This help file describes the security validations ARC Facilities applies to safeguard user information. They consist of requiring users to set up a complex password and, optionally, to pass a two-step authentication procedure in which the user must enter both the complex password and a PIN to access the application.
Where to set up a complex password and two-step authentication: Click the Settings menu button > Click Account Settings on the menu > Go to the Password Settings tab on the Account Settings screen.
Note: Only the Account admin can enable the complex password and two-step authentication settings. Other users on the account, such as employee users and shared users, are required to set up a complex password and/or PIN the next time they log in to the application after complex password and/or two-step authentication has been enabled for the account.
The Password Settings tab is shown in the screenshot below.
Password expiration days selection:
Admin users can select the number of days after which passwords on the account expire: 'never expire', 30 days, 90 days, 6 months, or 1 year. Starting 10 days before expiration, account users see a warning message after login asking them to reset the password.
Password expiration warning message:
“Your password will expire in 10 days. Click here to Reset Now.”
Setting up a complex password:
Account admin can require a complex password for the account. When the account admin selects this option, every user on the account must have a password that meets the minimum criteria below. The criteria are defined by ARC FACILITIES and apply globally to all users of the account.
The complex password consists of the following minimum criteria:
- 8 or more characters in length.
- At least one UPPERCASE letter must exist.
- At least one number (1234567890) or special character (!@#$%^&*) must exist.
Complex password activation:
Account admin can require a complex password under the Password Settings tab on the Account Settings screen.
Screenshot highlighting the complex password setup checkbox:
1. Once the Account admin selects the “Require Complex Password” checkbox and clicks on the [Save] button, the application will display a message box asking the user to reset the current password. The notification will be “Password policy has been successfully updated. Please reset your password now.”
2. Click on the “Reset Password” button to replace your current password with a complex password. The user will be logged out of the application and navigated to the "Update Password" screen.
Screenshot displaying the Update Password screen:
3. The user enters the old password, then enters the new password twice (for confirmation) as required by the complex password policy, and clicks on the [Submit] button. The user is then redirected to the ‘Log in’ screen.
If the new password does not satisfy the complex password policy, it cannot be saved; the user must reset the password before proceeding.
Error scenarios:
- If the user does not enter any new password and by mistake clicks on the [Submit] button, then the following message is displayed “Required field(s) cannot be empty”.
- If the user fails to enter the same password twice (when entering a new password) and clicks the [Submit] button, then the following message is displayed “Your new password and confirmation do not match. Please try again.”
4. On the log-in screen, the user enters his/her username or email and the new complex password to access the account.
Note: The application remembers the five most recent passwords. If a user enters one of them as the new password, the following message is displayed: “Cannot use recent five passwords. Please try again.”
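As an added illustration (this is example code, not code from ARC Facilities), the following Python applies the complexity rules listed above, the "recent five passwords" check, and the 4-digit PIN rule in the same order as the Update Password and Update PIN screens. The function names, the PBKDF2 cost parameter and the assumption that the five-password window includes the current password are the example's own; the page does not state them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy constants taken from the help text above.
MIN_LENGTH = 8
DIGITS = "0123456789"
SPECIAL_CHARS = "!@#$%^&*"
HISTORY_DEPTH = 5             # "Cannot use recent five passwords"
PIN_LENGTH = 4                # "The PIN length should be 4 digits only"
PBKDF2_ITERATIONS = 100_000   # assumption: cost parameter for the stored hashes


def check_complexity(password: str) -> list:
    """Return the rules a candidate password violates ([] means it is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be {MIN_LENGTH} or more characters")
    if not any(c.isupper() for c in password):
        problems.append("must contain at least one UPPERCASE letter")
    if not any(c in DIGITS or c in SPECIAL_CHARS for c in password):
        problems.append(f"must contain at least one digit or one of {SPECIAL_CHARS}")
    return problems


def check_pin(pin: str, confirmation: str) -> list:
    """Mirror the Update PIN screen: confirmation must match and the PIN is exactly 4 digits."""
    if pin != confirmation:
        return ["Your new PIN and confirmation do not match. Please try again."]
    if len(pin) != PIN_LENGTH or any(c not in DIGITS for c in pin):
        return [f"PIN must be exactly {PIN_LENGTH} digits"]
    return []


def _hash(password: str, salt: bytes) -> bytes:
    # Never keep old passwords in clear text: a salted PBKDF2 digest is enough to answer
    # "was this password used recently?" without storing the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordRecord:
    """Salted hashes of the current password and the previous ones, newest first."""
    history: list = field(default_factory=list)   # list of (salt, digest) tuples

    def reuses_recent(self, candidate: str) -> bool:
        # Assumption: the "recent five" window includes the current password.
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self.history[:HISTORY_DEPTH])

    def change_password(self, candidate: str, confirmation: str) -> list:
        """Apply the Update Password screen's checks in order; [] means the change was saved."""
        if not candidate or not confirmation:
            return ["Required field(s) cannot be empty"]
        if candidate != confirmation:
            return ["Your new password and confirmation do not match. Please try again."]
        problems = check_complexity(candidate)
        if problems:
            return problems
        if self.reuses_recent(candidate):
            return ["Cannot use recent five passwords. Please try again."]
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(candidate, salt)))
        del self.history[HISTORY_DEPTH:]   # older entries can never match again, so drop them
        return []


if __name__ == "__main__":
    record = PasswordRecord()
    for attempt in ("short1A", "alllowercase1", "NoDigitOrSymbol", "Winter2024!", "Winter2024!"):
        print(attempt, "->", record.change_password(attempt, attempt) or "saved")
```

Two points worth noting when reading the rules this way: the special-character set is exactly the eight characters the page lists, so a password like `Winter2024-` is rejected even though it contains a symbol, and a 4-digit PIN has only 10,000 possible values, which is why the five-attempt lock-out described later on this page, not the PIN itself, is what protects the second step.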
Session ended for logged-in users after complex password enablement:
If the admin modifies the password policy, all users who are already logged in to the account are logged out (their sessions are ended). The next time these users try to log in, the application prompts them to update their password according to the new complex password policy. This applies to every active session on the account, including employee users logged in through the device app, sync, web, and the Outlook plug-in.
Account (employee) user logging in after account admin has enabled complex password:
Account users first reach the log-in screen. After they enter their current password, the application redirects them to the Update Password screen and displays the message “Your account’s security settings have been updated by your admin. Your password must now be updated.” These users must then update their password according to the new complex password policy.
Note: Once a password policy is enabled on the account, users must make sure that every device, sync, and Outlook plug-in version of ARC FACILITIES they use is the latest version; otherwise they will not be able to log in. If a client is out of date, download the latest version from the appropriate location.
Security Questions & Answers
After the account admin enables the complex password and/or PIN requirement and then logs in, the application displays a message asking the user to set security questions.
This message is shown in the screenshot below.
- Click on the [Update security information] button to navigate to the Edit Profile screen in order to set the security questions.
Screenshot displaying the Edit Profile screen with security questions [highlighted in the screenshot below]:
Account users can select between one and three security questions from a pool of 15 and enter free-text answers to the selected questions, or choose not to set up any questions at all. Security questions (if set) must be answered after three wrong entries of the complex password or of the PIN (see the lock-out sections below).
Note: The security questions will appear only after complex password and/or two-step verification is enabled.
Selecting security questions & entering answers:
1. Each user selects between one and three questions from the following list of 15 and enters the answer to each selected question as free text:
I. In what city or town did you meet your spouse/partner?
II. What is the name of your first boyfriend/girlfriend?
III. In what city, did you have your first kiss?
IV. What was the make/model of your first car?
V. What street did you grow up on?
VI. Which phone number do you most remember from your childhood?
VII. What was your favorite place to visit as a child?
VIII. Who was your favorite actor, musician, or artist as a child?
IX. What was the name of your first stuffed animal/doll/action figure?
X. What is the name of your first-grade teacher?
XI. In what city or town did your mother and father meet?
XII. In what town or city was your first full-time job?
XIII. Who was your childhood hero?
XIV. What was your favorite sport in high school?
XV. What was the name of the company where you had your first job?
2. After selecting the questions and entering appropriate answers click on the [Save] button to enable the security questions.
If a user selects the same security question more than once, the following error message is displayed: “Security questions cannot be the same.” and the application will not save the questions and answers. After the questions are saved, the user can continue with normal work in the application.
Setting up two-step verification
The account admin can require two-step verification for stronger security. Admin users tick the 'Require two-step authentication' checkbox under the Password Settings tab [highlighted in the screenshot below] and then click on the [Save] button to enable the two-step verification process.
Scenario 1: Complex password already enabled before enabling two-step verification
Because the complex password is already in place, the user only has to set up a new PIN.
After the admin user enables two-step verification, the application displays a message box asking the user to set up a new PIN. The notification will be “Two-Step Verification has been successfully activated. Please assign your Personal Identification Number (PIN) now.”
Screenshot displaying the message:
1. Click on the “Set PIN” button to configure a new PIN number. The user will be logged out of the application and navigated to the Update PIN screen.
Screenshot displaying the Update PIN screen:
2. Enter the current complex password (the one set earlier), then enter the new PIN twice (for confirmation).
Note: The PIN must be exactly 4 digits.
Error scenarios:
If the new PIN and the confirmation PIN differ, the following message is displayed: “Your new PIN and confirmation do not match. Please try again.”
If the user enters the wrong current password, the application displays the message “Entered password is invalid”.
3. After the user enters the PIN and clicks the [Submit] button, he/she is redirected to the ‘Log in’ screen.
4. On the log-in screen, the user first enters his/her username or email and the complex password to proceed to the PIN verification screen.
5. On the Verify your identity screen, the user enters the PIN to finally access the account (i.e. land on the Common login screen).
Tip: The login flow after two-step verification is enabled is described under “User logging in after enabling two-step verification” below.
Scenario 2: Complex password not enabled before enabling two-step verification
As soon as the admin selects two-step verification, the 'Require Complex Password' checkbox is automatically selected. The complex password checkbox cannot be cleared while two-step verification is enabled.
Enabling two-step verification in this case involves setting a complex password first and then setting a PIN.
1. After the admin user enables two-step verification and clicks on the [Save] button, the application will display a message box asking the user to reset the current password.
The notification will be “Password policy has been successfully updated. Please reset your password now.”
Screenshot displaying the message:
2. Click on the “Reset Password” button to reset your current password into a complex password. The user will be logged out of the application and navigated to the Update Password screen.
Screenshot displaying update password screen:
3. The account admin enters the old password and then the new password twice (for confirmation) as required by the complex password policy.
4. After updating the new password, click on the [Submit] button to move to the Update PIN screen.
Screenshot displaying the Update PIN screen:
5. On this screen, enter and re-enter a new PIN (for confirmation).
Note: The PIN must be exactly 4 digits.
After setting the new complex password and PIN, the admin user is automatically logged out of the application and must log in again with the new complex password and new PIN.
6. After the user enters the PIN and clicks the [Submit] button, he/she is redirected to the ‘Log in’ screen.
7. On the log-in screen, the user first enters his/her username or email and the complex password to proceed to the PIN verification screen.
8. On the Verify your identity screen, the user enters the PIN to finally access the account (i.e. land on the Common login screen).
Tip: The login flow after two-step verification is enabled is described under “User logging in after enabling two-step verification” below.
User logging in after enabling two-step verification
After updating the new complex password and PIN, the user is returned to the log-in screen.
1. The user enters the log-in credentials (username and complex password) on the log-in (sign-in) screen to access the application after two-step verification is enabled.
Screenshot displaying the log-in screen:
After the username and new complex password are accepted, the application redirects the user to the Verify your identity screen, which is the PIN entry screen.
Screenshot displaying the PIN entry screen:
2. Enter the new PIN.
3. After entering the PIN, the user can optionally select the checkbox “Trust this computer when I sign in” under the Security Preference heading.
User trusts this computer:
- If a user selects the checkbox “Trust this computer when I sign in”, then on subsequent logins from that computer the user only has to enter the user ID and complex password; no PIN entry is required, even though two-step authentication is enabled. Because the trust is remembered by the browser on that machine, do not select this option on a shared or public computer.
Note: The trust is specific to the browser. If the user logs in from a different browser on the same computer, the application asks for the PIN again and re-confirms the security preference.
User doesn’t trust this computer:
- If a user does not select the checkbox “Trust this computer when I sign in”, the PIN must be entered after the log-in credentials (user ID and complex password) on every login. By default, the checkbox is not selected.
4. In the end, click on the [Submit] button to access the application.
Session ended for logged-in users after two-step verification enablement
When the account admin enables two-step verification and the complex password, every employee user with an active session on the account is logged out (session ended), including users accessing the account through the device app (phone or tablet) or the sync application.
Account (employee) user logging in after account admin has enabled two-step verification
When an account (employee) user logs in for the first time after two-step verification is enabled, he/she first enters his/her account log-in credentials. The application then displays the message “Your account password has been reset & new account PIN set by the account admin, so please update your account password & PIN”.
The employee user is redirected to the Update Password screen. After setting the new password, the user is taken to the Update PIN screen, and after setting the PIN, the user is returned to the log-in screen. The user then logs in with the new complex password and new PIN to access the account.
After entering the application, the user receives a message asking him/her to select and answer security questions. This alert appears when the complex password is enabled but no security questions have been set. The user sets the security questions and answers from the ‘My Profile’ screen and then continues working in the application.
Wrong password entry (in case two-step verification is enabled):
1. The user opens the log-in screen of the application, enters the email ID, and then enters a wrong password.
Screenshot displaying the first invalid login attempt:
2. The user enters the wrong password three (3) times.
From the fourth attempt onward (i.e. on the fourth and fifth attempts), the application displays one security question chosen at random from the questions the user set on the My Profile screen (the question appears only if the user has selected and answered security questions there).
The application displays, in the message at the top of the screen, the number of invalid login attempts made and the number of attempts left.
Note:
- The total number of log-in attempts is 5; once they are used up, the account is locked. The security questions appear on the fourth and fifth attempts.
- Invalid logins are counted, and the account locked, only when a strong (complex) password policy and/or two-step verification is enabled.
Screenshot displaying the security question on the log-in screen on the penultimate (fourth) attempt:
On these attempts the user must enter both the correct password and the correct answer to the security question to proceed.
If the account has no security questions configured, the application displays no security question and the user simply has five attempts to enter the correct password.
3. The user enters the wrong password, a wrong answer to the security question, or both, on the two remaining attempts (i.e. five invalid attempts in total).
The application displays the message “Your account has been locked due to too many invalid login attempts. A reset password link has been sent to the registered email. Please follow the email instructions to unlock and access your account.”
The screenshot below displays the locked account message:
Note: The account lock lasts a few hours; the user can log in again once that period has elapsed. The lock expires automatically after that period even if the user does not use the reset password link from the email in the meantime.
An email will be sent to the user registered email along with a reset password link.
Screenshot displaying the ‘reset password’ link in the email:
4. User opens the email and clicks the Reset Password link in the email
5. After clicking the link, the application navigates the user to a screen where he/she will have to enter a new password twice (for confirmation) and provide an answer to a randomly selected question. The randomly selected question is one out of the three questions selected and answers entered by the user in the ‘My profile’ screen.
Screenshot displaying the update password screen with security question:
If a user enters a wrong answer to the security question, then the following message is displayed "Answer to your security question is incorrect. Please try again". This is shown below,
After a user successfully answers the question, enters a new password (twice), and then clicks on the [Save password] button, he/she will be redirected to the log-in screen.
6. User enters the log-in credentials (correct complex password entered this time)
The application redirects the user to the PIN code entering screen.
7. User enters the correct PIN code
User successfully enters the application.
Note: The security question appears only if the user has configured or set the security questions & associated answers from the ‘My Profile’ screen.
Wrong PIN code entry (in case two-step verification is enabled):
1. User opens the log-in screen of the application
2. User enters the user name or email ID and the correct complex password
After a user successfully enters the log-in credentials he/she will be redirected to the PIN code entering screen.
3. The user enters an incorrect PIN on the first attempt.
Screenshot displaying the first invalid login attempt:
4. The user enters the wrong PIN three times in a row.
From the fourth attempt onward (i.e. on the fourth and fifth attempts), the application displays one security question chosen at random from the questions the user set on the My Profile screen (the question appears only if the user has selected and answered security questions there). The application also displays, at the top of the screen, the number of invalid attempts made and the number of attempts left.
Note: The total number of PIN entry attempts is 5; once they are used up, the account is locked. The security question appears from the fourth attempt onward.
Screenshot displaying the security question on the PIN entering screen on the penultimate (fourth) attempt:
The user enters the wrong PIN, a wrong answer to the security question, or both, on the two remaining attempts after the third.
The application displays the message “Your account is locked due to invalid login attempt. A reset PIN login link has been sent to your email. Please follow the email instruction to unlock your account.”
Screenshot displaying the message:
Note: The account lock lasts a few hours; the user can log in again once that period has elapsed. The lock expires automatically after that period even if the user does not use the RESET PIN link from the email in the meantime.
An email will be sent to the user registered email along with the RESET PIN link.
Screenshot displaying the ‘Reset PIN’ link in the email:
5. User opens the email and clicks the RESET PIN button in the email.
The application navigates the user to a screen where he/she must enter the complex password and the new PIN twice (for confirmation).
Screenshot displaying the ‘Reset PIN’ screen:
6. The user enters the current complex password and the new PIN twice (for confirmation). If the user enters the wrong password, the following message is displayed: “Entered password is invalid”.
After resetting the PIN code, the user will be redirected to the log-in screen.
7. User enters the log-in credentials (username or email and complex password)
The application redirects the user to the PIN code entering screen.
8. User enters the correct PIN code
User successfully enters the application.
Info:
- After a successful login, or after a password reset or update, the invalid-attempt count is reset to zero.
- On a two-step verification enabled account, the login token is valid only once the two-step verification process (password and PIN) has been completed; a correct password alone does not grant access.
- The security question appears only if the user has configured security questions and answers on the ‘My Profile’ screen.
User forgets PIN
A user who forgets the PIN can reset it from the PIN entry screen.
- Click the “Forgot PIN?” link on the PIN entering screen.
A message is displayed at the top of the screen which states “An email with a link to reset your PIN has been sent to you”.
Screenshot displaying the message at the top of the screen:
- Open the mailbox and view the Reset PIN Request email
Screenshot displaying the PIN reset email:
- Click the Reset PIN button to navigate to the Reset PIN screen.
Screenshot displaying the Reset PIN screen:
From the Reset PIN screen, the user first enters the complex password, then sets a new PIN, and can then proceed to access the application.
User trusts computer but PIN code locked from device
If a user has selected the security preference “Trust this computer when I sign in”, the application does not ask that user for a PIN, even though two-step authentication is enabled. This preference applies only when the user logs in from the same computer using the same browser.
Because the preference is device- and browser-specific, a user who logs in from another device is asked for the PIN there, and if he/she enters the wrong PIN five times, the account is locked. A reset PIN email is sent to the user’s registered email ID. The lock applies to the account, not to the device, so it also blocks login from the trusted browser.
While the account is locked, a user who tries to log in from the web sees, after entering the log-in credentials (username and password), the message “Your account has been locked, reset PIN mail send to your email ID, please reset PIN to access account”. The user must then enter his/her email ID, click on the Reset PIN link, and navigate to the Reset PIN screen. On this screen the user enters the current password and a new PIN twice (for confirmation).
Screenshot displaying the PIN reset screen:
After resetting the PIN, the user can access the application.
Account lock from multiple devices
Invalid login attempts are counted globally for the account, across channels: a wrong entry from the web, then from sync, then from the device app all add to the same count, and at five invalid attempts the account is locked.
So an account can be locked by five failed logins spread over multiple devices. For example,
- The user first tries to log in to his/her account from the website and enters the wrong password once. The application counts this as the first failed log-in attempt.
- The user then tries to log in to the same account from the device app three more times, again entering the wrong password each time. The application counts these as three more failed log-in attempts.
- The user tries to log in to his/her account from the sync app and once again enters the wrong password. The application counts this as the fifth failed log-in attempt and consequently locks the account.
- The application displays a message on the current device screen - “Your account is locked due to invalid login attempt. A reset password link has been sent to your email. Please follow the email instruction to unlock your account.”
- An email will be sent to the user registered email along with a reset password link.
Note: The account lock can happen for wrong entry of PIN code five times from multiple devices as well.
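The following Python is an added example, not ARC Facilities code, of the lock-out behaviour this page describes: one attempt counter per account shared by every channel, a security question demanded from the fourth attempt on (only when the user has questions), a lock after the fifth failure with a reset link e-mailed, the counter cleared by a successful login or a reset from the e-mail, and the lock expiring on its own. The lock duration (the page only says "a few hours"), the separate counters for the password and PIN stages, the case-insensitive answer comparison and all names are assumptions of the example; the scenario replays the multi-device walkthrough above but makes the fourth attempt a correct password with a wrong answer, to show that both must be right.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 5            # page: 5 log-in (or PIN) attempts, then the account is locked
QUESTION_FROM_ATTEMPT = 4   # page: a security question is added on the 4th and 5th attempt
LOCK_SECONDS = 3 * 3600     # assumption: the page only says the lock lasts "a few hours"
STAGES = ("password", "pin")


def _norm(answer: str) -> str:
    # Assumption: answers are compared case- and whitespace-insensitively.
    return " ".join(answer.split()).casefold()


@dataclass
class LoginGuard:
    """One guard per account; the counter is global across web, device, sync and Outlook."""
    security_answers: dict = field(default_factory=dict)   # question -> answer (demo: plaintext)
    failures: dict = field(default_factory=lambda: dict.fromkeys(STAGES, 0))
    locked_until: float = 0.0
    emails_sent: list = field(default_factory=list)        # stand-in for the mailer

    def is_locked(self, now: Optional[float] = None) -> bool:
        return (time.time() if now is None else now) < self.locked_until

    def next_attempt_needs_question(self, stage: str) -> bool:
        """True once three failures are on record and the user has questions configured."""
        return bool(self.security_answers) and self.failures[stage] + 1 >= QUESTION_FROM_ATTEMPT

    def pick_question(self) -> Optional[str]:
        return secrets.choice(list(self.security_answers)) if self.security_answers else None

    def attempt(self, stage: str, credential_ok: bool, channel: str,
                question: Optional[str] = None, answer: Optional[str] = None,
                now: Optional[float] = None) -> dict:
        """Record one password or PIN attempt from any channel and say what happens next."""
        if stage not in STAGES:
            raise ValueError(stage)
        now = time.time() if now is None else now
        if self.is_locked(now):
            return {"status": "locked", "channel": channel, "reason": "lock still active"}
        attempt_no = self.failures[stage] + 1
        answer_ok = True
        if self.next_attempt_needs_question(stage):
            expected = self.security_answers.get(question)
            answer_ok = expected is not None and answer is not None and _norm(answer) == _norm(expected)
        if credential_ok and answer_ok:
            self.failures[stage] = 0            # page: a successful login resets the count
            if stage == "pin":
                self.failures["password"] = 0   # assumption: a full login clears both counters
            return {"status": "ok", "channel": channel, "attempt": attempt_no}
        self.failures[stage] = attempt_no
        if attempt_no >= MAX_ATTEMPTS:
            self.locked_until = now + LOCK_SECONDS
            self.emails_sent.append(f"reset-{stage}-link")   # "A reset ... link has been sent"
            return {"status": "locked", "channel": channel, "attempt": attempt_no}
        return {"status": "retry", "channel": channel, "attempt": attempt_no,
                "attempts_left": MAX_ATTEMPTS - attempt_no,
                "ask_question": self.next_attempt_needs_question(stage)}

    def complete_reset_from_email(self, stage: str) -> None:
        """The reset link from the lock-out e-mail clears the lock and the counter."""
        self.failures[stage] = 0
        self.locked_until = 0.0


def run_multi_device_scenario(now: float = 1_700_000_000.0):
    """Replay the page's example: 1 wrong password on web, 3 on the device, 1 in sync."""
    q = "What street did you grow up on?"
    guard = LoginGuard({q: "Elm Street"})          # constructed sample answer
    results = [
        guard.attempt("password", False, "web", now=now),
        guard.attempt("password", False, "device", now=now),
        guard.attempt("password", False, "device", now=now),
        # 4th attempt: question required; a wrong answer fails even with the right password
        guard.attempt("password", True, "device", question=q, answer="Oak Street", now=now),
        # 5th attempt: wrong password with the right answer -> locked, reset e-mail sent
        guard.attempt("password", False, "sync", question=q, answer="elm street", now=now),
    ]
    return guard, results


if __name__ == "__main__":
    guard, results = run_multi_device_scenario()
    for r in results:
        print(r)
    print("locked now:", guard.is_locked(1_700_000_000.0 + 60), "emails:", guard.emails_sent)
```

Keeping the counter on the account rather than on the device is what makes the multi-device example above work; a counter stored per session or per client would let an attacker get five fresh guesses from every new device. The `now` parameter exists only so the lock expiry can be checked without waiting; a real deployment would use the server clock.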
Password/PIN update from inside application
Users can update password or PIN from the My Profile screen.
- Click on the My Profile button (at the top navigation bar on the right side) and then click on the My Profile menu button on the opened menu.
Now, the My Profile screen will appear.
Screenshot displaying the My Profile screen:
Password change:
If the password needs to be changed, click on the 'Change password' link to expand the Login info section.
The highlighted portion in the screenshot below displays the Change password section:
- Enter the current password and then the new password (twice) and then click [Update] button to save the new password.
PIN change:
If PIN change is required, then click on the 'Change pin' link to open the Change pin pop-up box.
Note: The 'Change pin' link appears only if two-step verification is enabled.
The screenshot below displays the Change pin pop-up box:
- Enter the current password and then the new PIN (twice for confirmation) and then click on the [Save changes] button to save the new PIN.
A new password must satisfy the complex password policy and a new PIN must be exactly 4 digits; otherwise the new password/PIN will not be saved. The new password or PIN replaces the existing one.