Security is at the heart of Nervepoint Access Manager, not only does it provide a plethora authentication modules it also has a number of other security related features throughout the application. This article brings together the key security options to help you keep your end users and business secure.
Multi-factor Authentication
Authentication allows users to access the system, on installation the default authentication factor used throughout the application is Questions and Answer authentication. This can be enhanced by either replacing this across one or all functions or extend this to use multi-factor authentication using Nervepoint Access Managers simple visual authentication flow editor. For more information refer to the Authentication Basics article.
Security Configuration
The Security tab is located under Configuration tab and holds some key security configuration items that are well worth a look.
From here you can configure the following security settings in the three sections:
- Admin Password: the admin credentials used for Nervepoint Access Manager which should be regularly changed
- Unlock account when locked: When a user attempts to login with a username that has already been locked they will automatically be directed to the Account Unlock page
- Update account before unlock: When enabled, the account will be updated prior to being unlocked ensuring that fresh details are being used
- Set Change Password At Next Login: When enabled any passwords that are reset will be temporary and must be changed the next time that the user logs in
- Unlock account on password reset: When enabled Access Manager will attempt to unlock the user's account as part of the Password Reset process
- Update account before reset: When enabled the user accounts will be updated before password ensuring that fresh details are used
- Multiple Password Change mode: Sets the behaviour of Password Reset and Account Unlock options when handling linked accounts, Automatic allows users to choose if the action is occur on all linked accounts one a specific one, Always forces all linked accounts to always be updated, Never forces the user to always choose one specific account
- Default password for Administrative reset: Sets the default password that will be used when the Access Manager admin performs a Password Reset for a user account
- Allow Password Change In User Portal: Enabled by default. If you wish for the "Change Password" option to not be displayed in the user portal, so thereby not allow users to use the "Change Password" feature, simply uncheck.
- Number of failed attempts before disable: this sets how many times a user can incorrectly attempt to access their account before being locked out. This works across all self service actions and the user is presented with a generic error.
- Failed attempt time to live: this is the duration a user must wait before the system will accept any further authentication attempts from the user
- Session timeout: this defines the session time for an inactive user. For example if an admin or user does not use the application, despite being logged in, for more than 600 seconds the system will automatically log them out. Decrease this value if you want to logout inactive users quicker.
- Secret encryption mode: all answers for all authentication factors are one-way encrypted, this can be changed to two-way but becomes insecure. Two-way encryption is useful if you wish your end users to see their answers whenever they log into their My Account page by enabling the Show the Answers on Screen checkbox. This might make things more user-friendly but is recommended you do not change this and leave it as One-way hashes.
SSL Configuration
The SSL tab under Configuration enables the configuration of certificates and ciphers used by Nervepoint Access Manager. By default Nervepoint Access Manager uses nothing less than 128bit certificates or ciphers.
From this page you can:
- Administer the SSL Certificate that will be used
- Disable the insecure SSLv2 cipher. SSLv2Hello is used for compatibility issues with some browsers.
- Add or remove the list of ciphers
Secure Remote Access
From the Remote Access tab remote access can be configured for both mobile and desktop. In the simplest form you can allow all networks to connect however this should only be used in a testing state, once in production it is highly recommended remote access is restricted.
The image above shows the Remote Access configuration page. From here you can use the API Allowed Networks option to enter an IP range to limit mobile access, it is recommended that only the range of internal network designated for desktop integration is entered here. For more information on configuring the desktop MSI component refer to the following, for Windows Vista and above, or Mac OS X.
Mobile Access
Access Manager mobile access is now provided by a mobile interface and platform specific applications. The iPhone app can also be configured from the same page by expanding the iPhone Access at the bottom of the page.
The security settings that can be configured are:
- Require email address: an email will be sent to connecting users at the time of registration. The email is taken from Nervepoint Access Manager, read in from your AD.
- Allowed Email Domains: you may have more than one email domain in which case you should list the allowed domains in the list box to the right. Any email with a domain outside of this list cannot register their mobile app.
Disabling Self Service Options
In addition to disabling the administration portal access link from the web-portal as described earlier in the article Nervepoint Access Manager allows an administrator to remove any self service option from the web, mobile or desktop front-end from the Setup tab under Authentication.
This provides the admin an even finer level of control over what the end user can see and do. Much like authentication configuration this works across any front-end, web, desktop or mobile independently. Simply un-check the self service option you do not wish end users to perform such as Account Unlock. This will instantly disappear from the highlighted front-end.
This article has highlighted a number of ways in which you can further enhance the security of you Nervepoint Access Manager install and your business.
