Security settings
Where to find the settings
Security settings apply to your tenant and control how users sign in and what rules apply to passwords.
Navigation in the portal: Configuration → Global → Tenant Configuration → Security settings
The overview is split into three subsections: Password policy, 2-factor authentication (2FA), and Brute-force detection. Use the edit action to open Edit security settings. Save your changes in the dialog; after a successful save you will see a confirmation.
Note: Only users who are allowed to manage tenant settings (tenant management write permission) can change security settings.
Password policy
Here you define how strong passwords must be and how often they must be changed.
| Topic | What it means in practice |
|---|---|
| Password expiration in days | After this many days, users must set a new password. |
| Password length | Minimum number of characters for a valid password. The portal enforces a minimum length of 12 characters. |
| Special characters / digits / upper and lower case | Minimum count of each character type in the password, so passwords cannot be too simple. |
| Password history | Number of recent passwords that may not be reused. This reduces recycling of old passwords. |
These rules apply tenant-wide to portal sign-ins with a local password; they do not apply to users who sign in through SSO.
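The rules in the table can be expressed as a validator. The following Python is an added example, not the portal's own code: it checks a candidate password against the minimum length (12), the per-type character minimums and a password history kept as salted hashes, and tells you whether a password has passed its expiration period. The field names, the PBKDF2 hashing and the (salt, digest) layout of the history are assumptions for illustration.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    """Tenant-wide rules, one field per row of the Password policy table (field names assumed)."""
    expiration_days: int = 90
    min_length: int = 12        # the portal does not accept anything below 12
    min_special: int = 1
    min_digits: int = 1
    min_upper: int = 1
    min_lower: int = 1
    history_size: int = 5       # recent passwords that may not be reused

    def __post_init__(self):
        if self.min_length < 12:
            raise ValueError("the portal enforces a minimum password length of 12")


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest, used for storage and for the history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def new_history_entry(password):
    """Return the (salt, digest) pair to store when a user sets this password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_password(policy, candidate, history=()):
    """Return the list of violated rules; an empty list means the password is acceptable.

    `history` holds (salt, digest) pairs for recent passwords, newest first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    counts = {
        "special characters": sum(c in string.punctuation for c in candidate),
        "digits": sum(c.isdigit() for c in candidate),
        "upper-case letters": sum(c.isupper() for c in candidate),
        "lower-case letters": sum(c.islower() for c in candidate),
    }
    minimums = (policy.min_special, policy.min_digits, policy.min_upper, policy.min_lower)
    for (kind, have), need in zip(counts.items(), minimums):
        if have < need:
            problems.append(f"too few {kind} (need {need})")
    # Only the most recent `history_size` entries count; digests are compared in constant time.
    for salt, digest in list(history)[:policy.history_size]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("password was used recently")
            break
    return problems


def password_expired(policy, set_on, today=None):
    """True once the password is at least `expiration_days` old and must be changed."""
    today = today or date.today()
    return today - set_on >= timedelta(days=policy.expiration_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password(policy, "Tr0ub4dor&3"))
    stored = [new_history_entry("CorrectHorse9!Battery")]
    print(check_password(policy, "CorrectHorse9!Battery", stored))
```

The history check hashes the candidate with each stored salt rather than storing old passwords in clear, so the history list itself leaks nothing if the tenant database is exposed.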
2-Factor Authentication (2FA)
You can enable or disable two-step sign-in for your tenant.
- Enabled: Users must use a second factor (for example an authenticator app) in addition to their password.
- Disabled: this setting does not make a second factor mandatory for the tenant.
Brute force detection
Brute force detection reduces risk from automated or repeated sign-in attempts with wrong credentials. You configure when the system reacts and how (for example wait time or lockout).
Brute force mode
| Topic | What it means in practice |
|---|---|
| Disabled | No tenant-specific brute-force behaviour from this configuration. |
| Temporary lockout | After a defined number of failed sign-ins, a time-limited lockout or wait applies. Users can sign in again after the period ends. |
| Permanent lockout | After the configured number of failures, access is locked until it is cleared again. |
| Permanent after temporary lockout | Temporary lockouts apply first. If a user exceeds the limit of temporary lockouts you set, the account moves to permanent lockout. |
Further parameters (shown depending on mode)
| Topic | What it means in practice |
|---|---|
| Failure factor | How many failed sign-in attempts trigger the protection. |
| Brute force strategy | Temporary lockout and hybrid mode only: how the wait grows with further failures, for example linear (the wait grows by a fixed step) or multiple (the wait grows faster with each step). |
| Wait increment / Max failure wait / Max delta time | Control how long users wait and the time window in which failed attempts are counted together. Business rule: the maximum delta time (the window after which the failure count resets) must be greater than the maximum wait after failure, so the count cannot reset while a lockout is still running. Otherwise the configuration cannot be saved. |
| Quick login check milliseconds | Extra protection against very rapid repeated attempts (typical of automated guessing): two failures closer together than this threshold are treated as an attack even before the failure factor is reached. |
Which fields appear in the edit dialog depends on the selected mode (for example, pure permanent lockout hides strategy and some wait-time fields).
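The lockout modes and parameters above can be modelled as a small per-account state machine. The following Python is an added example, not the portal's implementation: it encodes the business rule (max delta time must exceed max failure wait) as a validation step, computes the wait for the linear and multiple strategies, and walks one account through failed sign-ins under each mode. The exact growth formulas, the name max_temporary_lockouts for the hybrid-mode limit, and the wait imposed by the quick login check are assumptions; the product's real timings may differ.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DISABLED = "disabled"
    TEMPORARY = "temporary lockout"
    PERMANENT = "permanent lockout"
    PERMANENT_AFTER_TEMPORARY = "permanent after temporary lockout"


@dataclass
class BruteForceSettings:
    mode: Mode
    failure_factor: int = 5           # failed attempts that trigger the protection
    strategy: str = "linear"          # "linear" or "multiple" (temporary/hybrid modes only)
    wait_increment_s: int = 60
    max_failure_wait_s: int = 900
    max_delta_time_s: int = 43200     # window in which failures are counted together
    max_temporary_lockouts: int = 3   # hybrid mode: temporary lockouts before permanent (name assumed)
    quick_login_check_ms: int = 1000  # two failures closer than this are treated as automated


def validate(s):
    """The page's business rule: the failure-reset window must exceed the maximum wait."""
    if s.mode is Mode.DISABLED:
        return []
    errors = []
    if s.max_delta_time_s <= s.max_failure_wait_s:
        errors.append("max delta time must be greater than max failure wait")
    if s.failure_factor < 1 or s.wait_increment_s < 1:
        errors.append("failure factor and wait increment must be positive")
    return errors


def wait_after(s, failures):
    """Seconds of lockout after `failures` counted failures. Growth formulas are an
    assumption for illustration: every block of failure_factor failures is one step."""
    steps = failures // s.failure_factor
    if steps == 0:
        return 0
    if s.strategy == "linear":
        wait = s.wait_increment_s * steps
    else:  # "multiple": the wait doubles with every step
        wait = s.wait_increment_s * 2 ** (steps - 1)
    return min(wait, s.max_failure_wait_s)


class AccountTracker:
    """Applies the configured mode to one account's stream of sign-in attempts."""

    def __init__(self, s):
        self.s = s
        self.failures = 0
        self.last_failure_t = None
        self.temporary_lockouts = 0
        self.locked_until = 0.0
        self.permanently_locked = False

    def attempt(self, t, credentials_ok):
        """Return 'ok', 'rejected' (wrong credentials) or 'locked' (refused without checking)."""
        if self.s.mode is Mode.DISABLED:
            return "ok" if credentials_ok else "rejected"
        if self.permanently_locked or t < self.locked_until:
            return "locked"
        # Failures older than the max delta time no longer count together.
        if self.last_failure_t is not None and t - self.last_failure_t > self.s.max_delta_time_s:
            self.failures = 0
        if credentials_ok:
            self.failures = 0
            return "ok"
        rapid = (self.last_failure_t is not None
                 and (t - self.last_failure_t) * 1000 < self.s.quick_login_check_ms)
        self.failures += 1
        self.last_failure_t = t
        if self.failures >= self.s.failure_factor:
            self._lock(t)
        elif rapid:
            # Quick login check: one wait increment immediately, before the factor is reached (assumed).
            self.locked_until = t + self.s.wait_increment_s
        return "rejected"

    def _lock(self, t):
        if self.s.mode is Mode.PERMANENT:
            self.permanently_locked = True
            return
        self.locked_until = t + wait_after(self.s, self.failures)
        self.temporary_lockouts += 1
        if (self.s.mode is Mode.PERMANENT_AFTER_TEMPORARY
                and self.temporary_lockouts > self.s.max_temporary_lockouts):
            self.permanently_locked = True
```

Running validate() before saving reproduces the dialog's refusal for an inconsistent configuration; the tracker shows why that rule matters, since a window shorter than the longest wait would let the count reset mid-lockout and the escalation would never build up.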