Security Settings (QSC)

About Security Settings

Qualtrics Social Connect gives you various features that enable you to make sure your account meets your company’s security standards.

To manage your security settings, navigate to the Security section of Account settings.

User Security Overview

The top of the Security settings page displays metrics about the overall security of users in your organization:

• Two-factor authentication: If two-factor authentication is enabled, an alert will appear telling you how many users in your organization have yet to set up two-factor authentication for their accounts.
• Overall security score: An overall score for how secure your organization is. You can increase your security score by increasing the number of users with strong passwords and by enabling two-factor authentication.
• Users with safe passwords: The percentage of users who have a strong password. See Password Requirements for more information about strong passwords.
• Weak passwords: If any users in your organization have weak passwords, they will be listed here. Click the Inform button next to a user to send them a notification that they should update their password to a stronger one.

Password Requirements

New passwords must meet the following requirements:

• length of 8 characters
• Passwords should contain at least one lowercase character like ‘a’
• Passwords should contain at least one uppercase character like ‘A’
• Passwords should contain at least one special character. Note that you must choose between ! $ ( ) _ [ ] * – @
• Passwords should contain at least one number like ‘0’, ‘1’, … ‘9’

In addition to these base requirements, account administrators can choose how often users need to reset their password and can put controls on how complex the password can be. The Passwords section of Security settings contains the following settings:

• Require users to change their password: Choose how often you want users to change their password. Your options include never, every quarter, every month, and every week. Users will receive an email notification when their password is almost expired.
• Don’t allow users to re-use an old password for: Choose how long you want to prevent users from reusing an old password. You can choose 1, 2, or 3 years.
• Lock user’s account after x failed login attempts: Choose after how many failed login attempts a user’s account should be locked. Your options include 10, 5, and 3 attempts.
  Qtip: Once locked, a user won’t be able to login until an account administrator unlocks their account.
• Enforce strong passwords: When enabled, users must create a “strong” or “very strong” password. This option prevents users from creating a password that contains their name, email, account name, “engagor,” or any other commonly used passwords, like “password.”

Devices Settings

The Devices section of Security settings allows you to control the different devices that your users may use to access Social Connect.

The settings in this section include:

• Limit number of devices in the last 24 hours: Control how many different devices a user can use to access Social Connect within a 24 hour period. You can choose to disable this setting by choosing No, or select a number of devices, either 2, 3, 4, 5, or 10.
• Require 2FA when logging in from a new device: If two-factor authentication is enabled for your account, this setting controls if users must perform two-factor authentication when logging in with a new device.

Sessions Settings

The Sessions section of Security settings allows you to control how long users stay logged in and how often they must use two-factor authentication.

The settings in this section include:

• Require 2FA on each log in: If two-factor authentication is enabled for your account, you can choose if users must perform two-factor authentication every time they log in to Social Connect.
• Sign user out after x minutes of inactivity: Automatically log the user out if they’re inactive for a certain amount of time. Your options include No (do not log users out), 15 minutes, 30 minutes, 1 hour, and 1 hour 30 minutes.

Advanced Settings

The Advanced section of Security settings allows you to set granular controls on access to your organization.

The options in this section include:

• Allowed IP addresses: Include a comma or semicolon separated list of valid IP addresses that can access your account. You can add a range of IP addresses using CIDR notation. Users with a different IP will not be able to access the account until the IP address matches one listed here.
• Allowed email domains: Include a comma or semicolon separated list of valid email domains for users who can be invited to your account.
• Allow to publish links to these domains: Include a comma or semicolon separated list of the domains that you want to be available to use in links in messages. If no domains are listed here, then any domain can be used in links.

Audit Log

The Audit log section of the Security tab allows you to view different security events for users in your license.

The events that can appear on this page include:

• Password reset requests
• Password changes
• Successful logins
• Failed logins
• A user is locked or unlocked
• The organization’s security settings were changed

You can filter the events that are displayed on this page by using the filters at the top of the page. You can filter on both the type of event and by the user who triggered the event. Click Filter to apply your selections, or click Reset to return to an unfiltered view.