]:";'<>?,./)
- Force passwords to be changed periodically (password expiry)
Block re-use of past passwords
Password Expiry can be enabled under Password Rules, and forces account holders to change their password periodically. If periodic password expiry is enabled, several additional options become available:
- Period of time until password expiry
- Number of days before password expiry to send a warning email that a new password must be selected soon
- Number of days after password expiry during which the expired password can be used one final time to log in (the user will be immediately prompted to select a new password)
- Period of time before previous account passwords can be reused (e.g. 12 months)
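The following is an added example, not Recollective's own code, that models the Password Rules and Password Expiry options listed above: a complexity checker using the symbol set given, a reuse check against password history, and a mapping from password age to the warning, grace and expired states. All thresholds (6-character minimum, 90-day expiry, 7-day warning, 3-day grace, 365-day reuse window) are assumed values for illustration.

```python
# Added example, not Recollective's own code. Thresholds are assumed values.
import hashlib
from datetime import date, timedelta

# The symbol set listed under "Require at least one symbol".
SYMBOLS = set("!@#$%^&*()_+|~-=`{}[]:\";'<>?,./")


def check_password(pw, min_length=6):
    """Return the names of the complexity rules pw fails (empty list = accepted)."""
    failures = []
    if len(pw) < min_length:
        failures.append("min_length")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("mixed_case")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    if not any(c in SYMBOLS for c in pw):
        failures.append("symbol")
    return failures


def digest(pw):
    # sha256 only keeps the example self-contained; a real password store keeps
    # a dedicated slow password hash (bcrypt, scrypt, argon2), never a bare digest.
    return hashlib.sha256(pw.encode()).hexdigest()


def was_reused(pw, history, today, reuse_window=timedelta(days=365)):
    """history is a list of (digest, date_set). True if pw matches a password
    that was set within the reuse window ("period before passwords can be reused")."""
    d = digest(pw)
    return any(h == d and today - set_on < reuse_window for h, set_on in history)


def expiry_state(date_set, today, expiry_days=90, warn_days=7, grace_days=3):
    """Map a password's age to the states implied by the expiry options:
    'ok', 'warn' (warning email due), 'grace' (one final login, then a forced
    change) or 'expired' (password no longer usable)."""
    age = (today - date_set).days
    if age < expiry_days - warn_days:
        return "ok"
    if age < expiry_days:
        return "warn"
    if age < expiry_days + grace_days:
        return "grace"
    return "expired"
```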
Reduce the idle time required before a session expires
The Session Duration controls when a user must log in again after a defined period of inactivity (in minutes). Decrease the number of minutes to reduce the likelihood of unauthorized access to a user's account if they forget to log out. Session duration is defined separately for Panelists and Administrators.
Lock accounts after fewer failed login attempts
Numerous failed login attempts in succession may signal that someone is trying to gain unauthorized access to an account. Under the Account Security section, you have the option of setting limits for the number of failed login attempts before the account is locked. The following options are available:
- The number of failed login attempts before lockout
- The period of time the lockout will last
- Administrators to be notified when an account is locked
When an account is locked, it can be unlocked by performing a password reset or by having an Analyst manually unlock the affected user's account. Lowering the permitted number of failed login attempts makes it harder for an unauthorized user to guess their way into an account.
Notify multiple administrators when accounts get locked
Select multiple Analysts to be notified of a locked account. This informs administrators which accounts may be at risk so they can act as soon as possible, for example by notifying the account owner and asking them to change their password, or by enforcing two-factor authentication. This option can be configured under Account Security.