Login Security Features
SoftSlate Cloud Platform provides comprehensive authentication security features designed to protect both employee and customer accounts. Our security approach balances robust protection against unauthorized access with user-friendly functionality that makes legitimate login easy and convenient. The features described below work together to create a multi-layered security system that safeguards your business and customer data.
Here's an overview of the security features covered in this guide:
Overview of Login Forms
"Remember Me On This Device"
reCAPTCHA / "I'm Not a Robot"
"Forgot Your Password?" Process
Password Rules
Lockouts After Repeated Failed Logins
Unlocking a User Who Was Locked Out
Password Expirations
Reusing Previous Passwords
Restricting Logins for Specific Users to Specific IP Addresses
Google Sign-In
Overview of Login Forms
Employee Login Interface
The standard login form for employees looks like this:
Customer Login Interface
The customer login form maintains the same security standards while providing a user-friendly experience that matches your site's design:
"Remember Me On This Device"
To enhance user convenience without compromising security, both employee and customer login forms include a "Remember Me On This Device" option. This feature provides the following benefits:
How It Works
When users check this option and successfully log in, they won't need to enter their credentials again for one full week
Without this option enabled, users are automatically logged out after 20 minutes of inactivity for security purposes
Important Security Considerations
The option specifically states "on this device" to remind users that anyone with physical access to the device can potentially access their account without logging in
Never use this option on public or shared computers (such as those in libraries, internet cafes, or shared workspaces)
For maximum security, we recommend using this feature only on personal, secure devices
Additional Security Notes
When a user changes their password, all "Remember Me" sessions across all their devices are automatically expired, requiring fresh login on each device
This ensures that password changes immediately secure all access points
reCAPTCHA / "I'm Not a Robot"
Google reCAPTCHA serves as our primary defense against automated attacks and is one of the most effective tools for preventing unauthorized access attempts.
How It Protects Your Site
Prevents brute force attacks where hackers use automated scripts to try thousands of username/password combinations
Distinguishes between legitimate human users and malicious bots
Provides an additional security layer that's nearly impossible for automated systems to bypass
User Experience
In most cases, users simply need to click the "I'm not a robot" checkbox
Occasionally, users may be asked to complete an additional verification, such as selecting images containing specific objects
The system is designed to be easy for humans while remaining challenging for automated scripts
Configuration Options
For Employees: reCAPTCHA is always enabled and cannot be disabled due to the critical nature of administrative access
For Customers: This can be optionally disabled through the Login Security settings screen (though we strongly recommend keeping it enabled)
If you have specific business requirements that conflict with employee reCAPTCHA requirements, please contact SoftSlate support to discuss alternatives
"Forgot Your Password?" Process
The password recovery system provides a secure way for users to regain access to their accounts when they've forgotten their credentials.
How Password Recovery Works
All users can initiate password recovery through the "Forgot your password?" link available on login forms:
When users submit their email address, the system automatically sends them a secure password reset link containing a unique, time-limited token that allows them to safely reset their password without compromising security.
For security, the link is only valid for a set period of time. If the time period expires, all they have to do is request a new link.
Password Rules
By default, the only requirement for Customer passwords is that they be at least eight characters long, but in the Administrator interface, additional requirements can be added to enhance security (i.e., make it harder for hackers to guess a password).
The Login Security Settings screen in the administrator allows admins to adjust the password rules for Customers.
Among the rules that may be defined are:
Minimum password length (eight by default for Customers)
Whether the password must contain at least one letter and one number (default false for Customers)
Whether the password must contain at least one uppercase letter and one lowercase letter (default false for Customers)
Whether the password must contain at least one “special” character (default false for Customers)
NOTE: For Employee logins, the minimum password length is also eight, but all of the other above rules are in effect. If you have a valid reason why the rules should be relaxed for Employees, contact SoftSlate support.
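As an added illustration (not SoftSlate's own code), the following shows how the four configurable rules above combine into one validator, with the Customer defaults and the stricter Employee rule set side by side. What counts as a "special" character is not defined on the page, so the example assumes any character that is neither a letter nor a digit.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordRules:
    """One set of rules as configured on the Login Security Settings screen.

    Field defaults are the Customer defaults described above: only the
    eight-character minimum is enforced.
    """
    min_length: int = 8
    require_letter_and_number: bool = False
    require_upper_and_lower: bool = False
    require_special: bool = False


CUSTOMER_DEFAULT_RULES = PasswordRules()

# Employees: same minimum length, but every other rule is in effect.
EMPLOYEE_RULES = PasswordRules(
    min_length=8,
    require_letter_and_number=True,
    require_upper_and_lower=True,
    require_special=True,
)


def validate_password(password: str, rules: PasswordRules) -> List[str]:
    """Return every rule the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < rules.min_length:
        problems.append(f"must be at least {rules.min_length} characters long")
    if rules.require_letter_and_number and not (
        re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)
    ):
        problems.append("must contain at least one letter and one number")
    if rules.require_upper_and_lower and not (
        re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
    ):
        problems.append("must contain at least one uppercase and one lowercase letter")
    # Assumption: a "special" character is anything that is not a letter or digit.
    if rules.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain at least one special character")
    return problems
```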
Lockouts After Repeated Failed Logins
By default, both Customers and Employees will be locked out of their accounts if they make repeated attempts to log in with bad passwords. This is an important security mechanism that prevents an attacker from discovering a user's password by repeated guessing.
By default, Customers will be locked out for 30 minutes following five failed logins in a row. These parameters can be changed for Customers in the Administrator on the above Login Security Settings screen.
Employees will also be locked out for 30 minutes following five failed logins in a row. If you have a valid reason why this rule should be relaxed for Employees, contact SoftSlate support.
Unlocking a User Who Was Locked Out
If a user is having trouble logging in, an Employee with the appropriate permissions can unlock the user's account so they don't have to wait for the full lockout period to be over.
If a Customer is locked out, find their customer record from the Customers grid (/administrator/Customer). Click into Details and empty out the Locked Out Until field.
Click Save Changes. The Customer should be able to log in now without waiting for the lockout period to end.
For Employees who are locked out, the process is very similar. Find the Employee record and empty out their Locked Out Until field. You must have Superuser or Employee Edit permissions to edit Employees.
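The lockout and unlock behaviour described in the two sections above, as an added example that is not part of the platform's code: five consecutive failures set a "Locked Out Until" timestamp 30 minutes ahead, every login (even with the right password) is refused until then, and an administrator clears the field to let the user in immediately. The account record and the sample instant `T0` are constructed for the example, and the password is held in the clear only to keep it short.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Defaults described above, shared by Customers and Employees.
LOCKOUT_THRESHOLD = 5                    # failed logins in a row
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed sample instant used when exercising the functions below.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    # Kept in the clear only to keep the example short; a real store holds
    # a salted password hash and compares against that instead.
    password: str
    failed_attempts: int = 0
    locked_out_until: Optional[datetime] = None   # the "Locked Out Until" field


def is_locked_out(acct: Account, now: datetime) -> bool:
    return acct.locked_out_until is not None and now < acct.locked_out_until


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return "ok", "bad_password" or "locked_out", updating the account state."""
    if is_locked_out(acct, now):
        # Even the correct password is refused until the lockout expires.
        return "locked_out"
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_out_until = now + LOCKOUT_DURATION
            acct.failed_attempts = 0
            return "locked_out"
        return "bad_password"
    acct.failed_attempts = 0             # a success ends the run of failures
    return "ok"


def admin_unlock(acct: Account) -> None:
    """Equivalent of emptying "Locked Out Until" and saving: the user may log in at once."""
    acct.locked_out_until = None
    acct.failed_attempts = 0
```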
Password Expirations
The system also supports the notion of expiring passwords, where the user is forced to change their password after a set period of time. This feature is turned off by default for Customers, but it may be enabled on the above Login Security Settings screen. To enable it, adjust the "Password Expiration Duration In Days" setting to something larger than 0. For example, setting the value to 365 will require Customers to change their password every year.
This feature is turned on for Employees, and the duration for passwords is set to 180 days. After 180 days, the next time the Employee logs in, they will be prompted to change their password. If you have a valid reason why this rule should be relaxed for Employees, contact SoftSlate support.
Reusing Previous Passwords
Customers may also be prevented from reusing a previous password when they change their password. This feature is disabled by default for Customers, but it may be enabled on the Login Security Settings screen. Simply adjust the "Number of Previous Passwords To Check" to something greater than 0. When it is enabled, each time a Customer changes their password the system will first check to make sure it is not the same as one of the previous x passwords, where x is the value of that setting.
By default, this feature is in effect for Employees, and set to five previous passwords that will be checked. If you have a valid reason why this rule should be relaxed for Employees, contact SoftSlate support.
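The two settings described in the Password Expirations and Reusing Previous Passwords sections, as an added example that is not the platform's code: a value of 0 turns each check off, and the Employee defaults (180 days, five previous passwords) are shown as constants. The layout of the password history (most recent first) and the SHA-256 stand-in for the platform's real password hashing are assumptions of the example; `CHANGED_AT` and `DAY` are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import List

# Employee defaults described above; Customers default to 0 (both features off).
EMPLOYEE_EXPIRATION_DAYS = 180
EMPLOYEE_PREVIOUS_TO_CHECK = 5

# Constructed sample values for exercising the checks below.
CHANGED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


def password_expired(last_changed: datetime, now: datetime, expiration_days: int) -> bool:
    """'Password Expiration Duration In Days': 0 (or less) turns the check off."""
    if expiration_days <= 0:
        return False
    return now - last_changed >= timedelta(days=expiration_days)


def _digest(password: str) -> str:
    # Stand-in for the platform's real password hashing (not described on the page);
    # production systems use a salted, slow hash such as bcrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def change_password(history: List[str], new_password: str, previous_to_check: int) -> List[str]:
    """Apply 'Number of Previous Passwords To Check' and return the updated history.

    history[0] is the digest of the current password, history[1] the one before it,
    and so on (assumed layout). A setting of 0 turns the reuse check off.
    """
    new_digest = _digest(new_password)
    if previous_to_check > 0:
        for old in history[:previous_to_check]:
            if hmac.compare_digest(old, new_digest):
                raise ValueError(
                    "new password matches one of the previous %d passwords" % previous_to_check
                )
    return [new_digest] + history
```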
Restricting Logins for Specific Users to Specific IP Addresses
In many cases, the location of the users accessing the system is known ahead of time. It may be that an Employee always logs in either from home or from an office location. To restrict access further, it is possible to define the list of legitimate IP addresses each user is allowed to log in from. This can be done for both Customers and Employees in the Administrator application.
To restrict a specific user to specific IP addresses, simply find their record in the Administrator (under Customers or Employees) and add the list of legitimate IP addresses to the "Allowed Ip Addresses" field.
The field accepts a comma-separated list of IP addresses. The next time the user logs in, the system will check the IP address they are logging in from against the list. If it is not contained in the list, the login will be refused.
To disable this feature, simply empty out the "Allowed Ip Addresses" field. An empty field tells the system to allow logins from any IP address.
Google Sign-In
The platform supports customer logins and registrations using Google Sign-In. This can be much more convenient for customers since they don't have to create a new password. This feature is turned off by default. For more information, visit this section of the Customer Account Features page: https://cloud.softslate.com/content/Customer_Account_Features#registration-and-login-with-google-sign-in.
It's important to note that when a customer signs in via Google, none of the above security features take effect for their account. Lockouts, password expirations, password rules and so on are all managed by Google. If you wish to leverage the above features for customers, you should keep Google Sign-In turned off.