Authentication Settings Administration

Overview

KrakenHashes provides robust authentication settings to ensure system security. This document covers the configuration of password policies, account security settings, and multi-factor authentication (MFA) options.

Password Policy

The password policy settings define the requirements for user passwords across the system.

Configuration Options

  1. Minimum Password Length
     • Default: 15 characters
     • Must be a positive integer
     • Recommended: at least 15 characters
     • Enforced during password creation and changes

  2. Character Requirements
     • Require Uppercase Letters: When enabled, passwords must contain at least one uppercase letter (A-Z)
     • Require Lowercase Letters: When enabled, passwords must contain at least one lowercase letter (a-z)
     • Require Numbers: When enabled, passwords must contain at least one number (0-9)
     • Require Special Characters: When enabled, passwords must contain at least one special character from the set !@#$%^&*(),.?":{}|<>
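As an added illustration (example code, not KrakenHashes' own implementation), the following Go validator applies the five settings above exactly as the page states them: a rune-counted minimum length and the four ASCII character classes, with the special-character set taken from the list above. The type, field and function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// PasswordPolicy mirrors the five settings on the Authentication Settings page.
// The type and field names are this example's own, not KrakenHashes identifiers.
type PasswordPolicy struct {
	MinLength      int
	RequireUpper   bool
	RequireLower   bool
	RequireNumber  bool
	RequireSpecial bool
}

// specialChars is exactly the set the page lists; note that '-' and ' ' are not in it.
const specialChars = `!@#$%^&*(),.?":{}|<>`

// DefaultPolicy returns the documented defaults: 15 characters, all classes required.
func DefaultPolicy() PasswordPolicy {
	return PasswordPolicy{MinLength: 15, RequireUpper: true, RequireLower: true,
		RequireNumber: true, RequireSpecial: true}
}

// Validate returns every rule the candidate password fails (an empty slice means it
// passes), so the UI can report all problems in one round trip.
func (p PasswordPolicy) Validate(pw string) []string {
	var failures []string

	// Count runes, not bytes: "15 characters" must mean characters, or a short
	// non-ASCII password could pass on byte length alone.
	if n := len([]rune(pw)); n < p.MinLength {
		failures = append(failures, fmt.Sprintf("must be at least %d characters (got %d)", p.MinLength, n))
	}

	// Character classes are the ASCII ranges the page states.
	var upper, lower, number, special bool
	for _, r := range pw {
		switch {
		case r >= 'A' && r <= 'Z':
			upper = true
		case r >= 'a' && r <= 'z':
			lower = true
		case r >= '0' && r <= '9':
			number = true
		case strings.ContainsRune(specialChars, r):
			special = true
		}
	}
	if p.RequireUpper && !upper {
		failures = append(failures, "must contain an uppercase letter (A-Z)")
	}
	if p.RequireLower && !lower {
		failures = append(failures, "must contain a lowercase letter (a-z)")
	}
	if p.RequireNumber && !number {
		failures = append(failures, "must contain a number (0-9)")
	}
	if p.RequireSpecial && !special {
		failures = append(failures, "must contain one of "+specialChars)
	}
	return failures
}

func main() {
	p := DefaultPolicy()
	for _, pw := range []string{"Tr0ub4dor&3", "Correct-Horse-Battery-Staple-9", "Correct Horse Battery Staple 9!"} {
		fmt.Printf("%q -> %v\n", pw, p.Validate(pw))
	}
}
```

Two details matter in practice: length is counted in runes, so a 12-character password that happens to be 16 bytes in UTF-8 still fails a 15-character minimum; and the special-character set is closed, so a hyphen or a space does not count, which is worth spelling out in the user-facing requirements.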

Best Practices

  • Enable character requirements if your policy calls for them, but note that NIST SP 800-63B recommends against mandatory composition rules in favour of length and screening against breached-password lists, so weigh them against usability
  • Balance security with usability when setting minimum length; length does more for guessing resistance than any single character class
  • Consider industry standards (NIST SP 800-63B, OWASP Authentication Cheat Sheet) when configuring
  • Document password requirements clearly for users, including the exact special-character set accepted

Account Security

Account security settings manage login attempts, session duration, and security notifications.

Configuration Options

  1. Maximum Failed Login Attempts
     • Default: 5 attempts
     • Defines how many failed login attempts are allowed before account lockout
     • Must be a positive integer
     • Recommended range: 3-5 attempts

  2. Account Lockout Duration
     • Default: 60 minutes
     • Duration in minutes before a locked account is automatically unlocked
     • Must be a positive integer
     • Affects accounts locked due to exceeded login attempts

  3. JWT Token Expiry (Sliding Window Sessions)
     • Default: 60 minutes
     • Base duration for authentication sessions
     • Sliding Window Behavior: Sessions automatically extend while the user is actively using the system. The session refreshes after ⅓ of the session time (e.g., 20 minutes for a 60-minute session) when the user performs actions such as navigating between pages.
     • Activity-Based Extension: Only actual user actions trigger session extension. Background polling, auto-refresh, and SSE streams do not extend the session.
     • Grace Period: When a session refreshes, the old token remains valid for 5 minutes to handle concurrent requests from multiple browser tabs.
     • If the user remains idle for the full session duration, they must re-authenticate
     • Balances security with user convenience

  4. Notification Aggregation Interval
     • Default: 60 minutes
     • How often to aggregate and send security notifications
     • Prevents notification fatigue while maintaining awareness
     • Groups similar security events within the interval
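To make the lockout and sliding-window rules above concrete, here is an added Go example (not code from KrakenHashes) that models both: a per-account failure counter with automatic unlock after the lockout duration, and a token store that rotates the token after one third of the lifetime only on user actions, keeps the superseded token alive for the 5-minute grace period, and forces re-authentication once the lifetime has elapsed. All type, field and function names are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// LockoutPolicy: Maximum Failed Login Attempts and Account Lockout Duration. All names here are illustrative.
type LockoutPolicy struct {
	MaxAttempts int           // default 5
	Duration    time.Duration // default 60 minutes
}

type AccountState struct { // per-account counter the server would persist
	Failed      int
	LockedUntil time.Time // zero while not locked
}

// IsLocked reports whether the account is locked at now; an elapsed lock is cleared (automatic unlock).
func (p LockoutPolicy) IsLocked(st *AccountState, now time.Time) bool {
	if st.LockedUntil.IsZero() {
		return false
	}
	if now.Before(st.LockedUntil) {
		return true
	}
	st.LockedUntil, st.Failed = time.Time{}, 0
	return false
}

// RecordFailure counts one failed login; the MaxAttempts-th locks. Failures while locked cannot extend the lock.
func (p LockoutPolicy) RecordFailure(st *AccountState, now time.Time) {
	if p.IsLocked(st, now) {
		return
	}
	st.Failed++
	if st.Failed >= p.MaxAttempts {
		st.LockedUntil = now.Add(p.Duration)
	}
}

// SessionPolicy: JWT Token Expiry plus the fixed 5-minute grace period.
type SessionPolicy struct {
	Lifetime time.Duration // default 60 minutes
	Grace    time.Duration // how long a superseded token stays valid
}

type Session struct { // stands in for one issued JWT
	ID                              string
	IssuedAt, ExpiresAt, GraceUntil time.Time // GraceUntil is set once a refresh replaced this token
}

type SessionStore struct {
	policy   SessionPolicy
	sessions map[string]*Session
}

var ErrReauthenticate = errors.New("session expired: re-authenticate")

func NewSessionStore(p SessionPolicy) *SessionStore {
	return &SessionStore{policy: p, sessions: map[string]*Session{}}
}

// Login issues a fresh session valid for the full lifetime.
func (s *SessionStore) Login(now time.Time) *Session {
	sess := &Session{ID: fmt.Sprintf("tok-%d", len(s.sessions)+1), IssuedAt: now, ExpiresAt: now.Add(s.policy.Lifetime)}
	s.sessions[sess.ID] = sess
	return sess
}

// Request checks the token presented with one request and returns the session the client should
// continue with. userAction is true only for real user actions; polling, auto-refresh and SSE pass false.
func (s *SessionStore) Request(id string, now time.Time, userAction bool) (*Session, error) {
	sess, ok := s.sessions[id]
	if !ok || !now.Before(sess.ExpiresAt) {
		return nil, ErrReauthenticate
	}
	if !sess.GraceUntil.IsZero() { // superseded token: honoured only inside the grace window
		if now.Before(sess.GraceUntil) {
			return sess, nil
		}
		return nil, ErrReauthenticate
	}
	// Sliding window: a user action after one third of the lifetime (20 of 60 minutes) rotates the token.
	if userAction && now.Sub(sess.IssuedAt) >= s.policy.Lifetime/3 {
		sess.GraceUntil = now.Add(s.policy.Grace)
		return s.Login(now), nil
	}
	return sess, nil
}

func main() {
	store := NewSessionStore(SessionPolicy{Lifetime: 60 * time.Minute, Grace: 5 * time.Minute})
	s1 := store.Login(time.Now())
	s2, _ := store.Request(s1.ID, s1.IssuedAt.Add(20*time.Minute), true)
	fmt.Println(s1.ID, "rotated to", s2.ID)
}
```

The two security-relevant choices are that failures against an already-locked account do not push the unlock time further out (otherwise an attacker could keep a victim locked indefinitely), and that a superseded token is accepted only until its grace window closes, so a stale tab cannot keep an old token alive past five minutes.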

Best Practices

  • Adjust lockout duration based on your threat model; lockout is also a denial-of-service lever, since anyone who knows a username can lock that account by exhausting its attempts, so pair a short lockout with alerting rather than relying on a long one
  • Consider user experience when setting token expiry
  • Monitor failed login attempts for attack patterns (many usernames with few attempts each indicates password spraying, which per-account lockout does not stop)
  • Review security notifications regularly

Multi-Factor Authentication (MFA) Settings

MFA provides an additional layer of security beyond passwords.

General Settings

  1. Require MFA for All Users
     • Toggle to enforce MFA across all user accounts
     • Email is the default MFA method, so an email provider must be configured before this can be enabled
     • Affects new and existing users

Allowed MFA Methods

The system supports multiple MFA methods:

  1. Email Authentication
     • Sends verification codes to the user's registered email
     • Requires a configured email provider
     • Good balance of security and convenience

  2. Authenticator Apps
     • Compatible with standard TOTP authenticator apps
     • More secure than email-based authentication
     • Works offline once configured
     • Examples: Bitwarden, Google Authenticator, Authy, Microsoft Authenticator

  3. Passkey (WebAuthn/FIDO2)
     • Supports the FIDO2/WebAuthn standard
     • Provides the highest security level (phishing-resistant: the credential is bound to the RP ID and origin)
     • Works with security keys (YubiKey), platform authenticators (Windows Hello, Face ID, Touch ID), and password managers (Bitwarden, 1Password)
     • Requires a WebAuthn-compatible browser and a configured RP ID
     • Note: WebAuthn does NOT support IP addresses as RP IDs; a domain name is required

WebAuthn Configuration

Before users can register passkeys, administrators must configure WebAuthn settings in the Authentication Settings page:

  1. Relying Party ID (RP ID)
     • Domain name where KrakenHashes is hosted
     • Examples: localhost (dev), krakenhashes.example.com (prod)
     • Cannot be an IP address (WebAuthn specification limitation)
     • Warning: Once set and credentials registered, changing this will invalidate all existing passkeys

  2. Allowed Origins
     • Full URLs where the application is accessed
     • Examples: https://localhost:3000, https://krakenhashes.example.com
     • Include all URLs users might use to access the system (scheme, host and port must all match, and each origin's host must be the RP ID or a subdomain of it)

  3. Display Name
     • Friendly name shown during passkey registration
     • Default: "KrakenHashes"
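A wrong RP ID or origin list only shows up later as failed passkey registrations, so the three settings above are worth validating before they are saved. The Go check below is an added example, not KrakenHashes code, and its type and function names are assumptions. It applies the constraints stated above plus two rules from the WebAuthn specification and browsers: each origin's host must equal the RP ID or be a subdomain of it, and WebAuthn is exposed only in secure contexts (https, or plain http on localhost).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// WebAuthnConfig holds the three settings the page describes. Names are this
// example's own, not KrakenHashes identifiers.
type WebAuthnConfig struct {
	RPID        string
	Origins     []string
	DisplayName string
}

// Validate checks that the RP ID is a bare domain name (never an IP address or a
// URL) and that every allowed origin is an absolute scheme://host[:port] whose host
// is the RP ID itself or a subdomain of it, as the WebAuthn spec requires.
func (c WebAuthnConfig) Validate() error {
	rp := strings.ToLower(strings.TrimSpace(c.RPID))
	switch {
	case rp == "":
		return errors.New("RP ID is required")
	case net.ParseIP(strings.Trim(rp, "[]")) != nil:
		return fmt.Errorf("RP ID %q is an IP address; WebAuthn requires a domain name", c.RPID)
	case strings.ContainsAny(rp, ":/ "):
		return fmt.Errorf("RP ID %q must be a hostname only, with no scheme, port or path", c.RPID)
	}
	if len(c.Origins) == 0 {
		return errors.New("at least one allowed origin is required")
	}
	for _, o := range c.Origins {
		u, err := url.Parse(o)
		if err != nil || u.Host == "" || (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" {
			return fmt.Errorf("origin %q must be scheme://host[:port] with nothing after the port", o)
		}
		host := strings.ToLower(u.Hostname())
		// Browsers only expose WebAuthn in secure contexts: https, or http on localhost.
		if u.Scheme != "https" && !(u.Scheme == "http" && host == "localhost") {
			return fmt.Errorf("origin %q must use https (http is allowed only for localhost)", o)
		}
		if host != rp && !strings.HasSuffix(host, "."+rp) {
			return fmt.Errorf("origin %q host is not %q or a subdomain of it; passkeys registered there would be rejected", o, rp)
		}
	}
	return nil
}

func main() {
	cfg := WebAuthnConfig{
		RPID:        "krakenhashes.example.com",
		Origins:     []string{"https://krakenhashes.example.com", "https://krakenhashes.example.com:8443"},
		DisplayName: "KrakenHashes",
	}
	fmt.Println("prod:", cfg.Validate())
	cfg.RPID = "10.0.0.5"
	fmt.Println("ip rp id:", cfg.Validate())
}
```

Run this before persisting the settings, and because changing the RP ID invalidates every registered passkey, treat an RP ID edit on a system with existing credentials as a migration step that needs explicit confirmation rather than a routine save.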

Code Settings

  1. Email Code Validity
     • Default: 5 minutes
     • How long email-based MFA codes remain valid
     • Must be at least 1 minute
     • Balance security with delivery delays

  2. Code Cooldown Period
     • Default: 1 minute
     • Minimum time between code requests
     • Prevents code request spam
     • Must be at least 1 minute

  3. Code Expiry Time
     • Default: 5 minutes
     • How long codes remain valid after generation
     • Applies to all MFA methods
     • Should account for potential delays

  4. Maximum Code Attempts
     • Default: 3 attempts
     • Maximum invalid code entries before the code is invalidated
     • A new code must be generated once the limit is exceeded
     • Prevents brute-force guessing of codes

  5. Number of Backup Codes
     • Default: 8 codes
     • One-time-use backup codes for account recovery
     • Must be at least 1 code
     • Recommended: 8-10 codes
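The code settings above fit together as one small state machine: request (enforce the cooldown), verify (check expiry first, then compare in constant time, then count the attempt against the limit) and recovery (one-time backup codes). The Go example below is added here and is not KrakenHashes code; its type, field and function names are illustrative assumptions. It stores only hashes of codes, so a read of the database does not hand out a live code, and it drops an expired code without charging an attempt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CodePolicy holds the code settings from the page. All names in this example are illustrative.
type CodePolicy struct {
	Validity    time.Duration // Email Code Validity, default 5 minutes
	Cooldown    time.Duration // Code Cooldown Period, default 1 minute
	MaxAttempts int           // Maximum Code Attempts, default 3
	BackupCodes int           // Number of Backup Codes, default 8
}

// MFAState is what the server persists per user; codes themselves are never stored, only SHA-256 hashes.
type MFAState struct {
	codeHash     [32]byte
	codeExpires  time.Time // zero when no code is active
	attempts     int       // wrong entries against the current code
	lastRequest  time.Time
	backupHashes [][32]byte // unused backup codes; an entry is deleted when spent
}

var (
	ErrCooldown        = errors.New("code requested too soon; wait for the cooldown")
	ErrNoActiveCode    = errors.New("no active code (none issued, expired, or attempt limit hit); request a new one")
	ErrWrongCode       = errors.New("incorrect code")
	ErrTooManyAttempts = errors.New("too many incorrect codes; request a new one")
)

func hashCode(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// RequestCode issues a new six-digit code, honouring the cooldown; the returned code is what the mailer sends.
func (p CodePolicy) RequestCode(st *MFAState, now time.Time) (string, error) {
	if !st.lastRequest.IsZero() && now.Sub(st.lastRequest) < p.Cooldown {
		return "", ErrCooldown
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000)) // uniform in [0, 999999], no modulo bias
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	st.codeHash, st.codeExpires, st.attempts, st.lastRequest = hashCode(code), now.Add(p.Validity), 0, now
	return code, nil
}

// VerifyCode checks one entry: expiry first (no attempt charged), then a constant-time compare, then the attempt limit.
func (p CodePolicy) VerifyCode(st *MFAState, now time.Time, entered string) error {
	if st.codeExpires.IsZero() || !now.Before(st.codeExpires) {
		st.codeExpires = time.Time{}
		return ErrNoActiveCode
	}
	h := hashCode(entered)
	if subtle.ConstantTimeCompare(h[:], st.codeHash[:]) == 1 {
		st.codeExpires = time.Time{} // single use
		return nil
	}
	st.attempts++
	if st.attempts >= p.MaxAttempts {
		st.codeExpires = time.Time{} // invalidated; the user must request a fresh code
		return ErrTooManyAttempts
	}
	return ErrWrongCode
}

// GenerateBackupCodes replaces any existing backup codes with fresh one-time codes (16 hex chars, 64 bits each).
func (p CodePolicy) GenerateBackupCodes(st *MFAState) ([]string, error) {
	codes := make([]string, p.BackupCodes)
	st.backupHashes = make([][32]byte, p.BackupCodes)
	for i := range codes {
		b := make([]byte, 8)
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
		codes[i] = hex.EncodeToString(b)
		st.backupHashes[i] = hashCode(codes[i])
	}
	return codes, nil
}

// UseBackupCode consumes a backup code; a spent code is never accepted again.
func (st *MFAState) UseBackupCode(entered string) bool {
	h := hashCode(entered)
	for i, stored := range st.backupHashes {
		if subtle.ConstantTimeCompare(h[:], stored[:]) == 1 {
			st.backupHashes = append(st.backupHashes[:i], st.backupHashes[i+1:]...)
			return true
		}
	}
	return false
}
```

Why the ordering matters: a six-digit code has only one million possibilities, so the attempt limit is what makes it safe, and the limit must apply per issued code, which is why a fresh request resets the counter but also restarts the cooldown. Backup codes are given 64 bits of entropy here so that a plain SHA-256 hash is enough; if a deployment wants shorter, more typeable codes, they should be hashed with a slow password hash instead.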

Best Practices

  1. MFA Implementation
     • Consider enforcing MFA for all users
     • Enable multiple MFA methods for flexibility
     • Educate users about the importance of backup codes
     • Review MFA settings regularly

  2. Code Security
     • Keep validity periods short (5-15 minutes)
     • Implement reasonable cooldown periods
     • Limit invalid attempts
     • Generate sufficient backup codes

  3. User Experience
     • Communicate MFA requirements clearly
     • Document recovery procedures
     • Train support staff on MFA issues
     • Test MFA workflows regularly

  4. Monitoring and Maintenance
     • Review MFA logs regularly
     • Monitor failed MFA attempts
     • Update settings based on security needs
     • Keep documentation current

Troubleshooting

Common Issues

  1. Users Unable to Enable MFA
     • Verify email provider configuration
     • Check user permissions
     • Confirm a supported authenticator app is in use
     • Review error messages

  2. Locked Accounts
     • Verify lockout duration settings
     • Check the failed attempt count
     • Review security logs (a burst of lockouts across many accounts points to an attack rather than forgotten passwords)
     • Consider an administrative unlock

  3. MFA Code Issues
     • Verify the code validity period
     • Check the cooldown period
     • Confirm correct email delivery
     • Review time synchronization: TOTP codes are derived from the current time, so if the server clock and the authenticator device clock drift apart by more than the accepted window, valid codes are rejected

  4. Password Policy Problems
     • Review current policy settings
     • Check character requirement conflicts
     • Verify the minimum length is appropriate
     • Consider user feedback