
Security Tab

About the Security Tab

Attention: You are now reading about a premium feature. If you do not have access and would like to purchase access or receive a demo, contact your Account Executive.

All Qualtrics data and brands are protected with the utmost care. However, sometimes you may want additional security settings, such as the ability to track which users are logged in, add more requirements to passwords, modify how many failed logins lead to an account lockout, and so much more.

If you have purchased the Enterprise Security Package, Brand Administrators can access all these settings and more by going to the Admin page and selecting Security.

Choosing admin from the top-level navigation in the top-left of every page of the website

Security tab on the upper-right Admin page

Security Settings

Security Settings is the first section under the Security tab.

Security Settings button in the upper-left of the Security tab

Allow Proxy Logins

Allow proxy logins in the Authentication section

Proxy logins allow Brand Admins or higher privileged accounts to log into different user accounts on this brand through the Users tab. Deselecting Allow Proxy Logins prevents any Brand Admin or support rep from logging directly into a user’s account.

Attention: Brand Admins can access content in the entire brand, but disabling the Allow Proxy Logins permission will prevent Brand Administrators from acting on behalf of another user.

Enable Two-factor Authentication

Enable two-factor Authentication in the Authentication section

When you select Enable Two-factor Authentication, users must provide a verification code after providing their username and password in order to log in. Users can set a preferred method of receiving this code – for example, through email or an authentication app on their phone.

Qtip: This option is disabled for brands with SSO. To use a two-factor authentication process, your SSO team must set it up.

On next login, users will go through the enrollment process where they set up their preferred verification method.

The login screen goes to a section called Two-Step Verification and makes you choose from an option before continuing

Users will also receive an email with backup codes, which serve as a recovery option if they lose access to their verification method. If a user needs to reset their backup codes or reconfigure their two-factor authentication setup, they can do so from their User Settings.

Image of the regenerate button for regenerating backup codes in account settings

Once the setup is complete, future logins for that user will use the two-factor authentication process.

On the left, the QR code that goes with a verification app; on the right, the field for the code sent in an email

Users can personally select from a number of authenticator apps, including Google Authenticator, Duo Mobile, and Authy.

Minimum Password Requirements

Fields where you fill out the minimum password requirements

You can customize the requirements of passwords created in your brand. When you leave a field blank, that means that feature is not required in the password. The above example shows the default password requirements.

Attention: Changes made here will apply to all users in your brand. If a user’s password does not fulfill the new requirements, they will be prompted to change their password the next time they try to log in.
Qtip: There are settings for password expiration under the Organization Settings tab.

User Sessions

User sessions settings

  1. Minutes of inactivity until automatic logout: Determine how long someone can be in their account, not navigating pages or making edits, before they are logged out. This can be helpful so that accounts left open on idle screens cannot be accessed by passersby.
    Qtip: The default session timeout is 60 minutes without user activity.
  2. Maximum Concurrent Sessions Per User: Determine how many people can be active in one account at once. If this number is exceeded, the newest user trying to log in will not be allowed into the account.

Account Lockout

When a user repeatedly gets the username or password to an account wrong, the system will lock them out. This is a feature available on all Qualtrics brands, which ensures that strangers cannot get access to accounts that don’t belong to them.

However, with the Security tab, you can specify more about how this Account Lockout system works.

Account lockout options

  1. Select the number of failed login attempts.
  2. Select the timeframe within which these login attempts occur.
  3. Select how many minutes the account will be locked before it can be logged into again.
Qtip: If a brand does not have the Security tab feature or the Account Lockout settings have not been modified, by default an account will lock a user out for 60 minutes after 10 failed attempts to log in.
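
How the three Account Lockout settings interact, as an added example that is not Qualtrics code: a small Python model that assumes a sliding counting window and that a successful login resets the failure counter, neither of which this page specifies. LockoutPolicy, replay and the BURST and SLOW event lists are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta


class LockoutPolicy:
    """Model of the three settings: failed attempts, timeframe, lock duration."""

    def __init__(self, max_failures, window_minutes, lock_minutes):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        self.lock = timedelta(minutes=lock_minutes)
        self.failures = {}      # username -> deque of recent failure times
        self.locked_until = {}  # username -> time the lock expires

    def attempt(self, user, now, success):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if now < self.locked_until.get(user, datetime.min):
            return "locked"     # rejected even if the password is correct
        recent = self.failures.setdefault(user, deque())
        # Drop failures that have aged out of the counting timeframe.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if success:
            recent.clear()      # assumption: a success resets the counter
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock
            recent.clear()
            return "locked"     # this failure triggered the lockout
        return "failed"


def replay(policy, events):
    """events: (minute_offset, username, success) tuples, in time order."""
    start = datetime(2024, 1, 1, 9, 0)  # constructed start time
    return [policy.attempt(user, start + timedelta(minutes=m), ok)
            for m, user, ok in events]


# Constructed sample events: a quick burst of failures, and failures spaced
# four minutes apart.
BURST = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
         (10, "alice", True), (18, "alice", True)]
SLOW = [(0, "bob", False), (4, "bob", False), (8, "bob", False), (12, "bob", False)]

if __name__ == "__main__":
    print(replay(LockoutPolicy(3, 5, 15), BURST))   # burst locks the account
    print(replay(LockoutPolicy(3, 5, 15), SLOW))    # short timeframe never locks
    print(replay(LockoutPolicy(3, 15, 15), SLOW))   # wider timeframe locks
```

With a short timeframe, widely spaced failures never reach the threshold, so choose the timeframe together with the attempt count and review failed logins in the Activity Logs.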

Disable Inactive Accounts

Sometimes accounts will sit around in a brand for a long time without any use. It can be tedious to keep track of these accounts individually, and you may not necessarily want to set an account expiration date.

Options for disabling inactive accounts

You can choose to disable accounts after a number of predetermined days. Note that disabling an account will not delete it – you, as the brand administrator, can always re-enable the account.

Attention: If you choose to disable inactive accounts, please note that Qualtrics will consistently assess all inactive accounts and automatically disable any account that meets the condition you selected.
Different conditions you can set when automatically disabling inactive accounts

Active Sessions

Active Sessions button in the upper-left of the Security tab

The Active Sessions section will show you all the users currently logged in on your brand, plus identifying information.

If you see an unusual IP Address or Location, you can select the user to view more information, such as the time they logged in and their User ID.

Selecting users and viewing session info

If the account activity looks suspicious or you would like to force the user to log out for any reason, click End Session.

Activity Logs

Activity Logs section of the Security tab

In the Activity Logs section, you can view various actions that have taken place within the brand.

A list of login activity, with timestamps and usernames

For every entry, you will be able to see an Event Type, Date, Activity, Username of the account it happened to, the IP Address where this activity took place, and a Session ID.

There are two different event types, Information and Security:

  • Information is for a standard event, such as a user successfully logging in or resetting their password.
  • Security is for an event that might be a security concern, such as a failed login or a login at an abnormal time.

In the activity log, multiple events with the red security warning

You can filter your events by Time Range, Activity Type, or by typing in a particular username you’re interested in.

Activity Type

There are several types of activity you can filter by.

Activity types dropdown menu expanded to show options

  • Logins: View regular, proxy, SSO, and Failed logins. To determine whether the login was a proxy or not, click on a user and view the information to the right. Proxy Login will have a value of True. To see more about the proxy login, click Proxy Details.
    Selecting a login session and opening a menu to the right
  • Password Changes: Any time a user changes their own password in the Account Settings page.
  • Password Resets: Whenever a password is reset. This includes users choosing Forgot Your Password? on the login page, Brand Admins sending password resets, or the user having to change their password because the password expired or you set new minimum requirements.
  • Session Creations: Any time an account is logged into, thus creating a new session. This is different from Logins because it doesn’t count failures or allow you to check for proxies. If you click a user, it will show when the session ended.
    Selecting a session creation and opening a menu to the right
  • Session Terminations: Every time a session terminates, either because a user logged out or an administrator forced them to. To see which, click the termination and look at the Reason field.
    Selecting a session termination and opening a menu to the right
  • Users: Any time a user is created or deleted. Event Type will be Deleted for deleted users. Click a user for more information, such as their username before they were terminated.
    Selecting a user log and opening a menu to the right