
Security Tab




About the Security Tab

Attention: You are now reading about a premium feature. If you do not have access and would like to purchase access or receive a demo, contact your Account Executive.

All Qualtrics data and brands are protected with the utmost care. However, sometimes you may want additional security settings, such as the ability to track which users are logged in, add more requirements to passwords, modify how many failed logins lead to an account lockout, and so much more.

If you have purchased the Enterprise Security Package, Brand Administrators can access all these settings and more by going to the Admin page and selecting Security.

Choosing admin from the top-level navigation in the top-left of every page of the website

Security tab on the upper-right Admin page

Security Settings

Security Settings is the first section under the Security tab.

Security Settings button in the upper-left of the Security tab

Allow Proxy Logins

Allow proxy logins in the Authentication section

Proxy logins allow Brand Admins or higher privileged accounts to log into different user accounts on this brand through the Users tab. By deselecting Allow Proxy Logins, you are making it so no Brand Admin or support rep can directly log into a user’s account.

Attention: Brand Admins can access content in the entire brand, but disabling the Allow Proxy Logins permission will prevent Brand Administrators from acting on behalf of another user.

Enable Two-factor Authentication

Enable two-factor Authentication in the Authentication section

When you select Enable Two-factor Authentication, users must provide a verification code after providing their username and password in order to log in. Users can set a preferred method of receiving this code – for example, through email or an authentication app on their phone.

Attention: This option is disabled for brands with SSO. If you would like to set up two-factor authentication with SSO, please reach out to your identity provider.

On next login, users will go through the enrollment process where they set up their preferred verification method.

The login screen goes to a section called Two-Step Verification and makes you choose from an option before continuing

Users will also receive an email with backup codes, which serve as a recovery option if they lose access to their verification method. If a user needs to reset their backup codes or reconfigure their two-factor authentication setup, they can do so from their User Settings.

image of the regenerate button for regenerating backup codes in account settings

Once the setup is complete, future logins for that user will use the two-factor authentication process.

On the left, the QR code that goes with a verification app; on the right, the field for the code sent in an email

Users can personally select from a number of authenticator apps, including Google Authenticator, Duo Mobile, and Authy.

Minimum Password Requirements

Fields where you fill out the minimum password requirements

You can customize the requirements of passwords created in your brand. When you leave a field blank, that means that feature is not required in the password. The above example shows the default password requirements.

Attention: Changes made here will apply to all users in your brand. If a user’s password does not fulfill the new requirements, they will be prompted to change their password the next time they try to log in.
Qtip: There are settings for password expiration under the Organization Settings tab.

User Sessions

User sessions settings

  1. Minutes of inactivity until automatic logout: Determine how long someone can be in their account, not navigating pages or making edits, before they are logged out. This can be helpful so that accounts left open on idle screens cannot be accessed by passersby.
    Qtip: The default session timeout is 60 minutes without user activity.
  2. Maximum Concurrent Sessions Per User: Determine how many people can be active in one account at once. If this number is exceeded, the newest user trying to log in will not be allowed into the account.
    Qtip: The default maximum number of concurrent sessions for all brands is 500.

Account Lockout

When a user repeatedly gets the username or password to an account wrong, the system will lock them out. This is a feature available on all Qualtrics brands, which ensures that strangers cannot get access to accounts that don’t belong to them.

However, with the Security tab, you can specify more about how this Account Lockout system works.

Account lockout options

  1. Select the number of failed login attempts.
  2. Select the timeframe within which these login attempts occur.
  3. Select how many minutes the account will be locked before it can be logged into again.
Qtip: If a brand does not have the Security tab feature or the Account Lockout settings have not been modified, by default an account will lock a user out for 60 minutes after 10 failed attempts to log in.
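
The three lockout settings interact, and a small model makes the effect of the timeframe visible. This Python model is an added example, not Qualtrics code: the 15-minute timeframe, the counter reset on a successful login, and all names are assumptions; only the 10-attempt and 60-minute defaults come from this page.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockoutPolicy:
    max_failures: int = 10     # page default: 10 failed attempts
    window_minutes: int = 15   # ASSUMED: the page states no default timeframe
    lockout_minutes: int = 60  # page default: locked for 60 minutes

@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # minutes of recent failures
    locked_until: Optional[int] = None

def attempt(policy, state, now, password_ok):
    """Model one login at minute `now`; returns ok, failed, locked or refused."""
    if state.locked_until is not None and now < state.locked_until:
        return "refused"                 # locked: the password is not checked
    state.locked_until = None
    if password_ok:
        state.failures.clear()           # ASSUMED: success resets the counter
        return "ok"
    while state.failures and now - state.failures[0] >= policy.window_minutes:
        state.failures.popleft()         # forget failures outside the timeframe
    state.failures.append(now)
    if len(state.failures) >= policy.max_failures:
        state.locked_until = now + policy.lockout_minutes
        state.failures.clear()
        return "locked"                  # this failure triggered the lockout
    return "failed"

def wrong_passwords_checked(policy, interval_minutes, total_minutes=1440):
    """Wrong passwords actually evaluated in `total_minutes` when one arrives
    every `interval_minutes`; lower means the policy is stricter."""
    state, checked = AccountState(), 0
    for now in range(0, total_minutes, interval_minutes):
        if attempt(policy, state, now, False) != "refused":
            checked += 1
    return checked

if __name__ == "__main__":
    for window in (15, 60):
        policy = LockoutPolicy(window_minutes=window)
        print(window, [wrong_passwords_checked(policy, i) for i in (1, 2, 10)])
```

With these assumed numbers, failures spaced two minutes apart never reach 10 inside a 15-minute timeframe, so the lockout never triggers; widening the timeframe to 60 minutes brings it back into play.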

Disable Inactive Accounts

Sometimes accounts will sit around in a brand for a long time without any use. It can be tedious to keep track of these accounts individually, and you may not necessarily want to set an account expiration date.

Options for disabling inactive accounts

You can choose to disable accounts after a number of predetermined days. Note that disabling an account will not delete it – you, as the brand administrator, can always re-enable the account.

Attention: If you choose to disable inactive accounts, please note that Qualtrics will consistently assess all inactive accounts and automatically disable any account that meets the condition you selected.
Different conditions you can set when automatically disabling inactive accounts

Active Sessions

The Active Sessions section will show you all the users currently logged in on your brand, plus identifying information.

Active Sessions button in the upper-left of the Security tab

If you see suspicious account activity or you would like to force a user to log out for any reason, select the user(s) and click End Session. Click End All Sessions to end all active sessions.

To adjust the table format, click the down arrow next to a column and select an action.

options to adjust columns within active sessions table

The available actions are:

  • Pin Column: Pin the column so it cannot be moved. This will also make the column visible while you scroll horizontally.
  • Unpin Column: Unpin a pinned column.
  • Move Column Left: Move the column 1 place to the left.
  • Move Column Right: Move the column 1 place to the right.

You can also hover between columns and drag the column divider to change the width of a column.

cursor appearing between columns to adjust column width

 

Activity Logs

Activity Logs section of the Security tab

In the Activity Logs section, you can view various actions that have taken place within the brand.

A list of login activity, with timestamps and usernames

For every entry, you will be able to see an Event Type, Date, Activity, Username of the account it happened to, the IP Address where this activity took place, and a Session ID.

There are two different event types, Information and Security:

  • Information is for a standard event, such as a user successfully logged in or reset their password.
  • Security is for an event that might be a security concern, such as a failed login or a login at an abnormal time.

in the activity log, multiple events with the red security warning
You can filter your events by Time Range, Activity Type, or by typing in a particular username you’re interested in.

Activity Type

There are several types of activity you can filter by.

Activity types dropdown menu expanded to show options

  • Logins: View regular, proxy, SSO, and Failed logins. To determine whether the login was a proxy or not, click on a user and view the information to the right. Proxy Login will have a value of True. To see more about the proxy login, click Proxy Details.
    Selecting a login session and opening a menu to the right

    Attention: If you do notice a security event in your activity logs, here are some next steps you can take:

    • Anomalous Login Flagged as Security Event: Check on the details of the login event. If proxy login is false, check with the user directly to see if they are familiar with the event. In the case the user isn’t familiar with the event, you can have the user reset their credentials to their Qualtrics account.
    • Anomalous Login Where Proxy Login is True: If you see that proxy login has a value of true, check with the account owner to see if they recognize the login. If the login activity or the Agent details nested within Proxy Details aren’t recognized, please contact Qualtrics Support and we can look into this further.
    • Multiple Anomalous Logins to Same Account: If you’re seeing multiple anomalous logins to a particular account, a possible reason for this could be connected to your organization’s SSO settings. When a session times out, the SAML SSO authentication method will automatically log the user back in and be recorded as a new login event.
  • Password Changes: Any time a user changes their own password in the Account Settings page.
  • Password Resets: Whenever a password is reset. This includes users choosing Forgot Your Password? on the login page, Brand Admins sending password resets, or the user having to change their password because the password expired or you set new minimum requirements.
  • Session Creations: Any time an account is logged into, thus creating a new session. This is different from Logins because it doesn’t count failures or allow you to check for proxies. If you click a user, it will show when the session ended.
    Selecting a session creation and opening a menu to the right
  • Session Terminations: Every time a session terminates, either because a user logged out or an administrator forced them to. To see which, click the termination and look at the Reason field.
    Selecting a session termination and opening a menu to the right
  • Users: Any time a user is created or deleted. Event Type will be Deleted for deleted users. Click a user for more information, such as their username before they were terminated.
    Selecting a user log and opening a menu to the right
  • Organizations: Every time changes are made to the entire brand. This includes changes to the brand type, base URL, expiration date, and brand description. Each change is indicated by the original value and the new value.
    the Update Organization section where changes to a brand's base URL is shown as an example
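
The next steps listed under Logins can be applied consistently across many entries with a short script. This is an added example, not Qualtrics code or a documented export format: the record layout, the Activity values "Login" and "Session Termination", the two-minute gap used to spot SSO re-logins, and the sample entries are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

ASK_USER = "confirm with user; reset credentials if unfamiliar"
ASK_OWNER = "confirm with account owner; contact Qualtrics Support if unrecognized"
CHECK_SSO = "review SSO session-timeout re-logins"

def row(event_type, date, activity, user, ip, sid, proxy=False):
    # Keys mirror the log columns named on this page; the layout is assumed.
    return {"Event Type": event_type, "Date": datetime.fromisoformat(date),
            "Activity": activity, "Username": user, "IP Address": ip,
            "Session ID": sid, "Proxy Login": proxy}

# Constructed sample entries (documentation IP ranges, made-up users).
SAMPLE = [
    row("Information", "2024-05-01T09:00", "Login", "ana", "192.0.2.10", "s1"),
    row("Security", "2024-05-01T03:12", "Login", "ben", "198.51.100.7", "s2"),
    row("Security", "2024-05-01T11:30", "Login", "cy", "203.0.113.5", "s3", True),
    row("Information", "2024-05-01T10:00", "Session Termination", "dee", "192.0.2.44", "s4"),
    row("Security", "2024-05-01T10:01", "Login", "dee", "192.0.2.44", "s5"),
    row("Information", "2024-05-01T11:01", "Session Termination", "dee", "192.0.2.44", "s5"),
    row("Security", "2024-05-01T11:02", "Login", "dee", "192.0.2.44", "s6"),
]

def is_flagged_login(e):
    return e["Event Type"] == "Security" and e["Activity"] == "Login"

def triage(entries, relogin_gap=timedelta(minutes=2)):
    """Return {session_id: next_step} for every Security-type login."""
    repeats = Counter(e["Username"] for e in entries if is_flagged_login(e))
    last_end, steps = {}, {}
    for e in sorted(entries, key=lambda e: e["Date"]):
        user = e["Username"]
        if e["Activity"] == "Session Termination":
            last_end[user] = e["Date"]          # remember when the session ended
        elif is_flagged_login(e):
            ended = last_end.get(user)
            if e["Proxy Login"]:
                steps[e["Session ID"]] = ASK_OWNER
            elif repeats[user] > 1 and ended and e["Date"] - ended <= relogin_gap:
                steps[e["Session ID"]] = CHECK_SSO  # repeated login right after a session end
            else:
                steps[e["Session ID"]] = ASK_USER
    return steps

if __name__ == "__main__":
    for session_id, step in triage(SAMPLE).items():
        print(session_id, "->", step)
```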