Sign On Policies are global policies that allow you to manage the login security of your HelloID environment. You may configure settings such as how many invalid login attempts will lock out a user, or how long a session lasts before a user must log in again.
To configure your organization's HelloID Sign On Policies, navigate to Security > Policies > Sign on policies.
The following settings are available for configuration:
- Lock user after number of invalid password entries
Enable or disable the option to lock user accounts after a number of invalid password entries. This helps prevent brute-force attacks against accounts in your environment.
- Lock user after invalid password count
Specify how many invalid entries a user can make prior to being locked out.
- Unlock user after specified amount of time
Enable or disable the option to unlock a user account after a specified amount of time. If you disable this option, an administrator must manually unlock an account if it has been locked out.
- Lock time (minutes)
Specify the lock time in minutes. This is only applicable if you enable Unlock user after specified amount of time.
- Change password after specified amount of time
Enable or disable the option to force users to change their password after a specified amount of time.
- Change password time (days)
Specify the number of days after which a user must reset their password. This is only applicable if you enable Change password after specified amount of time.
- User session timeout (minutes)
Specify after how many minutes a user's logon session will expire. After the session expires, the user will need to log back in to your HelloID portal.
- Fixed session timeout instead of sliding
Normally, HelloID automatically times out users a set duration after the user's last click (monitored by cookies), so the timeout slides forward with each action. When this option is enabled, HelloID's automatic timeout instead occurs at a fixed interval (set in the User Session Timeout field) after the user's first action in the portal. For example, with a 30-minute session timeout, a user who logs in at 3:00pm is automatically logged out at 3:30pm.
- Always show login selector page
Enable or disable the selector page on the login screen.
- Enable QR-login
Enable or disable the option to log in with QR codes.
- QR-login allowed IP addresses
Specify the IP addresses from which users are allowed to log in with QR codes.
- Show QR-login on login selector page
Show the QR-login option on the selector page.
- Allow self service enrollment for MFA via e-mail
When this toggle is enabled and your two-factor Portal Access Rule is set to Use Private Email, users can specify a custom email address for 2FA the first time they log in. This address is saved to a custom user attribute named privateEmail. When this toggle is disabled, users must use the email address specified in the Email field of their HelloID user object for Use Private Email 2FA. NOTE: This feature is deprecated and for backwards compatibility only. Use the Let the user choose their MFA option for email 2FA instead, which includes this functionality (and does not depend on this toggle).
- Enable remember me for end users
Enables a "Remember my login on this computer" check box on the HelloID portal login page. This setting is independent from the Remember MFA setting in 2FA Management.
- Number of days the end user is remembered
Specifies the number of days the user stays logged in, if the above check box is enabled.
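
The difference between the sliding and fixed modes of "Fixed session timeout instead of sliding" can be checked with a small model. This is an added example, not HelloID code: the function name `session_end` and the timestamps are constructed for illustration, and the model assumes only the behaviour described above (sliding restarts the timer on each action, fixed counts from the first action).

```python
from datetime import datetime, timedelta

def session_end(actions, timeout_minutes, fixed):
    """Model one portal session (illustrative helper, not a HelloID API).

    actions: chronologically sorted datetimes; actions[0] is the user's
             first action in the portal.
    Returns (expiry, rejected), where rejected lists the actions that
    arrive after the session has expired and would need a new login.
    """
    if not actions:
        raise ValueError("need at least one action")
    timeout = timedelta(minutes=timeout_minutes)
    expiry = actions[0] + timeout
    rejected = []
    for t in actions[1:]:
        if t >= expiry:
            rejected.append(t)        # session already over, login required
        elif not fixed:
            expiry = t + timeout      # sliding: each action restarts the timer
        # fixed: expiry stays at first action + timeout
    return expiry, rejected

# Constructed sample: login at 3:00pm, then a click every 20-25 minutes.
DAY = datetime(2024, 1, 15)
ACTIONS = [DAY.replace(hour=15, minute=0),
           DAY.replace(hour=15, minute=20),
           DAY.replace(hour=15, minute=45),
           DAY.replace(hour=16, minute=10)]

if __name__ == "__main__":
    for fixed in (False, True):
        expiry, rejected = session_end(ACTIONS, 30, fixed)
        mode = "fixed" if fixed else "sliding"
        print(f"{mode:8s} expires {expiry:%H:%M}, "
              f"actions needing re-login: {[f'{t:%H:%M}' for t in rejected]}")
```

With the sliding default, a session with steady activity has no upper bound on its lifetime; the fixed mode caps it at the configured timeout regardless of activity.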