About the Security Tab
All Qualtrics data and brands are protected with the utmost care. However, sometimes you may want additional security settings, such as the ability to track which users are logged in, add more requirements to passwords, modify how many failed logins lead to an account lockout, and so much more.
If you have purchased the Enterprise Security Package, Brand Administrators can access all these settings and more by going to the Admin page and selecting Security.
Security Settings is the first section under the Security tab.
Allow Proxy Logins
Proxy logins allow Brand Admins or higher-privileged accounts to log into other user accounts on this brand through the Users tab. By deselecting Allow Proxy Logins, you ensure that no Brand Admin or support representative can log directly into a user’s account.
Enable Two-factor Authentication
When you select Enable Two-factor Authentication, users must provide a verification code after entering their username and password in order to log in. Users can set a preferred method of receiving this code – for example, through email or an authentication app on their phone.
On next login, users will go through the enrollment process where they set up their preferred verification method.
Users will also receive an email with backup codes, which serve as a recovery option if they lose access to their verification method. If a user needs to reset their backup codes or reconfigure their two-factor authentication setup, they can do so from their User Settings.
Once the setup is complete, future logins for that user will use the two-factor authentication process.
Users can personally select from a number of authenticator apps, including Google Authenticator, Duo Mobile, and Authy.
Minimum Password Requirements
You can customize the requirements for passwords created in your brand. A field left blank means that requirement is not enforced. The above example shows the default password requirements.
- Minutes of inactivity until automatic logout: Determine how long someone can be in their account, not navigating pages or making edits, before they are logged out. This can be helpful so that accounts left open on idle screens cannot be accessed by passersby.
Qtip: The default session timeout is 60 minutes without user activity.
- Maximum Concurrent Sessions Per User: Determine how many sessions can be active on one account at once. If this number is exceeded, the newest session attempting to log in will not be allowed into the account.
When a user repeatedly gets the username or password to an account wrong, the system will lock them out. This is a feature available on all Qualtrics brands, which ensures that strangers cannot get access to accounts that don’t belong to them.
However, with the Security tab, you can specify more about how this Account Lockout system works.
- Select the number of failed login attempts.
- Select the timeframe within which these login attempts occur.
- Select how many minutes the account will be locked before it can be logged into again.
Disable Inactive Accounts
Sometimes accounts will sit around in a brand for a long time without any use. It can be tedious to keep track of these accounts individually, and you may not necessarily want to set an account expiration date.
You can choose to disable accounts after a number of predetermined days. Note that disabling an account will not delete it – you, as the brand administrator, can always re-enable the account.
The Active Sessions section will show you all the users currently logged in on your brand, plus identifying information.
If you see an unusual IP Address or Location, you can select the user to view more information, such as the time they logged in and their User ID.
If the account activity looks suspicious or you would like to force the user to log out for any reason, click End Session.
In the Activity Logs section, you can view various actions that have taken place within the brand.
For every entry, you will be able to see an Event Type, Date, Activity, the Username of the affected account, the IP Address where the activity took place, and a Session ID.
There are two different event types, Information and Security:
- Information is for a standard event, such as a user successfully logged in or reset their password.
- Security is for an event that might be a security concern, such as a failed login or a login at an abnormal time.
There are several types of activity you can filter by.
- Logins: View regular, proxy, SSO, and failed logins. To determine whether a login was a proxy login, click on a user and view the information to the right; Proxy Login will have a value of True. To see more about the proxy login, click Proxy Details.
- Password Changes: Any time a user changes their own password in the Account Settings page.
- Password Resets: Whenever a password is reset. This includes users choosing Forgot Your Password? on the login page, Brand Admins sending password resets, or the user having to change their password because the password expired or you set new minimum requirements.
- Session Creations: Any time an account is logged into, thus creating a new session. This is different from Logins because it doesn’t count failures or allow you to check for proxies. If you click a user, it will show when the session ended.
- Session Terminations: Every time a session terminates, either because a user logged out or an administrator forced them to. To see which, click the termination and look at the Reason field.
- Users: Any time a user is created or deleted. Event Type will be Deleted for deleted users. Click a user for more information, such as their username before they were terminated.
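The Account Lockout rule described above (a chosen number of failed attempts inside a chosen timeframe) and the proxy-login flag in the Activity Logs can both be checked offline against an export of the log. The following is an added example, not Qualtrics code: the row layout of the export, the column order, and the lockout values of 5 attempts in 10 minutes are all assumptions for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Columns follow the page's Activity Log fields
# (Event Type, Date, Activity, Username, IP Address, Session ID, Proxy Login);
# the CSV layout itself is an assumption.
SAMPLE_LOG = """\
Security,2024-05-01 09:00:10,Failed Login,alice,203.0.113.5,-,False
Security,2024-05-01 09:00:40,Failed Login,alice,203.0.113.5,-,False
Security,2024-05-01 09:01:05,Failed Login,alice,203.0.113.5,-,False
Security,2024-05-01 09:01:30,Failed Login,alice,203.0.113.5,-,False
Security,2024-05-01 09:02:00,Failed Login,alice,203.0.113.5,-,False
Information,2024-05-01 09:03:00,Login,alice,203.0.113.5,s-1001,False
Security,2024-05-01 10:00:00,Failed Login,bob,198.51.100.9,-,False
Security,2024-05-01 10:40:00,Failed Login,bob,198.51.100.9,-,False
Information,2024-05-01 11:00:00,Login,bob,192.0.2.44,s-1002,True
"""

def parse_log(text):
    """Turn the constructed export into a list of dict rows with parsed dates."""
    rows = []
    for line in text.splitlines():
        event_type, date, activity, user, ip, session, proxy = line.split(",")
        rows.append({"event_type": event_type,
                     "date": datetime.strptime(date, "%Y-%m-%d %H:%M:%S"),
                     "activity": activity, "user": user, "ip": ip,
                     "session": session, "proxy": proxy == "True"})
    return rows

def lockout_triggers(rows, max_attempts=5, window_minutes=10):
    """Return {username: time} for users whose failed logins would trip the
    Account Lockout policy: max_attempts failures inside a sliding window of
    window_minutes. The default values are assumed, not Qualtrics defaults."""
    recent = defaultdict(list)   # per-user timestamps of failures still in the window
    tripped = {}
    for r in sorted(rows, key=lambda r: r["date"]):
        if r["activity"] != "Failed Login":
            continue
        window = recent[r["user"]]
        window.append(r["date"])
        # Discard failures that fell out of the timeframe.
        while r["date"] - window[0] > timedelta(minutes=window_minutes):
            window.pop(0)
        if len(window) >= max_attempts and r["user"] not in tripped:
            tripped[r["user"]] = r["date"]
    return tripped

def proxy_logins(rows):
    """List (username, ip, session) for logins whose Proxy Login value is True."""
    return [(r["user"], r["ip"], r["session"]) for r in rows if r["proxy"]]
```

Running `lockout_triggers(parse_log(SAMPLE_LOG))` flags only alice, whose five failures fall inside two minutes; bob's two failures are 40 minutes apart and never accumulate within the window.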