Security Settings
Security Settings allow administrators to configure authentication and session management policies for the training management system. These settings help maintain system security and control user access patterns.
Overview
The Security Settings page provides centralized control over key security features including two-factor authentication requirements and login session duration. These settings apply to all users in the system and help maintain compliance with organizational security policies.
Accessing Security Settings
- Navigate to Options: Click the Options button from the main navigation menu
- Select Security Settings: Click on Security Settings from the Company Options section in the sidebar
Available Security Settings
Require Two-Factor Authentication
Purpose: Controls whether all users must use two-factor authentication to access the system.
Configuration:
- Toggle Switch: Use the YES/NO switch to enable or disable the requirement
- Default: Disabled (NO)
- When Enabled: All users will be required to use two-factor authentication via email to log in
How Two-Factor Authentication Works:
- User enters username and password
- System sends verification code to user's registered email address
- User must enter the verification code to complete login
- Access is granted only after both password and email verification are successful
Important Considerations:
- Email Requirements: All users must have valid email addresses configured
- Implementation: Communicate the change with advance notice to users
- Support Impact: Prepare help desk for increased authentication-related questions
- Emergency Access: Ensure system administrators can assist users who lose email access
Login Expiration (Days)
Purpose: Defines how long user login sessions remain active before requiring re-authentication.
Configuration:
- Range: 1 to 365 days
- Default: 30 days
- Input Method: Numeric field with validation
How Login Expiration Works:
- Sessions automatically expire after the specified number of days
- Users must log in again once their session expires
- Sliding expiration means the timer resets with each user activity
- Expired sessions redirect users to the login page
Recommended Settings:
- High Security Environments: 1-7 days
- Standard Business Use: 30 days (default)
- Convenience-Focused: 90-180 days
Testing Two-Factor Authentication
Before full implementation, it's recommended to test the functionality with a test user.
Pre-Implementation Testing Process
- Prepare Test User Account:
  - Identify a test user account with a valid email address.
  - Ensure the test user can log out, log in again, and receive emails at the registered address.
  - Have the test user log out completely from the system using the Logout option from their profile menu in the upper right corner of the site.
- Enable Two-Factor Authentication:
  - As an administrator on a separate computer, navigate to Options > Security Settings.
  - Toggle the "Require Two-Factor Authentication" switch to YES.
  - Click Save to apply the setting.
- Test Login Process:
  - Have the test user attempt to log in with their username and password.
  - Verify that the system prompts for an email verification code.
  - Check that the verification email is received in the test user's inbox.
  - Confirm the test user can successfully complete login using the verification code.
- Post-Test Decision:
  - Keep Enabled: If testing is successful, leave two-factor authentication enabled and notify all users.
  - Disable for Later: If issues are found, toggle the setting back to NO until problems are resolved.
Testing Checklist
- Test user has valid email address configured
- Test user completely logged out before testing
- Two-factor authentication enabled by administrator
- Verification email received by test user
- Login completed successfully with verification code
- Decision made to keep enabled or disable temporarily
Security Best Practices
Two-Factor Authentication
When to Enable:
- Organizations with sensitive training data
- Companies with compliance requirements
- High-risk user environments
Implementation Tips:
- Communicate early: Notify users well in advance
- Provide training: Ensure users understand the new process
- Test thoroughly: Verify email delivery works for all users
- Plan for exceptions: Have a process for users without email access
Login Expiration
Factors to Consider:
- User convenience: Shorter periods require more frequent logins
- Security requirements: Sensitive environments need shorter sessions
- Usage patterns: Consider how often users access the system
Impact of Changes
Two-Factor Authentication Changes
Enabling Two-Factor Authentication:
- Immediate Effect: All future logins require email verification
- Existing Sessions: Current logged-in users remain active until normal expiration
- Email Requirements: All users must have email addresses to log in
Disabling Two-Factor Authentication:
- Immediate Effect: Future logins only require username/password
- No Impact: Existing sessions and user accounts are not affected
Login Expiration Changes
Shorter Expiration Period:
- Existing Sessions: Continue with their original expiration time
- New Sessions: Use the new shorter duration
- User Impact: More frequent login requirements
Longer Expiration Period:
- Existing Sessions: Continue with original expiration
- New Sessions: Use the new longer duration
- Security Impact: Longer exposure window for compromised credentials
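The interaction between sliding expiration and a changed Login Expiration value can be modelled as follows. This is an added example, not the product's code; the class and function names are hypothetical, and it assumes that an existing session keeps sliding by the lifetime it was created with.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass
class Session:
    lifetime_days: int  # captured from the setting when the session was created
    expires_at: float


class SessionPolicy:
    """Illustrative model of Login Expiration (Days); not the product's code."""

    def __init__(self, login_expiration_days=30):  # page default: 30 days
        self.set_expiration(login_expiration_days)

    def set_expiration(self, days):
        if not isinstance(days, int) or not 1 <= days <= 365:  # page range
            raise ValueError("Login Expiration must be 1 to 365 days")
        self.days = days

    def login(self, now):
        return Session(self.days, now + self.days * DAY)

    def touch(self, session, now):
        """Return True and slide the window if the session is still valid."""
        if now >= session.expires_at:
            return False  # expired: the user is redirected to the login page
        # Sliding expiration: activity restarts the timer. Assumption: the
        # restart uses the lifetime the session was created with.
        session.expires_at = now + session.lifetime_days * DAY
        return True


def last_accepted_day(old_days, new_days, active_every_days, horizon_days):
    """Last day an already-open session is accepted after the setting changes."""
    policy = SessionPolicy(old_days)
    session = policy.login(now=0)
    policy.set_expiration(new_days)  # administrator changes the setting at day 0
    last = 0
    for day in range(active_every_days, horizon_days + 1, active_every_days):
        if not policy.touch(session, day * DAY):
            break
        last = day
    return last
```

In this model a session opened under a 90-day setting and used once every 30 days is still accepted on day 360 after the setting is shortened to 7, while a session opened under the 7-day setting is rejected at its first monthly visit.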
Troubleshooting
Common Issues
Two-Factor Authentication Problems:
- Email not received: Check spam folders, verify email addresses
- Code expired: Verification codes expire after 10 minutes
- Multiple codes: Only the most recent code is valid
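The two code rules above (10-minute expiry, only the most recent code valid) can be checked against a small model of the email verification step. This is an added example, not the product's code; the class name, the 6-digit format, single use, and the attempt limit are assumptions the page does not state.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # from the page: codes expire after 10 minutes
MAX_ATTEMPTS = 5            # assumption: the page states no attempt limit

class EmailCodeVerifier:
    """Illustrative model of the email verification step, not the product's code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [code, issued_at, failed_attempts]

    def issue(self, username):
        # One slot per user, so issuing a new code invalidates the previous one.
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits is an assumption
        self._pending[username] = [code, self._clock(), 0]
        return code  # a real system emails this; it is returned only for the demo

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return "invalid"
        code, issued_at, _ = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[username]
            return "expired"
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]  # single use, so no replay
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:  # stop online guessing of a short code
            del self._pending[username]
        return "invalid"


def demo():
    now = [0.0]  # constructed fake clock so the run is deterministic
    v = EmailCodeVerifier(clock=lambda: now[0])
    first, second = v.issue("test.user"), v.issue("test.user")
    while second == first:  # avoid the 1-in-a-million identical pair
        second = v.issue("test.user")
    out = [v.verify("test.user", c) for c in (first, second, second)]
    third = v.issue("test.user")
    now[0] += CODE_TTL_SECONDS + 1
    out.append(v.verify("test.user", third))
    return out  # superseded code, accepted code, replayed code, expired code
```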
Login Expiration Issues:
- Unexpected logouts: Check if expiration period was recently shortened
Support Considerations
User Communication:
- Send advance notice before enabling two-factor authentication
- Provide clear instructions for the new authentication process
- Create documentation for common user questions
- Train support staff on security setting changes
Changes to security settings affect all users for new login sessions. Communicate changes to users in advance.