Servitly provides a number of options that allow you to configure how your users will manage account preferences and security.
Within the Access and Security / Account page, you can configure the following security options.
User login
In case you have configured an OAuth based plugin (e.g. OpenID, Sales Force), you can define whether the login page is the Servitly one or use only the remote one.
Invalid access prevention
To prevent brute-force logins, by default, the DPS login page uses reCAPTCHA v3, and after 5 consecutive failed logins, the user is prompted for a reCAPTCHA v2 (I'm not a Robot) challenge.
To improve access security, it is possible to disable the account for 30 minutes in case of 10 consecutive failures.
Also, you can reduce the sensitivity of reCAPTCHA v3 to minimize the number of times the challenge is displayed. The reCAPTCHA v3 score depends on several factors and should be tested to find the best configuration for your DPS.
Although possible, it is recommended not to completely deactivate the reCAPTCHA functionality.
By default, DPS remembers the user who logged in; thus, you do not need to log in again each time you access the application on the browser or mobile app. Optionally, you can define to force login on a fixed basis, such as every 10 days.
Inactivity and Suspension
Selecting "Enable inactive account suspension" allows you to specify the number of months of user inactivity after which the account is automatically suspended. Inactivity means that the user is no longer accessing the application.
A user whose account is suspended cannot perform any new login, and must request the OEM back-office to reactivate it.
Inactive users are notified in advance and when the suspension takes place. You can edit all suspension related messages in the Messages page.
Refresh Token Duration
In this section you can specify the duration of the refresh token in minutes.
The refresh token is required to obtain a new JWT token, that must be periodically renewed in order to make API requests.
An empty value means that the refresh token never expires, so even if the user leaves the DPS page and returns after a few days, it is immediately registered again.
Otherwise, if you specify a duration, for instance 120 minutes, the user must log in again after that period of inactivity.
Password security
Although passwords are encrypted and known only by the users who entered them, it is a good practice to force such passwords to meet certain validation criteria.
The DPS requires that the entered password must be 8 characters or longer and must include at least: 1 lowercase letter, 1 uppercase letter, 1 number, 1 special character (e.g. #$?).
In addition, you can avoid the usage of public information, like the user's first name, user's last name, e-mail or the name of the application (e.g. John$1980).
And moreover, you can also prevent the usage of dictionary words (e.g. Password, Qwerty).
Even if these two boxes are not checked, DPS warns the user if the entered password is weak.
Authorizations
You can define which is the default thing-authorization when a new user is invited to a customer. In this way, you can define whether the new user can see all the customer's products or none by default.
Comments
0 comments
Please sign in to leave a comment.