Managing login security

Trimble Web Products provides several options for managing how usernames or passwords are changed or reset. You can create a template for the e-mail message that is sent to users when they forget their password and request that it be reset.

You can also change the standard security questions that users must select and answer when they register as a new user or when they have forgotten their username.

You can prevent users from ever changing their passwords, or require them to change their passwords at regular intervals. You can also require passwords that have a minimum length or a mix of character types. For example, you can specify that passwords must be at least eight characters long, and must contain at least one number and at least one non-alphanumeric character, such as & or #.

Managing the login security questions

When a user forgets their user name, a security question is presented. After one question is answered correctly, no further questions will appear. If the user cannot correctly answer at least one security question, they must contact an administrator to have their password reset.

Three sets of standard security questions are provided. This allows users to select up to three security questions and answers. If you do not want to accept the standard set of questions, you can change them by following these procedures.

Adding a security question

To add your own security question, follow these steps.

Go to Menu > Security > Work With Users > Manage Security Questions.
The Manage Security Questions page opens.
From the Question Section list, select the set of questions to which the new question should belong.
In the Question text box, enter the question.
In the Question Sequence box, type a number or character representing its position in the Active Questions list.
- You can use alpha characters to sequence the questions in the list (A, B, C).
- When using numbers for sequence identifiers, use a two-character number to correctly display 10 or more questions (01, 02, 03…10, 11, 12).
- If no sequence identifier is used, or if multiple questions have the same sequence identifier, questions with the same sequence identifier will appear in alphabetical order.
Click Add.
The question appears in the Active Questions list.
Repeat Steps 2 through 5 for each new question.

Changing the order of security questions

To change the sequence order of an active security question within its Question Section, follow these steps.

Go to Menu > Security > Work With Users > Manage Security Questions.
The Manage Security Questions page opens.
From the Question Section field, select the set to which the question belongs.
In the Active Questions field, select the question you want to change.
Click Modify.
In the Question Sequence field, change the sequence identifier.
- You can use alpha characters to sequence the questions in the list (A, B, C).
- When using numbers for sequence identifiers, use a two-character number to correctly display 10 or more questions (01, 02, 03,…10, 11, 12).
- If no sequence identifier is used, or if multiple questions have the same sequence identifier, the questions with the same sequence identifier will appear in alphabetical order.
Click Update.

Deactivating a question

To temporarily remove a security question from the list of choices, follow these steps. Deactivating a question does not affect a user who has already selected the question.

Go to Menu > Security > Work With Users > Manage Security Questions.
The Manage Security Questions page opens.
From the Question Section field, select the set to which the question belongs.
In the Active Questions field, select the question that you want to deactivate.
Click Deactivate.
The question appears in the Deactivated Questions section.

Reactivating an inactive question

To reactivate a previously deactivated security question, follow these steps.

Go to Menu > Security > Work With Users > Manage Security Questions.
The Manage Security Questions page opens.
From the Question Section field, select the set to which the question belongs.
In the Deactivated Questions section, select the question that you want to reactivate.
Click Activate.
The question appears in the Active Questions section.

Deleting a question

To delete a security question that you no longer want to use, follow these steps. You cannot delete a question that has been selected by a user on their My Profile page.

Go to Menu > Security > Work With Users > Manage Security Questions.
The Manage Security Questions page opens.
From the Question Section field, select the set to which the question belongs.
From the Deactivated Questions section, select the question you want to delete.

Note: You cannot delete an active question. You must deactivate a question before you can delete it.
Click Delete.
The question is removed from the Deactivated Questions section.

Defining password requirements

First available in Trimble Web Products 2015.3

By default, a Trimble Web Products password must be at least seven characters long. It must contain at least one non-alphanumeric character, such as @ or #. You can change these requirements, forcing users to create more complex and secure passwords. If their password does not conform to one or more requirements, a message will appear prompting them to create a new password.

To define these requirements for your system, follow these steps.

Go to Menu > Configuration > Settings Manager.
The Settings Manager page opens.
Verify [Global Settings] is the value in the Role field.
You must be in Global Settings mode to edit this setting.
Click these tabs: General > Core > Login Info.

In the Password Options section, make changes in the following fields.

Field	Definition
Password Required Length	Minimum length required for the password
Password Require Symbol Character	Select this checkbox to require users to include at least one non-alphanumeric character in their password
Password Require Numeric Character	Select this checkbox to require users to include at least one numeric character in their password
Password Require Lowercase	Select this checkbox to require users to include at least one lowercase alphabetic character in their password
Password Require Uppercase	Select this checkbox to require users to include at least one uppercase alphabetic character in their password

Field

Definition

Password Required Length

Minimum length required for the password

Password Require Symbol Character

Select this checkbox to require users to include at least one non-alphanumeric character in their password

Password Require Numeric Character

Select this checkbox to require users to include at least one numeric character in their password

Password Require Lowercase

Select this checkbox to require users to include at least one lowercase alphabetic character in their password

Password Require Uppercase

Select this checkbox to require users to include at least one uppercase alphabetic character in their password

Click Save.
A message appears at the top of the page, stating your settings were saved successfully.

Setting up the reset password feature

When users have forgotten their password and request it be reset, the system sends them an e-mail message. The message contains a hyperlink to the Reset Password page. The hyperlink includes a system-generated token, which makes it valid for only a short time, usually 15 minutes. You can change the time allowed before the link expires, and customize the e-mail message that is sent to the user.

By default, a user gets five chances to log in successfully. If their login attempts are all unsuccessful, the system locks them out for a specified period of time. The default wait time is 15 minutes.

Changing the e-mail response to a password reset request

To modify the default e-mail message that is sent to users when they request their password to be reset, follow these steps.

Go to Menu > Security > Work With Users > Manage Password Email.
The Manage Password Email page opens.
Enter or revise the e-mail message text.
1. In the Subject text box, change the default title of the password e-mail message.
2. Use the inline editing tools to format the subject line.

Enter or revise the body text for the e-mail message.

In the Body text box, enter or revise the default text.

Notes:

A variable is a system code that looks to specific data on the server. The generated message replaces the code with the specific data element.

The message in the Body text box must include the [$resetLink$]?[$resetTokenParamName$]=[$resetToken$] codes.

These variables are also used:

[$fname$]

Inserts the user’s first name

[$lname$]

Inserts the user’s last name

[$name$]

Inserts the user’s full name

[$uid$]

Inserts the user’s Trimble Web Products user name (ID)

Use the inline editing tools to format what you typed into the text box.

Click Save.

Changing the time allowed before the e-mail token expires

When users forget their password, they can request the password be reset. A message is automatically sent to the e-mail address saved in their User Profile. This message includes a link to the Reset Password page. You can change the number of minutes the link is valid. If they miss the window that the link is valid, they must again request the password be reset.

Go to Menu > Configuration > Settings Manager.
The Settings Manager page opens.
Verify [Global Settings] is the value in the Role field.
You must be in Global Settings mode to edit this setting.
Click these tabs: General > Core > Login Info.
In the Password Options section, in the Password Reset Token Expiration In Minutes field, enter the number of minutes the token is valid.
Click Save.
A message appears at the top of the page, stating your settings were saved successfully.

Specifying lockout parameters

By default, a user gets five chances to log in successfully. If, after five tries, they are still unsuccessful, the system locks them out for a specified period of time. The default wait time is 15 minutes. To change these values, follow these steps.

Go to Menu > Configuration > Settings Manager.
The Settings Manager page opens.
Verify [Global Settings] is the value in the Role field.
You must be in Global Settings mode to edit this setting.
Click these tabs: General > Core > Login Info.
In the Login Options section, in the Attempts Before Lockout field, enter the number of chances the user gets to log in successfully.
In the Lockout Minutes field, enter the number of minutes the user must wait after all login attempts have failed.
Click Save.
A message appears at the top of the page, stating your settings were saved successfully.

Preventing users from changing their password

By default, the system allows users to change their password at any time. You can disable this function, which removes the Change Password option from their user menu.

Go to Menu > Configuration > Settings Manager.
The Settings Manager page opens.
Verify [Global Settings] is the value in the Role field.
You must be in Global Settings mode to edit this setting.
Click these tabs: General > Core > Login Info.
In the Password Options section, clear the Enable Change Password checkbox.
Click Save.
A message appears at the top of the page, stating your settings were saved successfully.

Setting up password expiration

By default, users' passwords never expire. If you want to force them to change their passwords at regular intervals, follow these steps.

If you do not want to force users to change their passwords, leave these fields blank.

Go to Menu > Configuration > Settings Manager.
The Settings Manager page opens.
Verify [Global Settings] is the value in the Role field.
You must be in Global Settings mode to edit these settings.
Click these tabs: General > Core > Login Info.
In the Password Options section, in the Days Before Password Expires field, enter the interval number in days.
In the Password Options section, in the Days Before Password Warns about Expiration field, enter the number of days before the expiration date that you want users to receive a Password Expiration Warning.

Until a user changes their password, they will receive a warning each time they log in.

If the password has already expired, the Change Password page automatically opens when they login. This forces them to change their password before accessing the application.
Click Save.
A message appears at the top of the page, stating your settings were saved successfully.

Setting the page to open after logout

The Alternate Logout Page setting controls the following:

When a person logs out of Trimble Web Products, or the system times out due to lack of activity, the login page is displayed. This setting changes the next page the user sees after logout.
When a person logs back in again, the system defaults to opening the last page they were viewing. This setting opens their default landing page or the identified URL instead.

To change the page that opens when one of these situations occurs, follow these steps.

Go to Menu > Configuration > Settings Manager.
The Settings Manager page opens.
Verify [Global Settings] is the value in the Role field.
Note: You must be in Global Settings mode to edit this setting.
Click these tabs: General > Core > Login Info.
In the Login Options section, in the Alternate Logout Page field, enter the valid absolute URL address of the page.
Click Save.
A message appears at the top of the page, stating your settings were saved successfully.

Note: If the address is not complete or not valid, this message displays: Alternate logout URL must be a valid absolute URL