
Security policies settings

Updated on March 15, 2022

To authenticate users and manage sessions, configure security policies.

Password policies settings

| Policy | Notes | Default value | Min value | Max value |
|---|---|---|---|---|
| Minimum operator identifier (ID) length | | 8 | 3 | 64 |
| Minimum operator password length | | 8 | 3 | 64 |
| Minimum numeric [0-9] characters required in operator password | | 1 | 0 | 64 |
| Minimum alphabetic [a-z, A-Z] characters required in operator password | | 1 | 0 | 64 |
| Minimum lowercase [a-z] characters required in operator password | | 0 | 0 | 64 |
| Minimum uppercase [A-Z] characters required in operator password | | 0 | 0 | 64 |
| Minimum special characters required in operator password | Available special characters include: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } [ ] \| \ : " ; ' < > ? , . / | 1 | 0 | 64 |
| Maximum unique historical operator passwords | If the value is 5, you cannot change your password to match any of the five most recent passwords that you used. | 5 | 0 | 128 |
| Maximum operator password age in days | The maximum number of days before an operator must change the password. If you set the value to 0, the password never expires. To set an expiration period for a password, select a value between 1 and 128. | 30 | 0 | 128 |
| Minimum operator password age in days | The minimum number of days before an operator can change the password. | 0 | 0 | 128 |
| Minimum number of different characters between current and new operator passwords | The minimum number of characters that must differ between the current password and the new password when the password is changed. | 0 | 0 | 64 |
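The following is an added example, not Pega Platform code, that applies the password policy rows above to a candidate password using the documented default values. `PasswordPolicy`, `check_password`, `differing_characters` and `password_expired` are hypothetical names; the page does not define how "different characters" are counted, so the positional comparison used here is an assumption. Plaintext history is used only to keep the example self-contained; a real system compares hashes.

```python
# Added example (not Pega Platform code): apply the password policy settings above.
# PasswordPolicy, check_password, differing_characters, password_expired: hypothetical names.
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Special characters exactly as listed in the table above.
SPECIAL_CHARS = set("`~!@#$%^&*()_+-={}[]|\\:\";'<>?,./")


@dataclass
class PasswordPolicy:
    """Defaults mirror the 'Default value' column of the table."""
    min_length: int = 8
    min_numeric: int = 1
    min_alphabetic: int = 1
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_special: int = 1
    max_unique_historical: int = 5   # 0 disables the history check
    min_different_chars: int = 0
    min_age_days: int = 0
    max_age_days: int = 30           # 0 means the password never expires


def differing_characters(current: str, candidate: str) -> int:
    """Positions at which the two strings differ, plus any length difference.
    The page does not define the metric; this positional count is an assumption."""
    diffs = sum(1 for a, b in zip(current, candidate) if a != b)
    return diffs + abs(len(current) - len(candidate))


def check_password(policy: PasswordPolicy, candidate: str,
                   history: Sequence[str] = (), current: Optional[str] = None,
                   current_age_days: Optional[int] = None) -> List[str]:
    """Return the names of the rules the candidate violates; [] means accepted.

    history: previously used passwords, newest first (plaintext here only so the
    example is self-contained; a real system would compare hashes).
    """
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if sum(c in string.digits for c in candidate) < policy.min_numeric:
        violations.append("min_numeric")
    if sum(c in string.ascii_letters for c in candidate) < policy.min_alphabetic:
        violations.append("min_alphabetic")
    if sum(c in string.ascii_lowercase for c in candidate) < policy.min_lowercase:
        violations.append("min_lowercase")
    if sum(c in string.ascii_uppercase for c in candidate) < policy.min_uppercase:
        violations.append("min_uppercase")
    if sum(c in SPECIAL_CHARS for c in candidate) < policy.min_special:
        violations.append("min_special")
    # Only the N most recent passwords are compared, as the notes column describes.
    if candidate in list(history)[:policy.max_unique_historical]:
        violations.append("password_reuse")
    if current is not None and differing_characters(current, candidate) < policy.min_different_chars:
        violations.append("min_different_chars")
    if current_age_days is not None and current_age_days < policy.min_age_days:
        violations.append("min_age")
    return violations


def password_expired(policy: PasswordPolicy, age_days: int) -> bool:
    """True when the current password is older than the maximum age (0 = never expires)."""
    return policy.max_age_days > 0 and age_days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password(policy, "password"))      # ['min_numeric', 'min_special']
    print(check_password(policy, "Summer2024!"))   # []
    print(password_expired(policy, 31))            # True
```

Setting `max_age_days` to 0 makes `password_expired` always return False, which is the "never expires" behaviour the table describes; the history slice likewise becomes empty when `max_unique_historical` is 0.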

CAPTCHA policies settings

| Policy | Notes | Default value | Min value | Max value |
|---|---|---|---|---|
| CAPTCHA implementation | If set to Default, the system displays the CAPTCHA implementation that is included with Pega Platform. If set to Custom, the system displays the custom CAPTCHA implementation enabled for this system. An application can use third-party CAPTCHA solutions on the application login screen; however, some developer work is required to prepare the custom ruleset that delivers the third-party resource. | Default | | |
| Enable CAPTCHA Reverse Turing test module | If enabled, the system displays the CAPTCHA when authentication fails, with the probability set by the following field. If disabled, no CAPTCHA is displayed, even on login failure. | Disabled | | |
| Probability that CAPTCHA will be presented upon authentication failure (%) | If the CAPTCHA reverse Turing test is enabled, the percentage set here is the likelihood that the CAPTCHA is displayed. | 5 | 0 | 100 |
| Enable presentation of CAPTCHA upon initial login | If enabled, the CAPTCHA is displayed the first time that the user tries to log in to a new system or from a new computer. | Disabled | | |

Lockout policies settings

| Policy | Notes | Default value | Min value | Max value |
|---|---|---|---|---|
| Enable authentication lockout penalty | Set to Enabled or Disabled. If enabled, after a specified number of failed login attempts, the system imposes a lengthening delay of a number of seconds between every unsuccessful login attempt and the next login attempt. | Disabled | | |
| Failed login attempts before employing authentication lockout penalty | (Used when Enable authentication lockout penalty is Enabled.) After the set number of failed attempts, the user experiences a delay after each further attempt. The delay gets longer with each attempt. | 5 | 0 | 128 |
| Initial authentication lockout penalty in seconds | (Used when Enable authentication lockout penalty is Enabled.) Set the initial delay time. | 8 | 0 | 128 |
| Track login failures duration in minutes | (Used when Enable authentication lockout penalty is Enabled.) After this period of inactivity, the failed login counter is reset to 0. | 60 | | |
| Failed login attempts before password lockout | (Used when Enable authentication lockout penalty is Disabled.) Set the number of allowed failed login attempts before the account is locked. | 0 | | |
| Password lockout duration in minutes | (Used when Enable authentication lockout penalty is Disabled.) Set the time period for which the account remains locked after the allowed number of failed login attempts is exceeded. Set a non-zero value to unlock the account automatically after the lockout period; set 0 to require the account to be unlocked manually from the Unlock Operators landing page. | 0 | | |
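The two modes in the table above, the lengthening penalty delay and the fixed account lockout, are simulated in the following added example, which is not Pega Platform code. `LockoutPolicy`, `LoginGuard`, `check`, `record_failure` and `unlock` are hypothetical names. The page says the delay lengthens with each attempt but not by how much, so doubling the delay on each further failure is an assumption; treating a "Failed login attempts before password lockout" value of 0 as "no lockout" is likewise an assumption.

```python
# Added example (not Pega Platform code): simulate the penalty and lockout modes above.
# LockoutPolicy, LoginGuard and its methods are hypothetical names; the doubling of the
# penalty delay and the meaning of attempts_before_lockout == 0 are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """Defaults mirror the 'Default value' column of the table."""
    penalty_enabled: bool = False        # Enable authentication lockout penalty
    attempts_before_penalty: int = 5
    initial_penalty_seconds: int = 8
    track_failures_minutes: int = 60     # inactivity after which the failure counter resets
    attempts_before_lockout: int = 0     # penalty-disabled mode; 0 assumed to mean no lockout
    lockout_duration_minutes: int = 0    # 0 = manual unlock from the Unlock Operators page


@dataclass
class OperatorState:
    failures: int = 0
    last_failure: float = 0.0
    next_allowed: float = 0.0            # penalty mode: earliest time of the next attempt
    locked_at: Optional[float] = None    # lockout mode: when the account was locked


class LoginGuard:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state: Dict[str, OperatorState] = {}

    def _state(self, operator: str) -> OperatorState:
        return self.state.setdefault(operator, OperatorState())

    def check(self, operator: str, now: float) -> Optional[str]:
        """Return None if a login attempt may proceed, otherwise the reason it may not."""
        st = self._state(operator)
        p = self.policy
        if st.locked_at is not None:
            if p.lockout_duration_minutes == 0:
                return "locked: manual unlock required"
            if now < st.locked_at + p.lockout_duration_minutes * 60:
                return "locked"
            self.state.pop(operator)         # lockout period over: automatic unlock
            return None
        if now < st.next_allowed:
            return f"penalty: wait {int(st.next_allowed - now)}s"
        return None

    def record_failure(self, operator: str, now: float) -> int:
        """Register a failed login; return the delay in seconds imposed before the next attempt."""
        st = self._state(operator)
        p = self.policy
        if p.penalty_enabled and st.failures and now - st.last_failure > p.track_failures_minutes * 60:
            st.failures = 0                  # tracking window elapsed: counter back to 0
        st.failures += 1
        st.last_failure = now
        if p.penalty_enabled:
            over = st.failures - p.attempts_before_penalty
            if over < 0:
                return 0
            delay = p.initial_penalty_seconds * 2 ** over   # assumed growth rule
            st.next_allowed = now + delay
            return delay
        if p.attempts_before_lockout and st.failures >= p.attempts_before_lockout:
            st.locked_at = now
        return 0

    def record_success(self, operator: str) -> None:
        self.state.pop(operator, None)       # a successful login clears the counters

    def unlock(self, operator: str) -> None:
        self.state.pop(operator, None)       # what the Unlock Operators landing page does


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(penalty_enabled=True))
    t = 1000.0
    print([guard.record_failure("op1", t + i) for i in range(7)])   # [0, 0, 0, 0, 8, 16, 32]
    print(guard.check("op1", t + 6))                                 # penalty: wait 32s
```

With the default policy (penalty disabled and lockout threshold 0) no failure count ever blocks an attempt, which is why the lockout threshold must be set deliberately when the penalty is not used.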

Audit policies settings

| Policy | Notes | Default value | Min value | Max value |
|---|---|---|---|---|
| Audit log level | Set the audit log level. The options are: None (no log entry is added); Basic (record failed login attempts only); Advanced (record failed and successful login attempts). | Basic | | |

Multi-factor authentication policies (using one-time password)

| Policy | Notes | Default value | Min value | Max value |
|---|---|---|---|---|
| Maximum one-time password failure attempts | Set the allowed number of failed login attempts before the one-time password becomes invalid and another one-time password must be generated. | 3 | 1 | 3 |
| Maximum age of one-time password token in seconds | Specify how long a current one-time password can be used to authenticate the user before it becomes invalid and another one-time password must be generated. Note: The maximum age of the one-time password token must be less than the short-lived requestor time-out period, which is defined in minutes in the prconfig setting timeout/requestor/shortlived and defaults to 1 minute. If you set the maximum age to more than one minute (or accept the default), you must increase the timeout/requestor/shortlived setting. | 180 | | |
| Validity of one-time password confirmation in minutes | Specify how long a current one-time password confirmation is valid before another one-time password confirmation is required for further transactions in that session. | 60 | | |
| Email account from which one-time password needs to be sent | Specify an email account for sending one-time authentication codes. You can edit the selected email account by clicking the Add icon. If you do not define an email account or an SMS account, the multi-factor authentication policy is not applied. | | | |
| SMS account from which one-time password needs to be sent | Specify an SMS account for sending one-time authentication codes. You can add an SMS account by clicking the Add icon. If you do not define an SMS account or an email account, the multi-factor authentication policy is not applied. | | | |
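The following added example, not Pega Platform code, walks through a one-time password lifecycle governed by the three limits in the table above and includes the consistency check from the note on token age. `OtpPolicy`, `OtpToken`, `issue_otp`, `verify_otp`, `confirmation_valid` and `policy_fits_requestor_timeout` are hypothetical names; consuming the token on a successful check is the usual one-time semantics and is assumed rather than stated on the page.

```python
# Added example (not Pega Platform code): one-time password limits from the table above.
# All names here are hypothetical; consuming the token after a successful check is assumed.
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class OtpPolicy:
    """Defaults mirror the 'Default value' column of the table."""
    max_failure_attempts: int = 3
    max_token_age_seconds: int = 180
    confirmation_validity_minutes: int = 60


@dataclass
class OtpToken:
    code: str
    issued_at: float
    failures: int = 0
    invalidated: bool = False


def policy_fits_requestor_timeout(policy: OtpPolicy, shortlived_timeout_minutes: int = 1) -> bool:
    """The note above: the token's maximum age must be less than the short-lived requestor
    time-out (prconfig timeout/requestor/shortlived, which defaults to 1 minute)."""
    return policy.max_token_age_seconds < shortlived_timeout_minutes * 60


def issue_otp(now: float, code: Optional[str] = None) -> OtpToken:
    """Generate a six-digit code from a CSPRNG; a fixed code may be passed for testing."""
    if code is None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
    return OtpToken(code=code, issued_at=now)


def verify_otp(policy: OtpPolicy, token: OtpToken, submitted: str, now: float) -> str:
    """Return 'ok', 'expired', 'invalidated' or 'wrong'.

    After max_failure_attempts wrong codes the token is invalidated and a new one must
    be generated; a token older than max_token_age_seconds is expired.
    """
    if token.invalidated:
        return "invalidated"
    if now - token.issued_at > policy.max_token_age_seconds:
        return "expired"
    if hmac.compare_digest(token.code.encode(), submitted.encode()):
        token.invalidated = True          # consumed: a one-time password is not reusable
        return "ok"
    token.failures += 1
    if token.failures >= policy.max_failure_attempts:
        token.invalidated = True
        return "invalidated"
    return "wrong"


def confirmation_valid(policy: OtpPolicy, confirmed_at: float, now: float) -> bool:
    """True while a completed confirmation still covers further transactions in the session."""
    return now - confirmed_at <= policy.confirmation_validity_minutes * 60


if __name__ == "__main__":
    policy = OtpPolicy()
    print(policy_fits_requestor_timeout(policy))       # False: 180 s exceeds the 1-minute default
    print(policy_fits_requestor_timeout(policy, 5))    # True
    token = issue_otp(1000.0, code="123456")
    print([verify_otp(policy, token, c, 1001.0) for c in ("000000", "111111", "222222")])
    # ['wrong', 'wrong', 'invalidated']
```

The first check shows why the note matters: with the table's default token age of 180 seconds and the prconfig default of 1 minute, the policy is inconsistent until `timeout/requestor/shortlived` is raised above 3 minutes.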

Operator disablement policy settings

| Policy | Notes | Default value | Min value | Max value |
|---|---|---|---|---|
| Number of days of inactivity | Specify how many days a user must be inactive before being automatically disabled. | 90 | 1 | 90 |
| Exclusion list of operator IDs | Shows the operators who are excluded from the policy. [email protected] is excluded by default. Click Add Operator to exclude additional operators from the policy. | | | |
