Configuring multi-factor authentication policies
To control the behavior of two-factor authentication, configure the multi-factor authentication policy settings on the Security Policies landing page.
- In the Dev Studio header, click .
- In the Multi-factor authentication policies (using one-time password) section, configure the following required fields:
  - In the Maximum one-time password failure attempts list, select a value between 1 and 3 to set the number of failed login attempts that your application allows before the one-time password becomes invalid and another one-time password must be generated. Setting a lower value helps prevent brute force attacks.
  - In the Maximum age of one-time password token in seconds field, enter the length of time from when the token is generated to when the user must verify it with your application. The maximum age of the one-time password token must be less than the shortlived requestor timeout period, which is defined in minutes in the prconfig setting timeout/requestor/shortlived, and which defaults to 1 minute. If you set the maximum age to be greater than one minute, you must increase the timeout/requestor/shortlived setting.
  - In the Validity of one-time password confirmation in minutes field, enter how long a user can work in a single session before being logged out.
  - In the Email account from which one-time password needs to be sent field, press the Down Arrow key, and then select the name of an email account.
- Click Submit.
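
The maximum token age is entered in seconds while the shortlived requestor timeout is defined in minutes, so the two values are easy to mismatch. The following added example, which is not part of the product documentation, checks a proposed maximum age against the timeout. It assumes that the setting is stored in prconfig.xml as an env element with name and value attributes; the sample file content and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SETTING = "timeout/requestor/shortlived"
DEFAULT_SHORTLIVED_MINUTES = 1  # default stated in this topic

# Constructed sample prconfig.xml content (assumed layout, not from a real system).
SAMPLE_PRCONFIG = """<pegarules>
  <env name="timeout/requestor/shortlived" value="3" />
</pegarules>
"""


def shortlived_timeout_seconds(prconfig_xml):
    """Return the shortlived requestor timeout converted to seconds.

    The setting is expressed in minutes. When the setting is absent,
    the 1-minute default applies.
    """
    root = ET.fromstring(prconfig_xml)
    for env in root.iter("env"):
        if env.get("name") == SETTING:
            return int(env.get("value")) * 60
    return DEFAULT_SHORTLIVED_MINUTES * 60


def check_otp_max_age(otp_max_age_seconds, prconfig_xml):
    """Return (ok, message) for a proposed maximum one-time password age."""
    if otp_max_age_seconds <= 0:
        return False, "maximum age must be a positive number of seconds"
    limit = shortlived_timeout_seconds(prconfig_xml)
    # The age must be strictly less than the timeout, so equal values fail.
    if otp_max_age_seconds >= limit:
        return False, (
            f"maximum age {otp_max_age_seconds}s is not less than the "
            f"shortlived timeout of {limit}s; increase {SETTING} or lower the age"
        )
    return True, f"maximum age {otp_max_age_seconds}s is below the {limit}s timeout"


if __name__ == "__main__":
    for age in (45, 120, 180, 300):
        ok, message = check_otp_max_age(age, SAMPLE_PRCONFIG)
        print("OK  " if ok else "FAIL", message)
```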