2021-12-08 - New authentication process and multi-factor authentication
We have implemented a new user authentication process that will roll out on December 13, 2021. This process includes new login screens that allow for two different means of authentication:
- Entering a username/password combination, or using a login link sent by email;
- Entering a second authentication factor, in the form of a temporary one-time code (OTP) generated by an authentication application installed on a mobile device or computer, along with a bank of recovery codes.
We have consolidated the management of security-related options in a new Security section, located in the user and organization profiles.
For more information, please refer to the following documentation articles:
- Authentication process
- Multi-factor authentication - Definition, activation and use
- Creation of new user accounts
- Activation of a user account
- Password management
- Organization security policy
- Authentication for APIs
- Unblocking of user accounts and automatic expiration of inactive accounts
- Disabling multi-factor authentication (administrator)
Please also note the following changes:
- Users are now the only ones who can set, manage and reset their passwords
- The duration of user sessions has been shortened and sessions automatically expire after a period of inactivity
- Users can now manage their own authentication token for APIs
- The status of user account security options now appears in the user report
Over the coming months, activating multi-factor authentication will be more and more strongly encouraged, and it will become mandatory for everyone during 2022. In addition, user accounts that have not logged in to the platform will be considered inactive. These accounts will have to be reactivated by an administrator, and their users will have to follow the password reset procedure.
We remind you that good security practices are always strongly recommended:
- only one person per user account
- a strong and unique password
- regular password rotation
- use of a password manager
Identification is always done with the username, not the email address associated with the account.