Learn how to manage user-related security settings within 6clicks
6clicks provides several mechanisms to secure user access within your tenant. You can adjust the following security settings within the administration settings module:
To access these administrative settings, navigate to Administration > Settings and then click on the Security tab.
Password Complexity
Use default settings: Sets the password complexity to the recommended default settings: 8 character minimum, requires digit, requires lowercase, requires non-alphanumeric, requires uppercase
Require digit: Requires that a digit or number be used in the password
Require lowercase: Requires that at least one lowercase letter be used in the password
Require non alphanumeric: Requires that at least one non-alphanumeric or special character be used in the password
Require uppercase: Requires that at least one uppercase letter be used in the password
Required length: Enter the password length you require your users to use when creating and using a password
Custom disclaimer
Information on adding a personalized disclaimer to your login page can be found here.
User lockout
The settings in this section delineate how, when, and for how long accounts can be set to be locked out.
As the Enable user account locking on failed login attempts setting indicates, accounts can be set to lock after failed login attempts. It is recommended to always enable this setting.
Once enabled, you can select the maximum number of failed login attempts before the account is locked out. You can also specify the length of time, in seconds, that the lockout should last. We recommend leaving these at their default values.
Note: If a user is deactivated or locked out, an administrator can re-activate/unlock them from the user administration screen.
The Max days of user inactivity before deactivating setting can be used by administrators to automatically deactivate users who have not logged in for the specified period. The setting is applicable to all users, including those configured for SSO.
To make sure that certain "break glass" or administrator accounts are always accessible, there are two settings you can review and set when administering a user:
- To make sure the account cannot be deactivated, select and edit the user in Administration > Users and check the setting Do not deactivate when inactivity period reached (if configured).
- To prevent the account from being locked out, uncheck Enable lockout if too many failed logins. You should set very strong passwords and enable MFA for such accounts.
Note: The "Max days of user inactivity" setting will work when SSO is enabled for a user. However, the "User lockout" setting does not apply because this is controlled by the SSO provider.
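The lockout, break-glass exemption and inactivity rules described above, modelled as an added example (this is not 6clicks code; the attempt limit, lockout duration and inactivity threshold are constructed sample values, and a user who has never logged in is assumed to be left active):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    lockout_enabled: bool = True     # "Enable user account locking on failed login attempts"
    max_failed_attempts: int = 5     # constructed sample value, not the 6clicks default
    lockout_seconds: int = 300       # constructed sample value, not the 6clicks default
    max_inactive_days: int = 90      # "Max days of user inactivity before deactivating"


@dataclass
class User:
    name: str
    uses_sso: bool = False           # lockout is handled by the SSO provider instead
    lockout_exempt: bool = False     # "Enable lockout if too many failed logins" unchecked
    inactivity_exempt: bool = False  # "Do not deactivate when inactivity period reached"
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None
    active: bool = True


def record_failed_login(user: User, policy: LockoutPolicy, now: datetime) -> bool:
    """Count a failed password attempt; return True if this attempt locked the account."""
    # Break-glass accounts, SSO users and tenants with lockout disabled never lock.
    if not policy.lockout_enabled or user.uses_sso or user.lockout_exempt:
        return False
    user.failed_attempts += 1
    if user.failed_attempts >= policy.max_failed_attempts:
        user.locked_until = now + timedelta(seconds=policy.lockout_seconds)
        user.failed_attempts = 0
        return True
    return False


def is_locked(user: User, now: datetime) -> bool:
    """A lock expires on its own once the configured number of seconds has passed."""
    return user.locked_until is not None and now < user.locked_until


def record_successful_login(user: User, now: datetime) -> None:
    user.failed_attempts = 0
    user.locked_until = None
    user.last_login = now


def apply_inactivity_rule(user: User, policy: LockoutPolicy, now: datetime) -> bool:
    """Deactivate idle users (SSO users included); return the resulting active flag."""
    if user.inactivity_exempt or user.last_login is None:
        return user.active
    if now - user.last_login > timedelta(days=policy.max_inactive_days):
        user.active = False
    return user.active
```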
Multi-Factor Authentication
Multi-factor authentication (MFA) is enabled by default.
There are two steps in the login flow where MFA can be selectively enabled or disabled:
- After entering an email address, but prior to seeing a list of teams associated with that email. This is necessary as the list of accessible teams is considered sensitive.
- When logging in to the selected team after submitting an email address and password.
Note that the second setting is not applicable for tenants with SSO enabled, as MFA will be handled by the identity provider in that case.
With MFA enabled for the tenant, it can be further configured per user. More information can be found here.