Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session time-outs and the disabling of operator IDs, control the auditing of login events, and implement CAPTCHA and multi-factor authentication.
Note: The password, lockout, audit, and operator disablement security policies are supported in offline-enabled applications. Multi-factor authentication policies are applied only when two-factor authentication is used in custom authentication policies and in application case flows. The operator disablement policy is not enforced unless the Disable Dormant Operators agent is enabled.
Policy | Notes | Default value | Min value | Max value |
---|---|---|---|---|
Minimum operator identifier (ID) length | | 8 | 3 | 64 |
Minimum operator password length | | 8 | 3 | 64 |
Minimum numeric [0-9] characters required in operator password | | 1 | 0 | 64 |
Minimum alphabetic [a-z, A-Z] characters required in operator password | | 1 | 0 | 64 |
Minimum lowercase [a-z] characters required in operator password | | 0 | 0 | 64 |
Minimum uppercase [A-Z] characters required in operator password | | 0 | 0 | 64 |
Minimum special characters required in operator password | Available special characters include: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } [ ] \| \ : " ; ' < > ? , . / | 1 | 0 | 64 |
Maximum unique historical operator passwords | Note: If the value is 5, you cannot change your password to match any of the most recent five passwords that you used. | 5 | 0 | 128 |
Maximum operator password age in days | The maximum number of days before an operator must change the password. Note: If you set the value to 0, the password never expires. To set an expiration period for a password, select a value between 1 and 128. | 30 | 0 | 128 |
Minimum operator password age in days | The minimum number of days before an operator can change the password. | 0 | 0 | 128 |
Minimum number of different characters between current and new operator passwords | Minimum number of characters that should be different between the current password and the new password when changing the password. | 0 | 0 | 64 |
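The password rules in the table above, applied together in an added example (not Pega's own code): a checker that uses the default values and the special-character set listed above, treats `history[0]` as the current password, and assumes a position-wise count for "different characters" because the page does not define one.

```python
# Added example (not Pega's code): enforce the operator password policy
# with the default values from the table.
import string

# Special characters exactly as listed in the "Minimum special characters" note.
SPECIAL_CHARS = set("`~!@#$%^&*()_+-={}[]|\\:\";'<>?,./")

# Default values from the table.
DEFAULT_POLICY = {
    "min_length": 8,
    "min_numeric": 1,
    "min_alpha": 1,
    "min_lower": 0,
    "min_upper": 0,
    "min_special": 1,
    "history_size": 5,          # may not match any of the last 5 passwords
    "min_different_chars": 0,   # chars that must differ from the current one
}

def count_different_chars(current: str, new: str) -> int:
    """Position-wise count of differing characters plus any length difference.
    Assumption: the page does not say how 'different characters' are counted."""
    differing = sum(1 for a, b in zip(current, new) if a != b)
    return differing + abs(len(current) - len(new))

def check_password(new: str, history: list[str], policy=DEFAULT_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    `history` is ordered newest first, so history[0] is the current password."""
    violations = []
    if len(new) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    counts = {
        "min_numeric": sum(c.isdigit() for c in new),
        "min_alpha": sum(c in string.ascii_letters for c in new),
        "min_lower": sum(c in string.ascii_lowercase for c in new),
        "min_upper": sum(c in string.ascii_uppercase for c in new),
        "min_special": sum(c in SPECIAL_CHARS for c in new),
    }
    for key, have in counts.items():
        if have < policy[key]:
            violations.append(f"{key} requires {policy[key]}, found {have}")
    if new in history[: policy["history_size"]]:
        violations.append("matches one of the recent passwords")
    if history and count_different_chars(history[0], new) < policy["min_different_chars"]:
        violations.append("too few characters differ from the current password")
    return violations
```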
Policy | Notes | Default value | Min value | Max value |
---|---|---|---|---|
CAPTCHA implementation | If set to Default, the system displays the CAPTCHA implementation that is included with the Pega Platform. If set to Custom, the system displays the custom CAPTCHA implementation enabled for this system. An application can use third-party CAPTCHA solutions on the application login screen. However, a certain amount of developer work is required to prepare the custom ruleset to deliver the third-party resource. | Default | | |
Enable CAPTCHA Reverse Turing test module | If enabled, the system displays the CAPTCHA when authentication fails, with a probability set by the following field. If disabled, no CAPTCHA is displayed even on login failure. | Enabled | | |
Probability that CAPTCHA will be presented upon authentication failure (%) | If the CAPTCHA Reverse Turing Test is enabled, the percentage set here is the likelihood that the CAPTCHA displays. | 5 | 0 | 100 |
Enable presentation of CAPTCHA upon initial login | If enabled, the CAPTCHA is displayed the first time that the user tries to log on to a new system or from a new computer. | Enabled | | |
Policy | Notes | Default value | Min value | Max value |
---|---|---|---|---|
Enable authentication lockout penalty mechanism | If enabled, after n failed login attempts, the system imposes a delay of n minutes and seconds after every unsuccessful login attempt. | Enabled | ||
Failed login attempts before employing authentication lockout penalty | After the number of failed attempts set here, the user experiences a delay after each further attempt. The delay gets longer with each attempt. | 30 | 0 | 128 |
Initial authentication lockout penalty in seconds | Set the initial delay time. | 8 | 0 | 128 |
Failed login attempts before password lockout | Set the number of allowed failed login attempts before the account is locked. | 0 | | |
Password lockout duration in minutes | Set the time period for which the account remains locked after the allowed failed login attempts are exceeded. | 0 | | |
Policy | Notes | Default value | Min value | Max value |
---|---|---|---|---|
Audit log level | Set the Audit log level. The options are: | Basic | | |
If needed, define the two-factor authentication policies.
Policy | Notes | Default value | Min value | Max value |
---|---|---|---|---|
Maximum one-time password failure attempts | Set the allowed number of failed login attempts before the one-time password becomes invalid and another one-time password must be generated. | 3 | 1 | 3 |
Maximum age of one-time password token in seconds | Specify how long a current one-time password can be used to authenticate the user before it becomes invalid and another one-time password must be generated. | 30 | | |
Validity of one-time password confirmation in minutes | Specify how long a current one-time password confirmation is valid before another one-time password confirmation is required for further transactions in that session. | 60 | | |
Email account from which one-time password needs to be sent | Specify an email account that is used to send one-time passwords. If necessary, click the Add icon to edit the selected email account. Note: If you do not define this setting, the multi-factor authentication policy is not applied. | Default | | |
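How the three one-time password limits above interact (failure count, token age, confirmation validity), as an added example that is not Pega's code: a small OTP session model using the default values. The 6-digit code and the explicit `now` clock are assumptions; the page specifies neither.

```python
# Added example (not Pega's code): one OTP token tracked against the default
# two-factor policy values from the table.
import secrets
import string

MAX_OTP_FAILURES = 3             # Maximum one-time password failure attempts
OTP_MAX_AGE_SECONDS = 30         # Maximum age of one-time password token
CONFIRMATION_VALID_MINUTES = 60  # Validity of one-time password confirmation

class OtpSession:
    """Tracks one OTP, its failed attempts, and the confirmation it produced.
    Time is passed in explicitly (seconds) so expiry is deterministic in tests."""

    def __init__(self, issued_at: float, digits: int = 6):
        # Assumption: OTP length and generation are not specified on the page.
        self.token = "".join(secrets.choice(string.digits) for _ in range(digits))
        self.issued_at = issued_at
        self.failures = 0
        self.invalid = False        # True once a new OTP must be generated
        self.confirmed_at = None

    def verify(self, submitted: str, now: float) -> str:
        """Return 'ok', 'expired', 'wrong', 'too_many_failures' or 'invalid'."""
        if self.invalid:
            return "invalid"
        if now - self.issued_at > OTP_MAX_AGE_SECONDS:
            self.invalid = True     # token older than 30 s: must regenerate
            return "expired"
        if secrets.compare_digest(submitted, self.token):
            self.confirmed_at = now
            self.invalid = True     # one-time: a used token cannot be replayed
            return "ok"
        self.failures += 1
        if self.failures >= MAX_OTP_FAILURES:
            self.invalid = True     # 3 failures invalidate the OTP
            return "too_many_failures"
        return "wrong"

    def confirmation_valid(self, now: float) -> bool:
        """True while the last confirmation still covers transactions (60 min)."""
        return (self.confirmed_at is not None
                and now - self.confirmed_at <= CONFIRMATION_VALID_MINUTES * 60)
```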
If needed, define an operator disablement policy.
Policy | Notes | Default value | Min value | Max value |
---|---|---|---|---|
Number of days of inactivity | Specify how many days a user has to be inactive before being automatically disabled. | 90 | 1 | 90 |
Exclusion list of operator IDs | Show a list of operators who are excluded from the policy. Click Add Operator to exclude operators from the policy. Note: If you do not provide a list of excluded operator IDs, the operator disablement policy is not applied. | | | |