Security
Last updated
Last updated
Only admin users have access to this page.
Fanplayr maintains the security of your account and data in multiple ways. Many of the security settings can be customized by an account administrator to match particular security needs. This page contains a list of security features, complete with descriptions of each and explanations of how the administrator can enable and adjust the security features. The security settings page is located in the account settings of the portal, under the "Account" tab on the left sidebar.
An account administrator can enable two-factor authentication (2FA) for the entire account. There are three different options.
Email: Verification code will be sent via email
Mobile: Verification code will be sent via SMS
None: Allows users to disable two-factor authentication
If 2FA is enabled, one of "Email" or "Mobile" must be selected. If "None" is selected, each user has the ability to disable their own 2FA. Otherwise, each user is forced to use 2FA upon login, though the user has the ability to choose between "Email" or "Mobile" depending on whether the administrator has allowed it.
Enabling the "Force Password Change" setting ensures that every user on the account has a password that changes with some frequency, which can greatly reduce the chance that a leaked password could jeopardize the security of the account. There are two customizable values:
Password Validity Period: Number of days between password changes (minimum 30)
Reminder days: Number of days before the password must be changed that a user is warned they must change the password (minimum 1)
Once the current date gets to within the "Reminder days" value prior to the end of the password validity period, the user will see a message with each login that the user is getting close to the end of the current password's validity period. After each password change, the user's password validity period resets to the value set here.
For example, assume "Password Validity Period" is set to 30 and "Reminder days" is set to 5. The user will have 30 days since the last password change (or since this setting was first enabled) to reset the password. If the password is changed on August 1, then the user will have until August 31 to reset the password. Between August 26 and August 31, the user will see a message upon each login saying that it is time to change the password. If the password remains unchanged and the user logs in on September 1, the system will force the user to change password.
Enabling the password re-use policy makes it so the user cannot re-use previous passwords. Like the forced password change, this security feature diminishes the chances that the user's account can be accessed via leaked passwords. There is only one value to customize:
Disallow Number of Passwords: Number of previous passwords to compare when creating a new password (minimum 1)
If this setting is enabled, the password reset process will check the newly-created password against the predetermined number of the user's previous passwords and make sure the new password is different. If the newly-created password matches one of the prior passwords, then the user will be prompted to create a new, different password.
When creating a new password for a user, an account administrator can require the password to adhere to the following requirements.
This value acts as the minimum password length when creating a new password. The user will not be able to create a password that is shorter than the value set in this setting. Even if the value is not set, Fanplayr forces a password to be at least 8 characters long.
Enabling this setting requires the new password to contain a symbol from the list below:
~`!@#$%^&*()-[]{}|_+=\"':;<,>.?/
Enabling this setting requires the new password to contain a number.
Enabling this setting requires the new password to have at least one upper case and one lower case character.
There are a few ways for a user's account to be locked, and these ways are described below. If a user's account is locked, he or she should contact the account administrator to unlock. If an administrator's account is locked, he or she should contact Fanplayr to get the account unlocked.
An account administrator can choose to automatically lock a user's account if the user has too many failed login attempts.
Number of failed logins: The number of times a user has attempted to login unsuccessfully before the account is locked (minimum 3)
Reset minutes: The number of minutes after the last attempt until the number of failures is reset (minimum 5)
If this setting is enabled, the user will have the predetermined number of chances to correctly type in the password when logging in. The next attempt will result in the account being locked.
As long as the user's account is not yet locked, the user's number of failed login attempts will be reset after the amount of time specified in "reset minutes". For example, assume the number of attempts is set to 3 and the reset minutes is set to 5. If the user types the password incorrectly twice, the system will wait 5 minutes before resetting that value back to zero. If the user gets the password wrong once more in within that 5 minute period, the account will be locked.
An account administrator can choose to automatically lock a user's account if the user has not logged in after a certain number of days.
Days: Number of days without logging in before the user's account is locked (minimum 7)
Warnings days: Number of days before locking account to warn user via email (minimum 1)
If this setting is enabled, the user will have to log in at least once over the set period of time or else the account will be locked. As specified in this setting, near the end of the account inactivity deadline Fanplayr will send a reminder email to this user that the account could soon be locked.
Account Administrators are able to unlock user accounts in the Account Users page in the portal. Any locked users will show up in the list alongside a red lock. Clicking the 'Unlock' button will give the specific user access to log in again and resume using the portal as before.
An account administrator can decide to have users on the account be automatically logged out of the portal if the user has been inactive on the site for a period of time.
Minutes: Amount of time before the portal automatically logs the user out and redirects the the login screen
A warning will be displayed to the user that they will be logged out 30 seconds prior to logging out.
Fanplayr provides a way for account administrators to view security logs. The logs can be viewed in the account security screen alongside the above settings. Each log contains the user's name, the event, the user's IP (if available), and the time the event occurred. The following events are logged:
Login
Logout
Account Switch (agency users)
Password Change
Password Change Request
Failed Login - Inactivity
Failed Login - Password Change Required
Failed Login - Wrong Password
Failed Login - Failed Attempts
Account Locked - Inactivity
Account Locked - Failed Attempts
Account Locked - Password Change Required
Unlock User (admin users)