This help file describes the security validations implemented to safeguard user information in ARC Facilities. The validations require users to set up complex passwords and, optionally, to pass a two-step authentication procedure in which the user must enter both the complex password and a PIN number to access the application.


Where to set up complex password and two-step authentication: Click Settings menu button > Click Account Settings on the menu > Go to Password Settings tab on the Account Settings screen


Note: Only the Account admin can set up the complex password and two-step authentication. Other users of the account, such as employee users, shared users or lite users, must set up a complex password and/or PIN when logging in to the application.


The Password Settings tab is shown in the screenshot below:

Password expiration days selection:

The Admin user can select the number of days after which the password to access the account will expire. After login, account users will see a warning message asking them to reset the password, starting 10 days before expiration. The user can choose to make the password 'never expire' or expire in 30 days, 90 days, 6 months or 1 year.

Password expiration warning message:

“Your password will expire in 10 days. Click here to Reset Now.”
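As an added illustration (not code from ARC Facilities), the following Python computes the expiration date for each option on the tab and decides when the 10-day warning applies. The month-clamping rule used for '6 months' and '1 year' (a password set on 31 January expires on 31 July, one set on 29 February 2024 on 28 February 2025) and the day count filled into the warning text are assumptions; the page does not state how the application counts months.

```python
import calendar
from datetime import date, timedelta

# Expiration choices offered on the Password Settings tab, per the help text.
EXPIRY_OPTIONS = {
    "never": None,
    "30 days": ("days", 30),
    "90 days": ("days", 90),
    "6 months": ("months", 6),
    "1 year": ("months", 12),
}
WARNING_DAYS = 10  # the warning is shown this many days before expiration


def add_months(d: date, months: int) -> date:
    """Add whole calendar months, clamping the day to the end of the target month (assumed rule)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def expiry_date(set_on: date, option: str):
    """Date on which a password set on `set_on` expires, or None for 'never'."""
    rule = EXPIRY_OPTIONS[option]
    if rule is None:
        return None
    unit, amount = rule
    if unit == "days":
        return set_on + timedelta(days=amount)
    return add_months(set_on, amount)


def password_status(set_on: date, option: str, today: date) -> str:
    """'ok', 'warn' (inside the 10-day window) or 'expired'."""
    expires = expiry_date(set_on, option)
    if expires is None:
        return "ok"
    days_left = (expires - today).days
    if days_left <= 0:
        return "expired"
    if days_left <= WARNING_DAYS:
        return "warn"
    return "ok"


def warning_message(set_on: date, option: str, today: date) -> str:
    """Post-login banner; filling in the remaining days is an assumption about the product."""
    days_left = (expiry_date(set_on, option) - today).days
    return f"Your password will expire in {days_left} days. Click here to Reset Now."
```

`password_status` is the check a login handler would run once per session; the 'expired' state should force the reset flow rather than only show the banner.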


Setting up complex password:

Account admin can opt for creation of complex password for an account. When account admin selects this option, all users on the account must have a password that meets the minimum criteria.

A complex password must satisfy a pre-defined set of rules on letters, special characters and numbers that is defined in ARC FACILITIES; the rules are global for all users of the account.

Complex password consists of following minimum criteria:

  • 8 or more characters in length
  • At least one upper-case letter
  • At least one lower-case letter
  • At least one number (1234567890) or special character (!@#$%^&*)

Complex password activation:

Account admin can opt for complex password under Password settings tab on the Settings screen.

Screenshot highlighting the complex password setup checkbox:

  1. Once Account admin selects the “Require Complex Password” checkbox and clicks [Save] button, the application will display a message box asking the user to reset the current password. The notification will be “Password policy has been successfully updated. Please reset your password now.”
  2. Click the “Reset Password” button to change your current password to a complex password. The user will be logged out of the application and taken to the "Update Password" screen.

  Screenshot displaying the Update Password screen:

  3. The user will have to enter the old password, then enter the new password twice (for confirmation) according to the complex password policy, and then click the [Submit] button, after which the user is redirected to the ‘Log in’ screen.


If the user fails to enter a new password that meets the complex password policy, the new password cannot be updated or saved. Resetting the password is mandatory.

Error scenarios:

  • If the user does not enter any new password and by mistake clicks the [Submit] button, the following message is displayed: “Required field(s) cannot be empty”.
  • If the user fails to enter the same password twice (when entering the new password) and clicks the [Submit] button, the following message is displayed: “Your new password and confirmation do not match. Please try again.”


  4. On the log-in screen the user will have to enter his/her user name or email and the new complex password to access his/her account.


Note: If the user has updated the password 5 times previously and on the 6th time enters one of the previously used passwords as the new password, the following message is displayed: “Cannot use recent five passwords. Please try again.”
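The following Python is an added example, not code from ARC Facilities, that puts the Update Password screen's checks together: the four complex password criteria listed above, the 4-digit PIN rule, the empty-field and mismatch messages, and the "recent five passwords" rule from the note above. The page does not say how the application stores previous passwords; storing a salted PBKDF2 digest of each one (so the history check never needs plaintext) and the policy-violation message text are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 8
SPECIALS = set("!@#$%^&*")   # special characters the policy accepts
HISTORY_SIZE = 5             # recent passwords that may not be reused
PBKDF2_ROUNDS = 100_000      # assumed storage parameters; the page does not describe storage

Record = Tuple[bytes, bytes]  # (salt, digest) of a previously used password


def password_policy_errors(password: str) -> List[str]:
    """Return the rules from the minimum-criteria list that the candidate fails (empty = compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("8 or more characters in length")
    if not re.search(r"[A-Z]", password):
        errors.append("at least one upper-case letter")
    if not re.search(r"[a-z]", password):
        errors.append("at least one lower-case letter")
    if not (re.search(r"[0-9]", password) or any(c in SPECIALS for c in password)):
        errors.append("at least one number or special character (!@#$%^&*)")
    return errors


def is_valid_pin(pin: str) -> bool:
    """The PIN must be exactly 4 digits."""
    return re.fullmatch(r"[0-9]{4}", pin) is not None


def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Salted PBKDF2 digest, so history can be checked without keeping plaintext passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, record: Record) -> bool:
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def validate_new_password(candidate: str, confirmation: str, history: List[Record]) -> Optional[str]:
    """Apply the Update Password screen's checks; returns the error message, or None if accepted."""
    if not candidate or not confirmation:
        return "Required field(s) cannot be empty"
    if candidate != confirmation:
        return "Your new password and confirmation do not match. Please try again."
    errors = password_policy_errors(candidate)
    if errors:
        # Message text is assumed; the page only says the password is not saved.
        return "Password does not meet the complex password policy: " + "; ".join(errors)
    if any(matches(candidate, record) for record in history[-HISTORY_SIZE:]):
        return "Cannot use recent five passwords. Please try again."
    return None


def record_password(history: List[Record], password: str) -> List[Record]:
    """Store the accepted password's digest and keep only the last HISTORY_SIZE entries."""
    history.append(hash_password(password))
    del history[:-HISTORY_SIZE]
    return history
```

Keeping only five digests in the history list is what makes a sixth change able to reuse the first password, which is exactly the behaviour the note describes.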


Session ended for logged in users after complex password enablement:

If the password policy is modified by the admin, then existing users who are already logged in to the same account will be logged out (session ended). The next time these users try to log in, the application will prompt them to update their password as per the new complex password policy. This applies to all active session users – employee users logged in to the same account through device, sync, web & Outlook.


Account (employee) user logging in after account admin has enabled complex password:

The account users will first reach the log-in screen; after they enter the current password, the application redirects them to the Update Password screen and displays the message “Your account’s security settings have been updated by your admin. Your password must now be updated.” These users will therefore have to update their password as per the new complex password policy.


Note: After the account becomes a password-policy-enabled account, the user must make sure that the device, sync and Outlook plug-in versions of ARC FACILITIES are the latest versions. If not, the user will have to download the latest version from the appropriate location; otherwise, the user will not be able to log in to his/her account.


Security Questions & Answers

After the account admin sets the complex password and/or PIN number and then logs in to his/her account, the application will display a message asking the user to set security questions.


This message is shown in the screenshot below,

  1. Click [Update security information] button to navigate to the Edit Profile screen in order to set the security questions.


Screenshot displaying the Edit Profile screen with security questions [highlighted in screenshot below]:

The account users can select 1, 2 or 3 security questions from a pool of 15 questions and enter the answers of the selected questions in free text.


The user can set a minimum of one and a maximum of three (3) security questions from the My Profile screen, entering the answer to each selected question in free text, or can choose not to set up any question at all. Security questions (if set) need to be answered after a wrong entry of the complex password or a wrong entry of the PIN.


Note: The security questions will appear only after complex password and/or two-step verification is enabled.


Selecting security questions & entering answers:

Each user can select a minimum of one question and a maximum of three questions and enter the answers of those selected questions. They can select from a list of 15 possible questions and enter their answers in free text.

I. In what city or town did you meet your spouse/partner?

II. What is the name of your first boyfriend/girlfriend?

III. In what city, did you have your first kiss?

IV. What was the make/model of your first car?

V. What street did you grow up on?

VI. Which phone number do you most remember from your childhood?

VII. What was your favorite place to visit as a child?

VIII. Who was your favorite actor, musician, or artist as a child?

IX. What was the name of your first stuffed animal/doll/action figure?

X. What is the name of your first-grade teacher?

XI. In what city or town did your mother and father meet?

XII. In what town or city was your first full time job?

XIII. Who was your childhood hero?

XIV. What was your favorite sport in high school?

XV. What was the name of the company where you had your first job?

  2. After selecting the questions and entering appropriate answers, click the [Save] button to enable the security questions.


If the user selects the same security question more than once, the following error message is displayed: “Security questions cannot be the same.” and the application will not allow the security questions and answers to be saved. After setting up the questions, the user can continue with normal work in the application.
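As an added example that is not ARC Facilities code, the following Python models the Save action described above (at most three questions from the pool of 15, no duplicates, no empty answers) together with the later use of the questions on the 4th and 5th login attempts: picking one at random and checking the typed answer. Storing only a salted digest of a normalised answer (case-folded, whitespace collapsed) is an assumption about how the application should keep answers; the page does not describe storage. The two messages marked "assumed wording" are not on the page.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

# The 15 questions offered on the My Profile screen (from the list above).
QUESTION_POOL = [
    "In what city or town did you meet your spouse/partner?",
    "What is the name of your first boyfriend/girlfriend?",
    "In what city, did you have your first kiss?",
    "What was the make/model of your first car?",
    "What street did you grow up on?",
    "Which phone number do you most remember from your childhood?",
    "What was your favorite place to visit as a child?",
    "Who was your favorite actor, musician, or artist as a child?",
    "What was the name of your first stuffed animal/doll/action figure?",
    "What is the name of your first-grade teacher?",
    "In what city or town did your mother and father meet?",
    "In what town or city was your first full time job?",
    "Who was your childhood hero?",
    "What was your favorite sport in high school?",
    "What was the name of the company where you had your first job?",
]
MAX_QUESTIONS = 3
Stored = Tuple[str, bytes, bytes]  # (question, salt, digest of the normalised answer)


def normalise(answer: str) -> str:
    """Case and surrounding/internal whitespace should not make a correct answer fail."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


def selection_error(selections: List[Tuple[str, str]]) -> Optional[str]:
    """Validate the Save action on the Edit Profile screen; None means the selection is accepted."""
    questions = [q for q, _ in selections]
    if len(questions) > MAX_QUESTIONS:
        return "A maximum of three security questions can be set"   # assumed wording
    if len(set(questions)) != len(questions):
        return "Security questions cannot be the same."
    if any(q not in QUESTION_POOL for q in questions):
        return "Unknown security question"                          # assumed wording
    if any(not a.strip() for _, a in selections):
        return "Required field(s) cannot be empty"
    return None


def store_answers(selections: List[Tuple[str, str]]) -> List[Stored]:
    """Persist only salted digests of the normalised answers, never the answers themselves."""
    assert selection_error(selections) is None
    return [(q, *hash_answer(a)) for q, a in selections]


def pick_question(stored: List[Stored]) -> Optional[str]:
    """Random question for the 4th/5th login attempt; None when the user set no questions."""
    return secrets.choice(stored)[0] if stored else None


def check_answer(stored: List[Stored], question: str, answer: str) -> bool:
    for q, salt, digest in stored:
        if q == question:
            return hmac.compare_digest(hash_answer(answer, salt)[1], digest)
    return False
```

`pick_question` returning None is the case the page describes for accounts without questions: the login screen then simply allows the remaining attempts without a question.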


Setting up two-step verification

The account admin can opt for two-step verification for upgraded security. The Admin user can tick the checkbox 'Require two-step authentication' under the Password Settings tab [highlighted in the screenshot below] and then click the [Save] button to enable the two-step verification process.


Scenario 1: Complex password already enabled before enabling two-step verification

As the complex password is already enabled before enabling two-step verification, the user only has to set up a new PIN number.

After the admin user enables two-step verification, the application will display a message box asking the user to set up a new PIN number. The notification will be “Two-Step Verification has been successfully activated. Please assign your Personal Identification Number (PIN) now.”

Screenshot displaying the message:


    1. Click the “Set PIN” button to configure a new PIN number. The user will be logged out of the application and taken to the Update PIN screen.

Screenshot displaying the Update PIN screen:

    2. Enter the current complex password (this password was set beforehand), then enter the new PIN number twice (for confirmation).


Note: The PIN length should be 4 digits only.


Error scenarios:

If the user enters a different new and confirmed PIN number, the following message is displayed: “Your new PIN and confirmation do not match. Please try again.”

If user enters the wrong current password, the application displays the message “Entered password in invalid”


    3. After user updates the PIN and clicks the [Submit] button he/she will be redirected to the ‘Log in’ screen.

    4. On the log-in screen user will first have to enter his/her user name or email and the complex password to proceed to the PIN verification screen.

    5. On the Verify your identity screen, user will have to enter the PIN number to finally access the account (i.e. land on the Common login screen)


Tip: Accessing the account after enabling two-step verification is described in the section “User logging in after enabling two-step verification” below.


Scenario 2: Complex password not enabled before enabling two-step verification

As soon as the user selects the two-step verification checkbox, the complex password checkbox is automatically selected. The user will not be able to clear the complex password checkbox while two-step verification is enabled.

The two-step verification process involves setting the complex password and then setting a PIN number.


    1. After the admin user enables two-step verification and clicks the [Save] button, the application will display a message box asking the user to reset the current password. The notification will be “Password policy has been successfully updated. Please reset your password now.”

Screenshot displaying the message:

    2. Click the “Reset Password” button to change your current password to a complex password. The user will be logged out of the application and taken to the Update Password screen.


Screenshot displaying update password screen:


    3. The account admin will have to enter the old password and then enter the new password twice (for confirmation) based on the complex password policy.

    4. After updating the new password, click on [Submit] button to move to the Update PIN screen.


Screenshot displaying the Update PIN screen:

    5. On this screen, enter & re-enter a new PIN (for confirmation).


Note: The PIN length should be 4 digits only.

After setting the new complex password & PIN, admin user is automatically logged out of the application. Hence, the admin user will have to log-in again to access the application by entering the new complex password and new PIN number.


    6. After the user updates the PIN and clicks the [Submit] button, he/she will be redirected to the ‘Log in’ screen.

    7. On the log-in screen the user will first have to enter his/her user name or email and the complex password to proceed to the PIN verification screen.

    8. On the Verify your identity screen, the user will have to enter the PIN number to finally access the account (i.e. land on the Common login screen).


Tip: Accessing the account after enabling two-step verification is described in the section “User logging in after enabling two-step verification” below.


User logging in after enabling two-step verification

User will reach the log-in screen after updating the new complex password & new PIN number.


    1. The user will have to enter the log-in credentials (username & complex password) on the log-in screen (sign-in screen) to access the application after enabling two-step verification.


Screenshot displaying the log-in screen:

After successful entry of the username & new complex password, application redirects the user to the Verify your identity screen which is the PIN entry screen.


Screenshot displaying the PIN entry screen:

    2. Enter the new PIN number.

    3. After successfully entering the PIN number, the user can choose to select the checkbox “Trust this computer when I sign in” under the Security Preference heading.


User trusts this computer:

  • If the user selects the checkbox “Trust this computer when I sign in”, then from the next login onwards the user only has to enter the user ID & complex password to access the application; no PIN entry is required (even though two-step authentication is enabled).


Note: If the user logs in to the application from a different system OR from a different browser on the same computer, the application will ask for the security preference again.


User doesn’t trust this computer:

  • If the user does not select the checkbox “Trust this computer when I sign in”, the user has to enter the PIN number after entering the log-in credentials (user ID & complex password) to access the account. By default, this checkbox is not selected.


    4. Finally, click the [Submit] button to access the application.
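The "Trust this computer" preference described above is, by its nature, tied to one browser on one machine, which is why a different browser or device is asked again. The following Python is an added example (not ARC Facilities code) of one way to implement that: when the user ticks the box, the server sets a cookie whose contents are signed with a server-side key and bound to the user and to an identifier for that browser, and the PIN screen is skipped only when a valid, unexpired cookie for that user and browser is presented. The signing scheme, the `browser_id` value, the 30-day lifetime and all function names are assumptions; the page states none of them.

```python
import base64
import hashlib
import hmac
import json
import secrets

TRUST_TTL_SECONDS = 30 * 24 * 3600      # assumed lifetime; the page does not state one
SERVER_KEY = secrets.token_bytes(32)    # server-side secret, generated here for the demo


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_trust_cookie(user_id: str, browser_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Value set in the browser when the user ticks 'Trust this computer when I sign in'."""
    claims = {"user": user_id, "browser": browser_id, "exp": int(now) + TRUST_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def is_trusted(cookie, user_id: str, browser_id: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """True only if the cookie is intact, signed by us, for this user and browser, and unexpired."""
    if not cookie or "." not in cookie:
        return False
    body, signature = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(body.encode())
        if not hmac.compare_digest(_sign(payload, key), signature):
            return False
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(claims, dict):
        return False
    return (claims.get("user") == user_id and claims.get("browser") == browser_id
            and claims.get("exp", 0) > now)


def pin_required(two_step_enabled: bool, cookie, user_id: str, browser_id: str, now: int) -> bool:
    """Decide, after a correct username and complex password, whether to show the PIN screen."""
    if not two_step_enabled:
        return False
    return not is_trusted(cookie, user_id, browser_id, now)
```

Because the cookie is checked against the user who just entered the password, a trusted browser shared by two people does not let the second person skip the PIN, and a copied or edited cookie fails the signature check.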


Session ended for logged in users after two-step verification enablement

Any employee user with an active session on the account whose password policy the account admin has changed will be logged out (session ended). The active account user will be logged out (when the admin user enables two-step verification & complex password) even when he/she is accessing the account through a device (phone or tablet) or the sync application.
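This section and the earlier "Session ended for logged in users after complex password enablement" section describe the same rule, and the Info list further down adds that a token counts only once the two-step process is complete. The following Python is an added example (not ARC Facilities code) of one way to get all of that from a single mechanism: each saved Password Settings change bumps a version number on the account, every session records the version it was issued under, and a session with an older version is treated as ended on every channel at once. The same version idea decides what the next login shows (reset password, set PIN, or enter PIN), matching Scenario 1 (complex password already on, so only a PIN is needed) and Scenario 2 (two-step switched on first forces both). The data model and field names are assumptions.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class AccountPolicy:
    """Password Settings for one account, as saved by the account admin."""
    complex_password: bool = False
    two_step: bool = False
    policy_version: int = 0          # bumped on every save; sessions older than this are ended
    password_rule_version: int = 0   # bumped only when complex password is switched on


@dataclass
class UserCredentials:
    password_rule_version: int = 0   # rule version the user's current password satisfies
    pin_set: bool = False


@dataclass
class Session:
    user: str
    channel: str                     # web, device, sync or outlook
    policy_version: int
    two_step_done: bool
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class SessionStore:
    def __init__(self):
        self._by_token = {}

    def create(self, user: str, channel: str, policy: AccountPolicy, two_step_done: bool) -> Session:
        session = Session(user, channel, policy.policy_version, two_step_done)
        self._by_token[session.token] = session
        return session

    def is_valid(self, token: str, policy: AccountPolicy) -> bool:
        session = self._by_token.get(token)
        if session is None:
            return False
        if session.policy_version != policy.policy_version:
            return False      # policy changed after issue: session ended on every channel
        if policy.two_step and not session.two_step_done:
            return False      # token counts only once the PIN step has been completed
        return True


def save_password_settings(policy: AccountPolicy, complex_password: bool, two_step: bool) -> AccountPolicy:
    """Admin clicks [Save]: two-step forces complex password on, and every active session is ended."""
    if two_step:
        complex_password = True
    if complex_password and not policy.complex_password:
        policy.password_rule_version += 1
    policy.complex_password = complex_password
    policy.two_step = two_step
    policy.policy_version += 1
    return policy


def step_after_password(policy: AccountPolicy, creds: UserCredentials) -> str:
    """What the user sees after entering a correct current password at the next login."""
    if policy.complex_password and creds.password_rule_version < policy.password_rule_version:
        return "update_password"
    if policy.two_step and not creds.pin_set:
        return "update_pin"
    if policy.two_step:
        return "verify_pin"
    return "done"
```

Keeping the version on the account rather than deleting sessions one by one means a session held by an out-of-date device or sync client is rejected at its next request, which is the behaviour the note about outdated plug-in versions relies on.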


Account (employee) user logging in after account admin has enabled two-step verification

When an account (employee) user logs in for the first time after two-step verification is enabled, he/she will first enter his/her account log-in credentials. As the account admin has already changed the account password and set a new PIN, the employee user will receive a message stating “Your account password has been reset & new account PIN set by the account admin, so please update your account password & PIN”.


The employee user will now be redirected to the Update Password screen. After setting the new password, user is navigated to Update PIN screen. After setting the new password & PIN, user will be re-directed to the log-in screen again. Hence, after entering the new complex password & new PIN user will be able to access his/her account.

After entering the application, the user will receive a message asking him/her to select and answer security questions. This alert appears if the complex password is enabled but security questions are not set. The user will have to set the security questions and provide answers to them from the ‘My Profile’ screen and can then continue working in the application.


Wrong password entry (in case two-step verification is enabled):

    1. The user opens the log-in screen of the application, enters the email ID and then enters a wrong password.


Screenshot displaying the first invalid login attempt:

    2. The user enters the wrong password three (3) times.

After the third attempt, i.e. on the fourth & fifth attempts, the application displays a random security question out of the (up to 3) security questions set on the My Profile screen (the security questions appear only if they have been selected & answered by the account admin on the My Profile screen).


The application displays the number of invalid login attempts made and the number of valid attempts left in the message at the top of the screen.


Note:

  • The total number of log-in attempts is set to 5; once they are exhausted, the account will be locked. The security questions appear on the fourth & fifth attempts.
  • Counting of invalid logins & account locking happen only if the strong password policy and/or two-step verification is enabled.


Screenshot displaying the security question on the log-in screen on the penultimate (fourth) attempt:

Now, user will have to enter the correct password as well as the correct answer to the security question in order to proceed further.

If the account does not have security questions configured, the application will not display any security question and the user is allowed five attempts to enter the correct password.


    3. The user enters the wrong password, a wrong answer to the security question, or both, two more times after the third attempt (i.e. a total of 5 wrong entries).


Application displays a message - “Your account has been locked due to too many invalid login attempts. A reset password link has been sent to the registered email. Please follow the email instructions to unlock and access your account.”


Screenshot below displays the locked account message:

Note: The account lock will remain for a few hours, and only after that period has elapsed can the user log in to his/her account. The lock expires automatically after that period if the user does not choose to reset the password from the email that was sent in the meantime.

An email with a reset password link will be sent to the user's registered email address.


Screenshot displaying the ‘reset password’ link in email: 


    4. The user opens the email and clicks the password retrieval link in the email.

    5. After clicking the link, the application takes the user to a screen where he/she will have to enter a new password twice (for confirmation) and provide the answer to a randomly selected question. The randomly selected question is one of the (up to three) questions selected and answered by the user on the ‘My profile’ screen.


Screenshot displaying the update password screen with security question:

If user enters a wrong answer to the security question, then the following message is displayed "Answer to your security question is incorrect. Please try again". This is shown below,

After user successfully answers the question, enters a new password (twice) and then clicks [Save password] button, he/she will be redirected to the log-in screen.


    6. User enters the log-in credentials (correct complex password entered this time)


Application redirects the user to the PIN code entering screen.


    7. User enters the correct PIN code


User successfully enters the application.

Note: The security question appears only if user has configured or set the security questions & associated answers from the ‘My Profile’ screen.


Wrong PIN code entry (in case two-step verification is enabled):

    1. User opens the log-in screen of the application

    2. User enters the user name or email ID and the correct complex password


After user successfully enters the log-in credentials he/she will be redirected to the PIN code entering screen.


    3. User enters the incorrect PIN on first attempt

Screenshot displaying the first invalid login attempt:

    4. User enters the wrong PIN code for three consecutive times (thrice)


After the third attempt, i.e. on the fourth & fifth attempts, the application displays a random security question out of the (up to 3) security questions set on the My Profile screen (the security questions appear only if they have been selected & answered by the account admin on the My Profile screen). The application also displays a message with the number of invalid login attempts made and the number of valid attempts left at the top of the screen.


Note: The total number of PIN entry attempts is set to 5; once they are exhausted, the account will be locked. The security questions appear after the third attempt.


Screenshot displaying the security question on the PIN entering screen on the penultimate (fourth) attempt:

The user enters the wrong PIN code, a wrong answer to the security question, or both, two more times after the third attempt.

Application displays a message - “Your account is locked due to invalid login attempt. A reset PIN login link has been sent to your email. Please follow the email instruction to unlock your account.”


Screenshot displaying the message:

Note: The account lock will remain for a few hours, and only after that period has elapsed can the user log in to his/her account. The lock expires automatically after that period if the user does not choose to reset the PIN from the email that was sent in the meantime.

An email with a reset PIN link will be sent to the user's registered email address.


Screenshot displaying the ‘Reset PIN’ link in email: 

    5. User opens the email and clicks the PIN code retrieval link in the email


The application takes the user to a screen where he/she will have to enter the complex password and the new PIN twice (for confirmation).

Screenshot displaying the ‘Reset PIN’ screen:

    6. The user enters the current complex password and the new PIN twice (for confirmation). If the user enters the wrong password, the following message is displayed: “Entered password in invalid”.


After resetting the PIN code, user will be redirected to the log-in screen.


    7. User enters the log-in credentials (username or email and complex password)


Application redirects the user to the PIN code entering screen.


    8. User enters the correct PIN code


User successfully enters the application.


Info:

  • After a successful login or a password reset/update, the invalid attempt count is reset to zero.
  • In an account with two-step verification enabled, a token is valid only once the two-step verification process has been completed.
  • The security question appears only if the user has set the security questions & associated answers on the ‘My Profile’ screen.

User forgets PIN

If the user forgets the PIN, he/she can reset it from the PIN entering screen.

  • Click the “Forgot PIN?” link on the PIN entering screen.


A message is displayed at the top of the screen which states “An email with a link to reset your PIN has been sent to you”.

Screenshot displaying the message at the top of the screen:

  • Open the mail box and view the Reset PIN Request email

Screenshot displaying the PIN reset email:

  • Click the reset PIN link to navigate to the Reset PIN screen.

Screenshot displaying the Reset PIN screen:

From the Reset PIN screen, user will have to enter the complex password first, then set a new PIN number and then proceed to access the application.


User trusts computer but PIN code locked from device

In a scenario where the user has selected the security preference “Trust this computer when I sign in”, the application will not ask the user for the PIN even though two-step authentication is enabled. This security preference works only when the user logs in to his/her account from the same computer using the same browser.


Since this preference is specific to the system (device) & browser, if the user tries to log in to his/her account from another device and fails to do so because of a wrong PIN code entry, the account will be locked. A reset PIN mail will be sent to the user’s registered email ID.


Meanwhile, while the account is still locked, when the user tries to log in to his/her account from the web, then after entering the log-in credentials (username & password) the message “Your account has been locked, reset PIN mail send to your email ID, please reset PIN to access account” will be displayed. The user will have to go to his/her email ID, click the reset PIN link and navigate to the Reset PIN screen. On this screen the user will have to enter the current password & enter a new PIN twice (for confirmation).


Screenshot displaying the security question and PIN reset screen:

After resetting the PIN, user can access the application.


Account lock from multiple device

The invalid login attempt count is maintained globally: for example, an invalid attempt from the web, then an invalid attempt from sync and then one from a device all add up, so the total number of invalid attempts can reach 5 and the account lock is initiated.


The account lock can happen if the user fails to log in to the same account five times from multiple devices. For example,

  1. The user first tries to log in to his/her account from the website and enters a wrong password once. The application counts this as the first failed log-in attempt.
  2. The user then tries to log in to the same account from a device three more times, again entering a wrong password each time. The application counts these as three more failed log-in attempts.
  3. The user tries to log in to his/her account from the sync app and once again enters a wrong password. The application counts this as the fifth failed log-in attempt and consequently the account is locked.
  4. The application displays a message on the current device screen: “Your account is locked due to invalid login attempt. A reset password link has been sent to your email. Please follow the email instruction to unlock your account.”
  5. An email with a reset password link is sent to the user's registered email address.
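The following Python is an added example, not ARC Facilities code, of the per-account counter this section and the earlier "Wrong password entry" notes describe: one limit of 5 shared by every channel, a security question added from the 4th attempt on when the user has set any, a lock on the 5th failure, and the counter returning to zero after a successful login or a completed reset. The lock duration is an assumption (the page only says "a few hours"), as is the audit list, which is included because a defender wants the channel of each failed attempt recorded for review. The same tracker can be instantiated separately for the PIN stage, which the page says behaves the same way.

```python
from dataclasses import dataclass, field
import secrets
from typing import List, Optional, Tuple

MAX_ATTEMPTS = 5              # total invalid attempts before the account is locked
QUESTION_FROM_ATTEMPT = 4     # a security question is added on the 4th and 5th attempts
LOCK_SECONDS = 2 * 3600       # assumed; the page only says the lock lasts "a few hours"

LOCKED_MESSAGE = ("Your account is locked due to invalid login attempt. A reset password link has been "
                  "sent to your email. Please follow the email instruction to unlock your account.")


@dataclass
class LoginState:
    """Per-account counter shared by every channel (web, device, sync, outlook)."""
    failed_attempts: int = 0
    locked_until: Optional[float] = None
    security_questions: List[str] = field(default_factory=list)
    audit: List[Tuple[str, str]] = field(default_factory=list)   # (channel, event) for review


def _expire_lock(state: LoginState, now: float) -> None:
    """A lock that has run its course clears itself, along with the counter (assumed)."""
    if state.locked_until is not None and now >= state.locked_until:
        state.locked_until = None
        state.failed_attempts = 0


def is_locked(state: LoginState, now: float) -> bool:
    _expire_lock(state, now)
    return state.locked_until is not None


def record_failure(state: LoginState, channel: str, now: float) -> dict:
    """Count one wrong password (or PIN) from any channel and say what the next screen shows."""
    if is_locked(state, now):
        state.audit.append((channel, "attempt_while_locked"))
        return {"status": "locked", "message": LOCKED_MESSAGE}
    state.failed_attempts += 1
    state.audit.append((channel, "invalid"))
    if state.failed_attempts >= MAX_ATTEMPTS:
        state.locked_until = now + LOCK_SECONDS
        state.audit.append((channel, "locked"))
        return {"status": "locked", "message": LOCKED_MESSAGE}
    result = {
        "status": "retry",
        "attempts_made": state.failed_attempts,
        "attempts_left": MAX_ATTEMPTS - state.failed_attempts,
        "security_question": None,
    }
    # The next attempt is number failed_attempts + 1; from the 4th on, ask a question if any is set.
    if state.failed_attempts + 1 >= QUESTION_FROM_ATTEMPT and state.security_questions:
        result["security_question"] = secrets.choice(state.security_questions)
    return result


def record_success(state: LoginState, channel: str) -> None:
    """A successful login or a completed password/PIN reset returns the counter to zero."""
    state.failed_attempts = 0
    state.locked_until = None
    state.audit.append((channel, "reset_counter"))
```

Because the state is keyed by account and not by device, the web/device/sync sequence in the list above locks the account on the fifth failure exactly as described, and the audit list shows which channels contributed.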


Note: The account lock can also happen after five wrong PIN code entries from multiple devices.


Password/PIN update from inside application

User can update password or PIN from the My Profile screen.

  • Click My Profile button (at the top navigation bar on the right-side) and then click My Profile menu button on the opened menu


Now, the My Profile screen will appear.

Screenshot displaying the My Profile screen:

Password change:

If password change is required, then click 'Change password' link to expand the Login info section.

Screenshot below displays the Change password section:

  • Enter the current password and then the new password (twice) and then click [Update] button to save the new password.


PIN change:

If PIN change is required, then click 'Change pin' link to open the Change pin pop-up box.


Note: The 'Change pin' link appears only if two-step verification is enabled.

Screenshot below displays the Change pin pop-up box:

  • Enter the current password and then the new PIN (twice for confirmation) and then click [Save changes] button to save the new PIN.


Any new password or PIN entry must comply with the complex password policy; otherwise the new password/PIN will not be saved. The new password or PIN overrides the existing complex password or PIN.


New user activation – instruction with password format

Any current user of ARC FACILITIES can send a campus invitation to users who are not registered with ARC FACILITIES.

When the account admin sends a campus invitation (by adding users to the team of the campus to be shared as new team members) to new users, these new users can be of two types: Employee or Shared.


New 'Employee' user getting campus invitation:

The invited users will receive a campus access link at their email ID (the email ID entered by the account admin while creating the new users). On clicking the link received in the email, the application redirects the invited user to the Account Activation screen (if the user is added to the team of the campus being shared as an employee user, i.e. the campus is shared to an employee user). The screen shows instructions describing the format of the password that he/she needs to enter (this applies when the complex password policy & two-step verification are enabled in the account of the user who shared the campus).


Screenshot displaying the Account Activation screen for an invited user (to be added as an employee) who does not have an ARC Facilities account:


After setting up the new complex password and clicking the [Sign in] button, the user will be taken to the Update PIN screen. This screen is shown below:

After setting the new PIN, the invited employee user (new user) will be able to enter the ARC FACILITIES application with access to the shared campus.


New 'Shared' user getting campus invitation:

The invited users will receive a campus access link at their email ID (the email ID entered by the account admin while creating the new users). On clicking the link received in the email, the application redirects the invited user to the Campus invitation screen (if the user is added to the team of the campus being shared as a shared user, i.e. the campus is shared to a shared user).


Screenshot displaying the Campus invitation screen for an invited user (to be added as a shared user) who does not have an ARC Facilities account:

The shared user does not need to set up a complex password or PIN even if two-step authentication is enabled in the account of the user who shared the campus. 


The shared user will simply enter a normal password (without matching the criteria of complex password) and click the [Sign in] button to enter the application. The shared user will only get access to the campus which has been shared to him/her. A shared user will not have access to campus settings and campus team.


Existing user getting campus invitation:

Existing account users, when added to the campus team, will also receive a campus access invitation link at their registered email ID. These users land directly on the log-in screen through the campus share link in the email. The user will have to enter his/her existing password & PIN to accept the campus invitation. If the account of the user to whom the campus has been shared has complex password & two-step verification enabled, the user will have to enter the complex password and PIN to accept the campus share.


Screenshot displaying campus invitation screen for an existing user:

Failing to enter the complex password three times will cause the security questions to appear. Failing to answer the security question & enter the password correctly can result in the account being locked. The same applies to PIN entry, which comes after successful entry of the complex password.


Password policy implementation on custom log-in screen:

The password policy works on a custom log-in screen in the same way as on the normal log-in screen. The custom log-in screen appears if the user has bought the log-in theme from the Account Settings screen inside the application.