Security settings
Public access to your agency’s Citizen Access portal requires a certain level of security. The specific level depends on the agency and the type of functions it has on the portal. Password security is the first line of defense against security threats. This section describes how to define password security for your agency.
Set up a password policy
The first step in defining password security is to set up a password policy for your agency according to the industry standard set of password strength rules. These rules include character requirements, such as the minimum password length, the number of uppercase characters, and the number of numeric characters. They also include password restrictions, such as not allowing the user ID to be part of the password, or not allowing the password to match any of the previous X passwords.
You can only configure the password strength rules from Civic Platform when logging in with multi-Agency administrative privileges.
For the process, see the “Agencies and Functions” chapter of the Accela Civic Platform On-Premise Supplement Administration Guide.
Configure the password settings
The Password settings section of the Register license page is used to configure password expiration settings and password failed attempts. These items relate to the password security definition in the registration definition section. The password expiration setting field sets the number of days after which a user’s password expires, and the password failed attempts fields set the number of times a user can enter an incorrect password during a specified period before their account is locked.
When the account lockout policy is enabled, there is a risk of locking out legitimate users. To avoid locking out legitimate users who have simply mistyped or forgotten their passwords, the best practice is to set the account lockout threshold to a high number. If a user does get locked out, a message displays. They also receive an account locked email message, as described in Notification emails. In that case, they need to contact their agency and have them unlock the account.
Lock account after failed attempts
A failed login attempt can result from an invalid user name/password or an invalid answer to a security question. For example, if a user enters an invalid user name and password twice, the failed attempts count is 2; if the user then enters an invalid answer to the security question after clicking Login with a valid user name and password, the failed attempts count increases to 3.
The registration settings provide the Lock account after failed attempts option in the Security settings section. You can select the option and configure the number of failed attempts that Citizen Access allows before locking an account for a certain time period.
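The counting rule above, modeled as an added sketch (not Accela code) that shows why a low threshold locks out a user who simply mistypes. The class and function names, the 15-minute counting period, the 30-minute lock, and locking when the count reaches the threshold are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque


class LockoutTracker:
    """Illustrative model of one failed-attempt counter shared by both login stages."""

    def __init__(self, threshold, window_s, lock_s):
        self.threshold = threshold          # failed attempts allowed before locking
        self.window_s = window_s            # period in which failures are counted
        self.lock_s = lock_s                # how long the account stays locked
        self.failures = defaultdict(deque)  # user -> timestamps of counted failures
        self.locked_until = {}              # user -> time at which the lock ends

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now, stage):
        """Count a failure from either stage; return the count inside the period."""
        if stage not in ("password", "security_question"):
            raise ValueError(f"unknown stage: {stage}")
        q = self.failures[user]
        if self.is_locked(user, now):
            return len(q)                   # already locked: nothing more to count
        q.append(now)
        while q and q[0] <= now - self.window_s:
            q.popleft()                     # drop failures older than the period
        if len(q) >= self.threshold:
            self.locked_until[user] = now + self.lock_s
        return len(q)


def replay(events, threshold, window_s=900, lock_s=1800):
    """Replay (time, user, stage) failures; return (counts, locked after last event)."""
    tracker = LockoutTracker(threshold, window_s, lock_s)
    counts = [tracker.record_failure(u, ts, stage) for ts, u, stage in events]
    last_ts, last_user, _ = events[-1]
    return counts, tracker.is_locked(last_user, last_ts)


# Constructed sample: two bad passwords, then a bad security answer.
EVENTS = [
    (0, "jdoe", "password"),
    (20, "jdoe", "password"),
    (45, "jdoe", "security_question"),
]

if __name__ == "__main__":
    print(replay(EVENTS, threshold=3))   # low threshold: account is locked
    print(replay(EVENTS, threshold=10))  # higher threshold: same user is not locked
```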
Enable authentication by security question
The Authentication by security question option in the Security settings section is an additional safeguard against unauthorized login to Citizen Access.
When a public user registers on the website, or when an authorized agent adds a clerk, the user or agent must select one or more security questions to answer from the dropdown list of the Select a security question field. This applies whether the Authentication by security question option is enabled or disabled.
If you enable the Authentication by security question option, when a public user logs in to Citizen Access, the user must answer a security question.
The compulsory security question setting in the registration settings defines the number of security questions that users must select to answer during registration. You can specify a number between 1 and the number of available security question choices that you configured for the Select a security question field of the registration page. For example, if you require 3 compulsory security questions, then when a public user registers for an account, the user must select 3 different security questions to answer.

