
Authentication Settings Administration

Overview

KrakenHashes provides robust authentication settings to ensure system security. This document covers the configuration of password policies, account security settings, and multi-factor authentication (MFA) options.

Password Policy

The password policy settings define the requirements for user passwords across the system.

Configuration Options

  1. Minimum Password Length
     • Default: 15 characters
     • Must be a positive integer
     • Recommended: 15+ characters minimum
     • Enforced during password creation and changes

  2. Character Requirements
     • Require Uppercase Letters: When enabled, passwords must contain at least one uppercase letter (A-Z)
     • Require Lowercase Letters: When enabled, passwords must contain at least one lowercase letter (a-z)
     • Require Numbers: When enabled, passwords must contain at least one number (0-9)
     • Require Special Characters: When enabled, passwords must contain at least one special character (!@#$%^&*(),.?":{}|<>)
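The rules above as a validator, added here as an example and not code from KrakenHashes: it applies a policy with the documented defaults and reports every violated rule, so an administrator can see why a candidate password is rejected. The PasswordPolicy class and its field names are assumptions for this example.

```python
"""Password policy validator mirroring the settings above (example code, not KrakenHashes')."""
import string
from dataclasses import dataclass

# Exactly the special-character set listed in the documentation. Characters outside
# it (for example '-' or a space) do not satisfy the special-character rule.
SPECIAL_CHARS = '!@#$%^&*(),.?":{}|<>'


@dataclass(frozen=True)
class PasswordPolicy:
    """Field names are this example's own, not KrakenHashes configuration keys."""
    min_length: int = 15            # documented default
    require_upper: bool = True
    require_lower: bool = True
    require_number: bool = True
    require_special: bool = True


def validate_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return one message per violated rule; an empty list means the password passes.
    Length is counted in characters, so a multi-byte character still counts as one."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    checks = [
        (policy.require_upper, string.ascii_uppercase, "must contain an uppercase letter (A-Z)"),
        (policy.require_lower, string.ascii_lowercase, "must contain a lowercase letter (a-z)"),
        (policy.require_number, string.digits, "must contain a number (0-9)"),
        (policy.require_special, SPECIAL_CHARS, f"must contain a special character ({SPECIAL_CHARS})"),
    ]
    for enabled, allowed, message in checks:
        if enabled and not any(c in allowed for c in password):
            problems.append(message)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the hyphenated one fails only the special-character rule.
    for pw in ("Tr0ub4dor&3", "Correct-Horse-Battery-Staple-42", "Correct!Horse!Battery!Staple42"):
        print(repr(pw), "->", validate_password(pw) or "OK")
```

Note that a hyphen or a space is not in the documented special-character set, which is a common source of the "character requirement conflicts" mentioned under Troubleshooting.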

Best Practices

  • Enable all character requirements for maximum security
  • Balance security with usability when setting minimum length
  • Consider industry standards (NIST, OWASP) when configuring
  • Document password requirements clearly for users

Account Security

Account security settings manage login attempts, session duration, and security notifications.

Configuration Options

  1. Maximum Failed Login Attempts
     • Default: 5 attempts
     • Defines how many failed login attempts are allowed before account lockout
     • Must be a positive integer
     • Recommended range: 3-5 attempts

  2. Account Lockout Duration
     • Default: 60 minutes
     • Duration in minutes before a locked account is automatically unlocked
     • Must be a positive integer
     • Affects accounts locked due to exceeded login attempts

  3. JWT Token Expiry
     • Default: 60 minutes
     • Duration in minutes before an authentication token expires
     • Forces users to re-authenticate after expiration
     • Balances security with user convenience

  4. Notification Aggregation Interval
     • Default: 60 minutes
     • How often to aggregate and send security notifications
     • Prevents notification fatigue while maintaining awareness
     • Groups similar security events within the interval
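Maximum Failed Login Attempts and Account Lockout Duration working together, as an added example that is not KrakenHashes code: a per-account counter that locks at the threshold, refuses to extend the lock on further failures, and unlocks itself once the duration has passed. Class, method and parameter names are this example's own; the clock is injectable so the timing can be checked without waiting.

```python
"""Failed-login lockout mirroring the settings above (example code, not KrakenHashes')."""
import time


class LockoutTracker:
    """Count failed logins per account and unlock automatically after the lockout duration.

    Parameter names are this example's own, not KrakenHashes configuration keys.
    `now` returns the current time in seconds and is injectable for testing.
    """

    def __init__(self, max_failed_attempts=5, lockout_minutes=60, now=time.time):
        self.max_failed_attempts = max_failed_attempts   # documented default: 5
        self.lockout_seconds = lockout_minutes * 60      # documented default: 60 minutes
        self.now = now
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> unlock time in seconds

    def is_locked(self, user: str) -> bool:
        """True while the lock is in force. An expired lock is cleared, which also
        resets the failed-attempt budget (this is the automatic unlock)."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.now() < until:
            return True
        self.record_success(user)
        return False

    def record_failure(self, user: str) -> bool:
        """Count one failed attempt and return True when it triggers a lock.
        A failure reported while the account is already locked does not extend the lock."""
        if self.is_locked(user):
            return False
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] < self.max_failed_attempts:
            return False
        self._locked_until[user] = self.now() + self.lockout_seconds
        return True

    def record_success(self, user: str) -> None:
        """Clear the counters; an administrative unlock does the same thing."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def seconds_until_unlock(self, user: str) -> float:
        """Remaining lockout time, or 0.0 when the account is not locked."""
        if not self.is_locked(user):
            return 0.0
        return self._locked_until[user] - self.now()
```

A login handler would call is_locked before checking credentials and record_failure or record_success afterwards; the lockout events themselves are what the "Monitor failed login attempts" practice below refers to.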

Best Practices

  • Adjust lockout duration based on threat model
  • Consider user experience when setting token expiry
  • Monitor failed login attempts for attack patterns
  • Review security notifications regularly

Multi-Factor Authentication (MFA) Settings

MFA provides an additional layer of security beyond passwords.

General Settings

  1. Require MFA for All Users
     • Toggle to enforce MFA across all user accounts
     • To enable this, an email provider must be configured, because email is the default MFA method
     • Affects new and existing users

Allowed MFA Methods

The system supports multiple MFA methods:

  1. Email Authentication
     • Sends verification codes to the user's registered email
     • Requires a configured email provider
     • Good balance of security and convenience

  2. Authenticator Apps
     • Compatible with standard TOTP authenticator apps
     • More secure than email-based authentication
     • Works offline once configured
     • Examples: Bitwarden, Google Authenticator, Authy, Microsoft Authenticator

  3. Passkey (Future Feature)
     • Currently disabled
     • Will support the FIDO2/WebAuthn standard
     • Provides the highest security level
     • Requires compatible hardware/devices

Code Settings

  1. Email Code Validity
     • Default: 5 minutes
     • How long email-based MFA codes remain valid
     • Must be at least 1 minute
     • Balance security with delivery delays

  2. Code Cooldown Period
     • Default: 1 minute
     • Minimum time between code requests
     • Prevents code request spam
     • Must be at least 1 minute

  3. Code Expiry Time
     • Default: 5 minutes
     • How long codes remain valid after generation
     • Applies to all MFA methods
     • Should account for potential delays

  4. Maximum Code Attempts
     • Default: 3 attempts
     • Maximum invalid code entries before the code is invalidated
     • A new code must be generated once the limit is exceeded
     • Prevents brute force attacks

  5. Number of Backup Codes
     • Default: 8 codes
     • One-time use backup codes for account recovery
     • Must be at least 1 code
     • Recommended: 8-10 codes
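The code-validity, cooldown and maximum-attempt settings together, as an added example that is not KrakenHashes code: a verifier that issues one-time 6-digit codes, refuses a new code inside the cooldown, and discards a code once it expires or has absorbed the maximum number of wrong guesses. Class, method and parameter names are assumptions for this example; backup codes are not covered.

```python
"""One-time MFA code lifecycle mirroring the code settings above (example code, not KrakenHashes')."""
import hmac
import secrets
import time


class CodeVerifier:
    """Issue one-time codes per user and enforce expiry, cooldown and the attempt limit.

    Parameter names are this example's own, not KrakenHashes configuration keys.
    `now` returns the current time in seconds and is injectable for testing.
    """

    def __init__(self, expiry_minutes=5, cooldown_minutes=1, max_attempts=3, now=time.time):
        self.expiry = expiry_minutes * 60        # documented default: 5 minutes
        self.cooldown = cooldown_minutes * 60    # documented default: 1 minute
        self.max_attempts = max_attempts         # documented default: 3
        self.now = now
        self._pending = {}                       # user -> {"code", "issued", "attempts"}

    def issue(self, user: str):
        """Generate a fresh 6-digit code (the value that would be emailed), replacing any
        earlier one. Returns None when the last request was less than the cooldown ago."""
        current = self._pending.get(user)
        if current and self.now() - current["issued"] < self.cooldown:
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"    # CSPRNG, no modulo bias
        self._pending[user] = {"code": code, "issued": self.now(), "attempts": 0}
        return code

    def verify(self, user: str, submitted: str) -> str:
        """Return "ok", "wrong" (retry allowed) or "expired" (a new code must be requested).

        A code is discarded once it is older than the expiry or has absorbed max_attempts
        wrong guesses, which is what bounds online guessing of a 6-digit code.
        """
        current = self._pending.get(user)
        if current is None or self.now() - current["issued"] > self.expiry:
            self._pending.pop(user, None)
            return "expired"
        if hmac.compare_digest(current["code"].encode(), submitted.encode()):  # constant time
            del self._pending[user]                 # one-time use
            return "ok"
        current["attempts"] += 1
        if current["attempts"] >= self.max_attempts:
            del self._pending[user]                 # invalidated: a new code must be generated
            return "expired"
        return "wrong"
```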

Best Practices

  1. MFA Implementation
     • Consider enforcing MFA for all users
     • Enable multiple MFA methods for flexibility
     • Educate users about the importance of backup codes
     • Review MFA settings regularly

  2. Code Security
     • Keep validity periods short (5-15 minutes)
     • Implement reasonable cooldown periods
     • Limit invalid attempts
     • Generate sufficient backup codes

  3. User Experience
     • Communicate MFA requirements clearly
     • Document recovery procedures
     • Train support staff on MFA issues
     • Test MFA workflows regularly

  4. Monitoring and Maintenance
     • Review MFA logs regularly
     • Monitor failed MFA attempts
     • Update settings based on security needs
     • Keep documentation current

Troubleshooting

Common Issues

  1. Users Unable to Enable MFA
     • Verify the email provider configuration
     • Check user permissions
     • Confirm that a supported authenticator app is being used
     • Review error messages

  2. Locked Accounts
     • Verify the lockout duration settings
     • Check the failed attempt count
     • Review security logs
     • Consider an administrative unlock

  3. MFA Code Issues
     • Verify the code validity period
     • Check the cooldown period
     • Confirm correct email delivery
     • Review time synchronization

  4. Password Policy Problems
     • Review the current policy settings
     • Check for character requirement conflicts
     • Verify that the minimum length is appropriate
     • Consider user feedback