Security configurations in Citizen Space

There are a number of security features in Citizen Space and some are configurable to meet your organisation's requirements. This article details what some of those features are and the options available.

Configurable password policy

We can set:

  • Minimum character limits
  • For the password to require certain characters
  • And for it to avoid specific words (such as 'password')

We can also configure the on-screen help text and the validation-error message text to meet what you'd like it to say. If you'd like to have a specific password policy applied, have a read of our more detailed article about it then get in touch with your customer success manager to let them know the password policy you would like set up on your site.

2-Factor Authentication (2FA)

We can enable this on your site, which will give all admin users the option to turn on 2FA for their user account. There is also the option to have it required for all admin users which will mean that all users will have to enable it at their next log in.

2-Factor Authentication in Citizen Space uses the industry standard of time-based, one-time passcodes (also known as TOTP or OTP), and if it's enabled on your site and on a user's profile, will require the user to enter their email address and password, followed by a new passcode from their authenticator app or device each time they log in.

As 2FA requires a separate app or device to authenticate the log in process, enabling this on your site does need support from your organisation to provide your users with the means of authentication and the support and guidance to use the authenticator you have provided.

Enabling 2FA automatically enables log in back-off on your site if it is not already in place (see the log in back-off section for more info). It will also provide an extra column in your ‘Users’ export, showing which users have enabled 2FA and which have not.

Here is our guide to setting up and using 2-Factor Authentication.

Log in back-off:

This is a security setting which should allow genuine users into Citizen Space, but helps in preventing brute force attacks on the log in page. It allows us to set the number of consecutive attempts which can be made at logging in to your site and, once those are used up, there is a set back-off period between each further log in attempt. 

This is on by default for all sites on deployment, to the following settings:

After 7 initial attempts, a back-off of 5 minutes before the next log in attempt is allowed, then 10 minutes for the one after that, then 60 minutes, then 360 minutes, then 1440 minutes.

In this example, every ongoing attempt after that final one will have a 1440 minute wait between them.

If you would like to configure this with different settings, get in touch with your customer success manager to let them know:

  1. How many consecutive initial attempts should be allowed to be made at log in on your site
  2. What time blocks (in minutes) you want us to apply between each further log in attempt

Things to know:

If one of your genuine users hits the back-off limit, they can use the 'forgotten password' link to reset their password, which will then allow them to log in once they've used the password reset link correctly.

If back-off is enabled then it will also alert a user via email if a back-off limit has been hit using their email address, this email will also tell them when they are next able to log in. If it wasn't them trying to get in, then it serves as a prompt for them to take preventative action such as resetting their password.

The back-off will only apply if a correct user email address has been used, so - for security - no message appears on screen when a back-off has been hit, only the notification email mentioned above is sent.

Users who are getting their email address wrong won't experience a back-off limit. Citizen Space shows the message "Sorry, log in failed. Your email address and password are both case sensitive, please check that caps lock is off" for any attempt involving an incorrect email address or password.

Security email notifications

We've built some additional notifications into Citizen Space to let users know when security events occur on their account. These will notify admin account holders when:

  • The log in back-off has been triggered for their account 
  • Their password or email address has been changed on their Citizen Space profile

Should other people in the organisation need oversight on these events across the site, too, we can add additional recipients so they will receive these emails as well as the account holder.

Get in touch with your customer success manager if you would like these notifications enabled and if you have any other colleagues who may need to receive them as well.

Password reset date on export

There is now an additional column on the Users export which has the date and time each user's password was last reset. This allows site administrators to have oversight on when passwords are being changed and how frequently. It allows greater control should you have a password rotation policy you wish to enforce.

If the field for password reset date is blank it means the user last reset it before June 2018, (when this new column first appeared on the 'Users' export), so dates will only be included in the field when users begin changing their passwords after that point. 

Session length

A session is a single, ongoing length of time a user spends logged into Citizen Space. For example, a session starts when you log into Citizen Space and ends when you log out again.

For security reasons, the length of time Citizen Space will keep a user logged in after their last activity is restricted, so if they leave their session open (their user profile logged in) but don't do anything on the site then after a while the site will log them out automatically. On Citizen Space, the default length of time a session remains open after last activity is 10 hours, after which the site will automatically log the user out.

This length of time can be configured lower or higher within set parameters, and if you'd like to alter this then please contact your customer success manager.