Access

Access to the application is granted by your organization's application administrator. You will need the URL defined by your organization, a valid username, and password to log in to this application

Security settings assigned to each user apply upon login. Areas and some functions within this application are permission based. This means if you do not see an area, an object, or a function is grayed out, then access to that area or object has been prohibited.

Important: This documentation refers to transactions by their default names. Your administrator can change these names to conform with your business practices. 1

User Authentication

Modern technologies necessitate higher security standards. In the past, web sites often used simple password requirements, which allowed users to create simpler, less secure passwords.

To meet modern security standards this system will require stricter Login Policies as of application version 7.4.4.2+, and 7.5.2+. Password hardening enhancements and password complexity requirements will roll out in several phases in addition to multi-factor authentication (MFA) 2 setup methods.

Password validation checks will be notable upon upgrade. This means, some password requirements will be in effect upon upgrade and others will only take effect when an end-user changes their password by either choice; or the existing Login Policy enforces the change; or an existing Login Policy is altered in Setup.

The table below displays password enhancements, new defaults, and new or stricter password hardening requirements:3

Login Policy Setting	Description
Default Password	Users who log in to this application using the default password will be forced to change their password and adhere to new validation checks which will prevent users from using a password length less than eight characters and forbids the use of the Login ID in the password field. Applicable to version 7.4.4.2+, 7.5.2+, 7.5.3+. Due to stricter password requirements, the minimum password length is fifteen as of version 7.5.4. Maximum value for this field increased from 40 to 64 characters.
Login Disabled When User is Inactive After	This field can no longer be blank and will now default to 31 days if the field was blank in the Login Policy prior to an upgrade. Field requirement is 1 - 999. Due to enhanced password requirements, the maximum number of days is 60 as of version 7.5.4. Values less than 60 days, or greater than one day will be retained in the application upon upgrade. System administrators may need to reset a user’s password to the default password in order for the user to log back in and change their password.
Time Allowed for Users to Reset Password	This field can no longer be blank, and will now default to six hours if the field was blank in the Login Policy prior to an upgrade.
Force Password Change if Default	This check box has been removed from the Login Policy area.
Failed Password Third Attempt Lockout	This field in a Login Policy can no longer be configured to ignore failed login attempts, and now a required field with a minimum lockout period preset to thirty minutes. An existing Login Policy that contains a value less than 30 minutes will be immediately impacted by this change. A preconfigured value of 30 minutes or greater will not be affected by this change. Applicable to Web and IVR as of application version 7.5.4.
Force Password Change Every _days	If users are required to change their passwords periodically, type that value in this field. RESTRICTIONS - Minimum(1) Maximum (999). This field is required as of application version 7.5.4. The default and maximum period is set at 90 days when Multi-Factor Authentication is disabled. When Multi-Factor Authentication is enabled, this field defaults to a maximum period of 180 days. Existing values below 90 days will be retained upon upgrade.
Password Complexity	A Login Policy must be complex and include three out of four of the following password complexity features as of application version 7.5.4: Minimum Lowercase Characters Minimum Uppercase Characters Minimum Digits Allowed Minimum Special Characters
Prohibit passwords from the forbidden passwords list	This check box is required, enforced, and defaults to true as of application 7.5.4.
Prohibit Reuse of the last*	Ensures the last X number of passwords cannot be reused. The default is 24. Applicable to Web and IVR passwords. Restrictions: Minimum (24) Maximum (1000). Field added in application version 7.5.4.
New Users Must Log In Within*	Ensures a new user must log in to this application within the number of days set. This field is available as of version 7.5.4. This field is required and defaults to a minimum value of 30 days. Applicable to Web and IVR and new customers on day one. Existing customers will see the new policy take effect the next time their password needs to be changed.