
HelloID

Sign-on policies


Sign-on policies are global login policies for your HelloID environment.

To get started, go to Security > Policies > Sign On Policies, and configure the following options.

Lock User After Number Of Invalid Password Entries

Disable user accounts after too many incorrect password entries. This helps prevent brute-force attacks against accounts in your environment.

Lock User After Invalid Password Count

The number of incorrect entries before a user account is disabled, when Lock User After Number Of Invalid Password Entries is turned on.

Unlock User After Specified Amount Of Time

Automatically re-enable user accounts after a specified amount of time. When turned off, you must manually re-enable accounts (see Enable a user).

Lock Time (Minutes)

The duration in minutes until accounts are automatically re-enabled, when Unlock User After Specified Amount Of Time is turned on.

Change Password After Specified Amount Of Time

Force all users to change their password on a regular interval.

Change Password Time (Days)

The interval in days at which users must change their passwords, when Change Password After Specified Amount Of Time is turned on.

User Session Timeout (Minutes)

The number of minutes each user session lasts. Users must log in again after each interval.

Fixed Session Timeout Instead Of Sliding

When disabled, the User Session Timeout setting starts after the user's last click (monitored by cookies). When enabled, the session timeout starts immediately when the user logs in.
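
The difference between the two modes, as an added example that is not HelloID code: a simplified Python model in which `session_expiry`, its parameters and the sample timestamps are all assumptions made for illustration. It shows that a sliding session stays alive for as long as clicks keep arriving inside the timeout, while a fixed session ends a set time after login regardless of activity.

```python
from datetime import datetime, timedelta


def session_expiry(login, activity, timeout_minutes, fixed):
    """Return the moment a session ends under a simplified timeout model.

    login: datetime of sign-in.
    activity: datetimes of later user clicks, in any order.
    timeout_minutes: models User Session Timeout (Minutes).
    fixed: True models Fixed Session Timeout Instead Of Sliding enabled.
    """
    timeout = timedelta(minutes=timeout_minutes)
    expires = login + timeout
    if fixed:
        # Fixed: the clock starts at login and activity never extends it.
        return expires
    for click in sorted(activity):
        if click >= expires:
            # The session ended before this click; a new login is required.
            break
        # Sliding: each click inside the live session restarts the clock.
        expires = click + timeout
    return expires


def sample_results():
    # Constructed sample: login at 09:00, one click every 20 minutes until
    # 12:00, with an assumed timeout of 30 minutes.
    login = datetime(2024, 1, 8, 9, 0)
    clicks = [login + timedelta(minutes=20 * i) for i in range(1, 10)]
    return (
        session_expiry(login, clicks, 30, fixed=False),
        session_expiry(login, clicks, 30, fixed=True),
    )


if __name__ == "__main__":
    sliding_end, fixed_end = sample_results()
    print("sliding session ends:", sliding_end)
    print("fixed session ends:  ", fixed_end)
```

With the sample activity, the sliding session is still valid three hours after login, so the fixed mode is the one that puts a hard upper bound on how long a single login remains usable.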

Always Show Login Selector Page

Always show the IdP selection screen when users log in.

Enable QR Login

See Enable QR code login.

QR Login Allowed IP Addresses

Specify the IP address and/or IP ranges for which QR code login is allowed. If no IP addresses are entered, all IPs are allowed. Only has an effect when Enable QR Login is turned on.

Show QR Login On Login Selector Page

Show the QR login option on the IdP selection screen. Only has an effect when Enable QR Login is turned on.

Allow Self Service Enrollment For MFA Via E-mail

When enabled, and you have a portal access rule (see Portal access rules) configured with the 2FA fixed Use Private Email option, users can specify a custom email address for 2FA the first time they log in. This address is saved to a custom user attribute named privateEmail (see Custom user attributes). When disabled, users cannot specify a custom email address for 2FA and instead must use the email address specified in the Email field of their HelloID user object.

Warning

This feature is deprecated, and is for backwards compatibility only. We recommend using dynamic 2FA instead, which includes this functionality (and does not depend on this toggle). See Fixed vs. dynamic 2FA.

Enable Remember Me For End Users

Shows the Remember My Login On This Computer checkbox on the HelloID login screen, which will autofill the user's username when they log out and log in again. Note that this setting is separate from the Remember MFA setting.

Number Of Days The End User Is Remembered

The number of days that usernames are remembered, if Enable Remember Me For End Users is enabled.