13.21 Login Options

In this policy, you can configure default repositories and control whether the login page discloses whether a username is valid, which attackers could otherwise exploit to enumerate accounts.

This policy allows you to configure the following settings:

  • Default repository: You can add repositories that are used as default repositories. Therefore, while logging in, you need not prefix the repository name before the username for authentication.

    For example, if pjones is a member of the company repository, then while logging in, instead of specifying company\pjones, you can specify only pjones.

    To add a repository as default, move the repository from Available to Default and click Save.

  • Username disclosure: This option is set to OFF by default. It is recommended to keep the default setting to prevent security vulnerabilities and to make it difficult for attackers to guess valid usernames.

    If you set Username disclosure to ON and a user specifies an invalid username on the Advanced Authentication login page, the error message User not found is displayed. When the user specifies a valid username, the associated chain details are prompted, which confirms that the specified username exists and thereby discloses a valid username. This is a security vulnerability because it makes it easy for attackers to guess valid usernames.

    When this option is set to OFF, chain details are displayed instead of an error message even though a user specifies an invalid username on the login page. The user can select a preferred authentication method. If the input data specific to the selected method is incorrect, the generic message Invalid credentials is displayed. This does not disclose whether the username or the first-factor authentication is incorrect.

    For example, a user specifies an invalid username and selects the SMS OTP method from the authentication chain. In this case, the SMS with the OTP is not sent to the user. If the user then enters a random 6-digit value as the OTP, the server displays the error message Incorrect OTP password. This response makes the invalid username appear valid to the user, because the outcome is the same as for a valid username with a wrong OTP.
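    The two behaviours described above, as an added example that is not the product's code: a minimal model of the username step, the first-factor step and the OTP step, where the user pjones, the chain, the password and the OTP are constructed values, and the chain shown for unknown users when disclosure is OFF is assumed to be the default chain.

```python
# Constructed sample repository (not real data): username -> chain, password, current OTP.
USERS = {
    "pjones": {"chain": ["LDAP Password", "SMS OTP"], "password": "s3cret!", "otp": "482913"},
}
# Assumption: with Username disclosure OFF, an unknown user is shown this chain so that
# the response is indistinguishable from the one a valid user gets.
DEFAULT_CHAIN = ["LDAP Password", "SMS OTP"]


def username_step(username: str, disclosure_on: bool) -> dict:
    """What the login page returns after the user enters a username."""
    if username in USERS:
        return {"status": "chains", "chains": USERS[username]["chain"]}
    if disclosure_on:
        # ON: the page reveals that the username does not exist (enumeration oracle).
        return {"status": "error", "message": "User not found"}
    # OFF: chain details are shown regardless, so valid and invalid usernames look alike.
    return {"status": "chains", "chains": DEFAULT_CHAIN}


def first_factor_step(username: str, password: str) -> dict:
    """Password / LDAP Password check with a generic failure message (disclosure OFF)."""
    if username in USERS and USERS[username]["password"] == password:
        return {"status": "ok"}
    return {"status": "error", "message": "Invalid credentials"}


def otp_step(username: str, otp: str) -> dict:
    """SMS OTP check: the SMS is only ever sent to a valid user, but the failure
    message is identical for an unknown user and for a wrong OTP."""
    sms_sent = username in USERS
    if sms_sent and USERS[username]["otp"] == otp:
        return {"status": "ok"}
    return {"status": "error", "message": "Incorrect OTP password"}


def responses_distinguish_usernames(disclosure_on: bool) -> bool:
    """True if a valid and an invalid username produce different first-step responses."""
    return username_step("pjones", disclosure_on) != username_step("nobody", disclosure_on)


if __name__ == "__main__":
    print("disclosure ON  distinguishes usernames:", responses_distinguish_usernames(True))
    print("disclosure OFF distinguishes usernames:", responses_distinguish_usernames(False))
    print(otp_step("nobody", "123456"))
```

Running the block shows that with the option OFF neither the chain step nor the OTP error tells a valid username apart from an invalid one, which is the property the recommended default relies on.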

  • LDAP caching: This option allows you to enable or disable the caching of a user’s information on the Advanced Authentication server. This information can be the lockout status of users, whether users have been disabled, or about the expiry of a user's password.

    By default, the option is set to OFF. This indicates that the Advanced Authentication server communicates with the LDAP server each time it checks a user's information. You can enable the option to allow the caching of a user's information. Enabling the option increases performance and caches the user's information for 5 minutes. However, it may also lead to security vulnerabilities, because a change such as a lockout or a disabled account is not seen until the cache expires. Therefore, it is recommended to set the option to OFF.

  • Email as login name: This option enables the user to use Email address as the login name.

    By default, the option is set to OFF. Once you set this option to ON, the user can authenticate by specifying the user's Email address as the login name without specifying the tenant or repository name. When the user specifies the Email address, the Email attribute in the repository is matched against the domains configured for the tenant to identify the tenant.

  • Login domains: You can specify domain names in this field so that Advanced Authentication allows users of the specified domains to log in with their email address when the Email as login name option is enabled.

    NOTE: The Email as login name and Login domains options are available when you enable the Multitenancy Options policy.

  • Logon timeout (seconds): You can set the maximum duration of the logon session in this field. If a user fails to specify the login credentials within the specified duration, the session gets terminated. This value applies to all web-based authentication sessions. By default, the value is set to 900 (15 minutes).

    NOTE: The Logon timeout (seconds) and Logon inactivity timeout (seconds) options are supported only in the Advanced Authentication as a Service (SaaS) model. In the on-premises model of Advanced Authentication, these options will be available in the upcoming 6.3 Service Pack 7 release.

    For example, a user must specify LDAP Password and SMS OTP to authenticate to a web application. The Logon timeout is set to 180 seconds (3 minutes).

    The user action and equivalent outcome are as follows:

    • A user specifies the LDAP Password and waits for SMS OTP. Later, the user enters the OTP within 2 minutes. The authentication is successful.

    • A user specifies the LDAP Password and waits for SMS OTP. Later, the user enters the OTP after 3 minutes. The authentication fails.

  • Logon inactivity timeout (seconds): You can set the maximum inactivity timeout of the logon session in this field. If there is no action from the user within the specified duration, the session gets terminated. This value applies to all web-based authentication sessions. By default, the value is set to 300 (5 minutes).

    NOTE: While authenticating with the Password and LDAP Password methods, the user can enter the password within the Logon timeout duration. The Logon inactivity timeout does not apply to these methods.

    For example, a user must specify LDAP Password and Smartphone to authenticate to a web application. The Logon inactivity timeout is set to 30 seconds.

    The user action and equivalent outcome are as follows:

    • A user specifies the LDAP Password and waits for the push notification on the smartphone. The user performs an action at least every 30 seconds and then accepts the push notification within the Logon timeout duration. The authentication is successful.

    • A user specifies the LDAP Password and waits for the push notification on the smartphone. There is no action within the 30-second interval and the user accepts the push notification at the 31st second. The authentication fails.
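    The two timeouts and the four scenarios above, as an added example that is not the product's code: a model of one web-based logon session that enforces the Logon timeout from the start of the session, enforces the Logon inactivity timeout between user actions, and exempts the Password and LDAP Password methods from the inactivity timeout as the note states. The timestamps and the "Smartphone" keep-alive actions are constructed; the timeout values are those used in the page's examples and defaults.

```python
from dataclasses import dataclass

# Methods the note exempts from the inactivity timeout.
INACTIVITY_EXEMPT = ("Password", "LDAP Password")


@dataclass
class LogonSession:
    """One web-based authentication session; all times are seconds since session start."""
    logon_timeout: int = 900        # page default: 900 s (15 min)
    inactivity_timeout: int = 300   # page default: 300 s (5 min)
    last_activity: float = 0.0
    terminated: bool = False

    def submit(self, now: float, method: str) -> bool:
        """Record a user action (submitted factor, accepted push, keystroke) for `method`.
        Returns False and terminates the session if either timeout has been exceeded."""
        if self.terminated:
            return False
        if now > self.logon_timeout:                      # maximum session duration
            self.terminated = True
            return False
        idle = now - self.last_activity
        if method not in INACTIVITY_EXEMPT and idle > self.inactivity_timeout:
            self.terminated = True                        # no action within the window
            return False
        self.last_activity = now
        return True


def scenario_logon_timeout(otp_entered_at: int) -> bool:
    """LDAP Password + SMS OTP chain with Logon timeout = 180 s (page example)."""
    session = LogonSession(logon_timeout=180)
    session.submit(0, "LDAP Password")
    return session.submit(otp_entered_at, "SMS OTP")


def scenario_inactivity(keepalive_every: int, accept_at: int) -> bool:
    """LDAP Password + Smartphone chain with Logon inactivity timeout = 30 s (page example).
    keepalive_every=0 means the user does nothing until accepting the push at accept_at."""
    session = LogonSession(inactivity_timeout=30)
    session.submit(0, "LDAP Password")
    if keepalive_every > 0:
        for t in range(keepalive_every, accept_at, keepalive_every):
            session.submit(t, "Smartphone")               # constructed keep-alive action
    return session.submit(accept_at, "Smartphone")


if __name__ == "__main__":
    print("OTP at 120 s:", scenario_logon_timeout(120), "| OTP at 200 s:", scenario_logon_timeout(200))
    print("push at 90 s with activity:", scenario_inactivity(30, 90), "| idle, push at 31 s:", scenario_inactivity(0, 31))
```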