Logon and password security and time out

The logon settings allow the System Administrator to manage the number of logon attempts allowed, the time-out settings for user sessions, password complexity, password expiration time, password reset options and multi-factor authentication.

The password settings only apply to locally managed users and not to domain users synchronized with Active Directory. Domain user policies are defined by the Active Directory security policy set by your organization's IT group.

If local users (not domain users) forget their username or password, you can configure the Web Client login page or FDA login window to include links to recover their user ID and/or reset their password. A user who has forgotten their user ID is asked to enter their email address, and an email containing the user ID is sent to them. A user who has forgotten their password and wants to reset it is prompted to enter their email address and is sent a time-sensitive link that they must use to reset the password. Once the link is clicked, the user is prompted to reset their password in the Web Client. If the time limit on the email expires, the user will need to resend the password reset request from the login page.

SmartSoft Capture is the scanning application included with every FileHold system. A license for a single copy of Capture allows for use by any number of users. There is no restriction to the number of workstations Capture can be installed on, but the concurrent use of Capture cannot exceed the total number of single copies purchased by the customer. For example, if the customer purchases 5 copies of Capture and installs the software on 20 workstations, 5 users can simultaneously run Capture. If a 6th person attempts to run Capture, they will be told they are not licensed. A timeout value can also be set for Capture licenses. The inactivity timer can be set to automatically log off users and free the Capture license for another user.

To set the logon and password security settings

  1. In the Web Client, go to Administration Panel > System Configuration > Security > Logon.
  2. Enter the number of logon attempts allowed. The default number is 10. The user will be locked out of the system and their account disabled after the number of login attempts has been exceeded. The system administrator will receive an email stating that the user account has been disabled due to the exceeded number of login attempts.

If a user exceeds the number of login attempts, the user account is disabled and an email alert is sent to all system administrators. The system administrator will need to enable the account in the Users area and if the user is a local user, reset their password.

Special care should be taken with the system administrator user, as the last or only system administrator in the system will not be automatically disabled by repeated login attempts. Best practice is to disable the well-known sysadm user after the initial setup of the system and create a new system administration user without a well-known user ID. Use a strong password and enable multi-factor authentication where possible for any user with system administration permissions.
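The lockout behaviour described above (disable the account once the allowed number of logon attempts is exceeded, alert the system administrators, never auto-disable the last enabled system administrator) is easy to get subtly wrong, so here is an illustrative implementation of the rules as an added example. It is not FileHold's own code; the class and function names are invented, and the alert list stands in for the email sent to administrators.

```python
"""Illustrative failed-logon lockout logic (added example, not FileHold code).
Rules modelled from the documentation: an account is disabled once the allowed
number of logon attempts is exceeded, system administrators are alerted, and
the last enabled system administrator is never disabled automatically."""

from dataclasses import dataclass, field

DEFAULT_MAX_ATTEMPTS = 10  # the documented default


@dataclass
class Account:
    user_id: str
    is_sysadmin: bool = False
    enabled: bool = True
    failed_attempts: int = 0


@dataclass
class LogonGuard:
    max_attempts: int = DEFAULT_MAX_ATTEMPTS
    accounts: dict = field(default_factory=dict)
    admin_alerts: list = field(default_factory=list)  # stands in for the alert email

    def add(self, account: Account) -> None:
        self.accounts[account.user_id] = account

    def _is_last_enabled_sysadmin(self, account: Account) -> bool:
        enabled_admins = [a for a in self.accounts.values() if a.is_sysadmin and a.enabled]
        return len(enabled_admins) == 1 and enabled_admins[0] is account

    def record_failure(self, user_id: str) -> str:
        """Count one failed logon and return the resulting account state."""
        account = self.accounts[user_id]
        if not account.enabled:
            return "disabled"
        account.failed_attempts += 1
        if account.failed_attempts <= self.max_attempts:
            return "active"
        # Limit exceeded: disable, unless that would lock out the last administrator.
        # This exemption is why the last admin needs a strong password and MFA.
        if self._is_last_enabled_sysadmin(account):
            return "active"
        account.enabled = False
        self.admin_alerts.append(f"Account {user_id} disabled: logon attempt limit exceeded")
        return "disabled"

    def record_success(self, user_id: str) -> bool:
        """A successful logon on an enabled account resets the counter."""
        account = self.accounts[user_id]
        if not account.enabled:
            return False
        account.failed_attempts = 0
        return True

    def admin_enable(self, user_id: str) -> None:
        """What the system administrator does in the Users area to restore access."""
        account = self.accounts[user_id]
        account.enabled = True
        account.failed_attempts = 0


def demo() -> dict:
    """Constructed scenario with a small limit so the run is short."""
    guard = LogonGuard(max_attempts=3)
    guard.add(Account("alice"))
    guard.add(Account("sysadm", is_sysadmin=True))
    alice_states = [guard.record_failure("alice") for _ in range(4)]
    sysadm_states = [guard.record_failure("sysadm") for _ in range(4)]
    locked = not guard.record_success("alice")
    guard.admin_enable("alice")
    return {
        "alice_states": alice_states,
        "sysadm_states": sysadm_states,
        "alerts": len(guard.admin_alerts),
        "alice_locked_before_enable": locked,
        "alice_ok_after_enable": guard.record_success("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the counter is reset only by a successful logon or by an administrator re-enabling the account, so a locked account stays locked until someone with administration permissions acts, which matches the recovery procedure described in the step above.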

  3. Enter the amount of time in minutes after which the system automatically closes sessions for inactive users. This is the amount of time that the session is idle and not in use. Closing idle sessions frees up concurrent sessions for other users. A user is considered active whenever they perform a function that accesses the server. This setting applies equally to desktop and web client users; however, desktop users may be able to set a connection option that prevents them from becoming inactive as long as they are connected to the network. The time limit can be set to 0 to 9999 minutes, with a default of 30 minutes.

There is an additional timeout for web client users to conserve memory. By default, after 15 minutes, the web client state is purged from the server. The user receives a message that they were timed out, but they can return to their session by clicking the supplied link. They will not be required to log in unless they have exceeded the inactivity time. The default value of this timeout can be changed on the server in the web client web.config file. The value to edit is ViewStateCacheLifetime, found in the <appSettings> section. Because the view state cache uses memory on the server, increasing the value may increase server memory usage.
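The inactivity timeout for concurrent sessions and the Capture licence timeout described earlier are the same mechanism: a fixed number of concurrent slots, each freed when its holder has been idle for longer than the configured limit. The following added example models that behaviour (it is not FileHold's code; the names are invented, the clock is passed in as a minute counter so it runs offline, and treating a limit of 0 as "never expire" is this example's assumption, since the page only states the 0 to 9999 range).

```python
"""Illustrative concurrent-slot pool with an inactivity timeout (added example,
not FileHold code). Models both limits from the documentation: concurrent
sessions freed after the idle timeout, and SmartSoft Capture licences, of which
only as many as were purchased may be in use at once no matter how many
workstations have Capture installed."""

from dataclasses import dataclass, field

DEFAULT_IDLE_MINUTES = 30  # the documented default for both timeouts


@dataclass
class ConcurrentPool:
    capacity: int                     # e.g. 5 purchased Capture licences
    idle_minutes: int = DEFAULT_IDLE_MINUTES
    active: dict = field(default_factory=dict)  # user -> minute of last server access

    def _expire(self, now: int) -> list:
        """Release every slot whose holder has been idle for the full limit.
        Assumption for this example: a limit of 0 disables automatic expiry."""
        if self.idle_minutes == 0:
            return []
        expired = [u for u, last in self.active.items() if now - last >= self.idle_minutes]
        for u in expired:
            del self.active[u]
        return expired

    def acquire(self, user: str, now: int) -> bool:
        """Grant a slot if one is free after idle holders have been expired."""
        self._expire(now)
        if user in self.active:
            self.active[user] = now   # already holding a slot: just refresh activity
            return True
        if len(self.active) >= self.capacity:
            return False              # "not licensed" / no free concurrent session
        self.active[user] = now
        return True

    def touch(self, user: str, now: int) -> bool:
        """Any function that accesses the server counts as activity."""
        if user not in self.active:
            return False
        self.active[user] = now
        return True

    def release(self, user: str) -> None:
        """Explicit logoff frees the slot immediately."""
        self.active.pop(user, None)


def capture_licence_demo() -> dict:
    """Constructed scenario from the page: 5 purchased copies on 20 workstations.
    The 6th concurrent user is refused until someone logs off or idles out."""
    pool = ConcurrentPool(capacity=5, idle_minutes=30)
    first_five = [pool.acquire(f"ws{n}", now=0) for n in range(1, 6)]
    sixth_at_start = pool.acquire("ws6", now=1)
    pool.touch("ws1", now=20)                          # ws1 keeps working; the rest go idle
    sixth_after_timeout = pool.acquire("ws6", now=31)  # ws2..ws5 idle for 31 min >= 30
    return {
        "first_five": all(first_five),
        "sixth_at_start": sixth_at_start,
        "sixth_after_timeout": sixth_after_timeout,
        "active_after": sorted(pool.active),
    }


if __name__ == "__main__":
    print(capture_licence_demo())
```

The desktop client option mentioned above that keeps a connected user "active" corresponds to calling `touch` periodically, which is why enabling it means idle desktop sessions never release their slot.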

  4. In the Expire Capture licenses after field, enter the amount of time, in minutes, after which the system automatically logs an inactive user out of SmartSoft Capture. This is the amount of time that Capture is idle and not in use. Logging the user out frees up a concurrent Capture license for another user. The time limit can be set to 0 to 9999 minutes, with a default of 30 minutes.
  5. To set up multi-factor authentication, click Configure. Multi-factor authentication confirms the identity of users on devices before they connect to FileHold. See Configuring multi-factor authentication for more information on how to configure this feature.
  6. In the Password Settings for Locally Managed Users area, enter the minimum number of characters for the password. This applies only to locally managed users. The default is 5 characters.
  7. Select one or more of the following options. These options apply only to locally managed users. They do not have any effect on existing passwords; only newly created or reset passwords are affected.
  • Minimum length of a password. The largest minimum length is 99 characters, but values greater than 20 do not increase overall security in most typical implementations.
  • Must contain a number
  • Must contain a special character
  • Must contain at least one upper case letter
  • Must contain at least one lower case letter
  • Allow password re-use
  8. Enter the number of days until the password expires. Enter 0 if the password is not to expire. This applies only to locally managed users.

The global setting for password expiry will override values set for a specific user where the global setting is shorter than the user setting.
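As an added example of the password options listed above (minimum length capped at 99, the four character-class requirements, the re-use option, and expiry with the global-overrides-user rule), here is an illustrative policy checker. It is not FileHold's own code: the names, the salted PBKDF2 hashing used for the password history, and the reading of 0 as "never expires" on both the global and the per-user side are this example's choices.

```python
"""Illustrative password policy for locally managed users (added example, not
FileHold code). Implements the settings described in the documentation and
checks re-use against a history of salted hashes rather than plaintext."""

import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Optional

MAX_MIN_LENGTH = 99  # largest minimum length the settings page accepts


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the scheme is this example's choice."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class PasswordPolicy:
    min_length: int = 5            # the documented default
    require_number: bool = False
    require_special: bool = False
    require_upper: bool = False
    require_lower: bool = False
    allow_reuse: bool = True
    expiry_days: int = 0           # 0 = password never expires

    def __post_init__(self) -> None:
        # Clamp to the range the settings page allows.
        self.min_length = max(0, min(self.min_length, MAX_MIN_LENGTH))

    def violations(self, password: str, history: tuple = ()) -> list:
        """Return the rules the candidate password breaks (empty list = accepted).
        `history` holds hashes of the user's previous passwords."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_number and not any(c.isdigit() for c in password):
            problems.append("must contain a number")
        if self.require_special and not any(c in string.punctuation for c in password):
            problems.append("must contain a special character")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("must contain at least one upper case letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("must contain at least one lower case letter")
        if not self.allow_reuse and any(verify(password, h) for h in history):
            problems.append("password re-use is not allowed")
        return problems


def effective_expiry_days(global_days: int, user_days: int) -> int:
    """The global expiry overrides a per-user value whenever the global value is
    shorter. Assumption for this example: 0 means 'never expires' on either side,
    so a per-user 0 is overridden by any non-zero global value."""
    if global_days == 0:
        return user_days
    if user_days == 0:
        return global_days
    return min(global_days, user_days)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, require_number=True, require_special=True,
                            require_upper=True, require_lower=True, allow_reuse=False)
    old = hash_password("Str0ng!pass")
    print(policy.violations("abc"))
    print(policy.violations("Str0ng!pass", history=(old,)))
    print(effective_expiry_days(90, 180))
```

Because the options apply only to newly created or reset passwords, a checker like this runs at password-change time; existing passwords are not re-validated, which is why tightening the policy does not by itself force users onto stronger passwords until their next reset or expiry.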

  9. In the Password reset options area, in the Administrator password reset verification email expires after field, enter the number of hours for which the verification email that a system administrator sends from the Users area (to let a user set a password) remains valid. If the user does not use the link in the verification email within this time period, the link expires. The minimum is 1 hour; the maximum is 999 hours.
  10. Select the Allow users to request a forgotten user ID with only an email address check box to allow users to request their user ID by clicking a link on the Web Client login screen. If this option is not enabled, the “I forgot my user ID” link is not available.
  11. Select the Allow users to reset a forgotten password check box to allow users to set a new password by clicking a link on the Web Client login screen. If this option is not enabled, the “I forgot my password” link is not available.
  12. In the User password reset verification email expires after field, enter the number of minutes after which the verification email sent to a user requesting a password reset expires. If the user does not use the link in the verification email within this time period, the link expires and the user will need to request the password reset again. The minimum is 5 minutes; the maximum is 9999 minutes.
  13. In the Friendly system name field, enter the partial subject line for the email sent to users when resetting a password. For example, the email subject is <Friendly system name> forgotten password reset, where <Friendly system name> could be “Your Company Name Inc”.
  14. In the Info email address field, enter the contact email address for the person providing assistance if the user is experiencing issues with resetting a password. This email address is included in the email sent to a user requesting a forgotten password. For example: “Please do not reply to this email. It is an unmonitored email address and your message will not be received. If you have any questions, please contact us at [email protected].”
[Image: Reset password email notification example]
  15. The Force users to verify their identity with their mobile phone option is deprecated starting from version 17.1. The SMS plug-ins needed to enable this feature are no longer available.
  16. Select the Force user to provide a mobile phone number when creating an account check box to require mobile phone numbers to be entered in the Contact Information area when creating or modifying a local user account. This mobile phone number is required when using the two-step verification process. Any users without a mobile phone number will not be able to reset their password.
  17. Click Update to save any changes.
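The time-sensitive reset link described in the password reset options above (an administrator-issued link valid for 1 to 999 hours, a user-requested link valid for 5 to 9999 minutes, an expired link requiring a fresh request, and an email whose subject starts with the friendly system name) is illustrated by the following added example. It is not FileHold's code: the token format, the HMAC signing, the names, the `https://filehold.example/...` link and the contact address are this example's own, and the clock is passed in as a Unix timestamp so it runs offline.

```python
"""Illustrative time-limited password reset link (added example, not FileHold
code). The token carries the user ID, an expiry timestamp and a random nonce,
and is signed with a server-side key so it cannot be altered or forged.
Lifetimes are clamped to the ranges on the settings page."""

import hashlib
import hmac
import secrets

ADMIN_HOURS_RANGE = (1, 999)      # administrator-issued link, in hours
USER_MINUTES_RANGE = (5, 9999)    # user-requested link, in minutes


def _clamp(value: int, bounds: tuple) -> int:
    lo, hi = bounds
    return max(lo, min(value, hi))


class ResetLinkIssuer:
    def __init__(self, server_key: bytes, friendly_name: str, info_email: str,
                 admin_hours: int = 24, user_minutes: int = 30):
        self.key = server_key
        self.friendly_name = friendly_name
        self.info_email = info_email
        self.admin_seconds = _clamp(admin_hours, ADMIN_HOURS_RANGE) * 3600
        self.user_seconds = _clamp(user_minutes, USER_MINUTES_RANGE) * 60

    def _sign(self, user_id: str, expires: int, nonce: str) -> str:
        msg = f"{user_id}|{expires}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: int, by_admin: bool = False) -> str:
        """Return the token to embed in the link; lifetime depends on who requested it."""
        lifetime = self.admin_seconds if by_admin else self.user_seconds
        expires = now + lifetime
        nonce = secrets.token_hex(8)
        return f"{user_id}|{expires}|{nonce}|{self._sign(user_id, expires, nonce)}"

    def verify(self, token: str, now: int) -> tuple:
        """Return (ok, detail): detail is the user ID when ok, else the reason."""
        try:
            user_id, expires_s, nonce, mac = token.split("|")
            expires = int(expires_s)
        except ValueError:
            return (False, "malformed")
        # Check the signature before trusting any field, in constant time.
        if not hmac.compare_digest(mac, self._sign(user_id, expires, nonce)):
            return (False, "tampered")
        if now >= expires:
            return (False, "expired: request a new link from the login page")
        return (True, user_id)

    def email_text(self, token: str) -> dict:
        """Subject and body shaped like the notification described in the steps above.
        The host name is a placeholder for this example."""
        return {
            "subject": f"{self.friendly_name} forgotten password reset",
            "body": (
                f"Use this link to reset your password: https://filehold.example/reset?token={token}\n"
                "Please do not reply to this email. It is an unmonitored email address and your "
                f"message will not be received. If you have any questions, please contact us at "
                f"{self.info_email}."
            ),
        }


if __name__ == "__main__":
    issuer = ResetLinkIssuer(b"constructed-demo-key", "Your Company Name Inc",
                             "helpdesk@example.com", admin_hours=24, user_minutes=30)
    token = issuer.issue("alice", now=1_000_000)
    print(issuer.email_text(token)["subject"])
    print(issuer.verify(token, now=1_000_000 + 29 * 60))
    print(issuer.verify(token, now=1_000_000 + 30 * 60))
```

A production implementation would additionally record each nonce server-side and invalidate it once the password has been changed, so a link is single-use as well as time-limited; that bookkeeping is omitted here to keep the expiry logic in view.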