To access "Security Preferences" settings, go to the "Administration" tab, click on settings, and look for the "Security Preferences" heading.
The AssureSign system provides granular control over its security settings, so you can apply whatever combination your organization requires. An easy way to manage some security and password settings is to choose from the pre-configurations. When you select one of the options for "Security Strength" (Low, Medium, High, PCI and Custom), the other security settings adjust automatically to the appropriate levels for that selection. Even after selecting a "Security Strength", you can still change the other individual settings to meet your needs. Note that when a change deviates from the selected pre-configuration, the "Security Strength" will be automatically set to "Custom".
We recommend setting the strength according to the type of information contained in your AssureSign documents. Choose the highest level of security when your documents may contain sensitive personal, financial or health information. While AssureSign is not a payment card processor, we have provided PCI (Payment Card Industry) level settings as an easy template for setting security at a PCI suggested standard level.
Important: An important part of managing security is implementing a process for disabling users when they are no longer with your organization, or when they should no longer have access to AssureSign documents. Tools are available within the AssureSign Administration section for managing user access; however, you must implement procedures to ensure your organization’s policies regarding document access are met.
"Behavior for Handling Failed Login Attempts" may be configured as follows:
- to take no action,
- to enforce an increasing (but temporary) delay between failed login attempts,
- or may be set to a numerical value available in a dropdown list that will indicate how many login failures will be allowed before the user account is disabled. For example, if this is set to "3", then your AssureSign users’ accounts will be locked after attempting to log in under their user name 3 times with incorrect passwords. An administrator will be able to unlock their account from the Users administration area. Users will remain locked out until an administrator explicitly unlocks their account.
"Minimum Password Length" sets the minimum acceptable length for passwords you or your users specify. The minimum requirement is 8 characters.
A 2 character password consisting of numbers only can have 100 or 10² possible combinations.
A 2 character password consisting of numbers, lower case characters and upper case characters has 3844 or (10+26+26)² combinations.
A 10 character password consisting of numbers, lower case characters and upper case characters has 839,299,365,868,340,224 or (10+26+26)¹⁰ combinations.
"Number of Days Until Password Expiration" may either be turned off (passwords will not expire) or may be configured to a numerical value available in a dropdown list.
"Number of Idle Minutes Until Session Timeout" controls how many minutes of inactivity are allowed before users of the system are logged out. A non-zero integer value must be specified. The maximum allowed is 1440 minutes.
"Number of Password Changes Before Password Reuse" may be turned off (reuse of passwords will be allowed) or may be configured to a numerical value available in a dropdown list. This setting comes into play when a user changes their password (whether forced by expiration or at their own discretion).
Note: A week before a user’s password expires, the user will be directed after logging in to a password expiration notification page where they will be notified of the pending expiration and presented with a link that will take them to a password reset page. The user will be able to bypass this page and continue to the main site, but the page will appear when they log in until they change their password.
If a user logs in and their password is expired, they will be presented with a password expiration page containing a link to change their password. The user will not be able to bypass the page until they change their password.
"Password Strength" determines the complexity required in the composition of your AssureSign account users’ passwords. The options are:
- Low: no character restriction
- Medium: alphanumeric, at least one number and one letter
- High: alphanumeric, at least one uppercase and one lowercase letter, at least one special character
- PCI: alphanumeric, at least one uppercase letter, at least one lowercase letter, at least one number
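The following added example (not AssureSign code) encodes only the "at least one" requirements each option above lists, reports which options a candidate password meets, and reproduces the combination counts given under "Minimum Password Length". The function names, the ASCII character classes and the reading of "special character" as ASCII punctuation are assumptions.

```python
import string

# Requirements each "Password Strength" option lists explicitly (from the page).
TIERS = {
    "Low": [],
    "Medium": ["digit", "letter"],
    "High": ["upper", "lower", "special"],
    "PCI": ["upper", "lower", "digit"],
}
# Assumption: ASCII character classes; "special" means ASCII punctuation.
CLASSES = {
    "digit": set(string.digits),
    "letter": set(string.ascii_letters),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "special": set(string.punctuation),
}
MIN_LENGTH_FLOOR = 8  # lowest "Minimum Password Length" the page allows


def unmet(password, tier, min_length=MIN_LENGTH_FLOOR):
    """Return the requirements `password` fails for `tier`, in a stable order."""
    if min_length < MIN_LENGTH_FLOOR:
        raise ValueError("minimum length cannot be set below 8")
    problems = []
    if len(password) < min_length:
        problems.append(f"length<{min_length}")
    chars = set(password)
    for cls in TIERS[tier]:
        if not chars & CLASSES[cls]:
            problems.append(cls)
    return problems


def satisfied_tiers(password, min_length=MIN_LENGTH_FLOOR):
    """List every option whose listed rules the password meets."""
    return [t for t in TIERS if not unmet(password, t, min_length)]


def combinations(length, *classes):
    """Keyspace size, as in the page's (10+26+26)^n figures."""
    alphabet = set().union(*(CLASSES[c] for c in classes))
    return len(alphabet) ** length


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["sunshine", "sunshine1", "Sunshine1", "Sunshine!", "Sun1!"]:
        print(f"{pw!r:12} -> {satisfied_tiers(pw)}")
    print(combinations(10, "digit", "letter"))
```

Under this reading, a password can meet the listed High rules without containing a number, so the options are not strictly nested; check candidate passwords against the specific option you selected.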
If this value is set to "Yes", then new users that you create will be required to change their password after their first login. By default, new users created by AssureSign support staff (such as the default administrator user granted to an account when it is first enabled) will be required to change their password after their first login.