Password settings
A series of settings are configurable for the built-in authentication method:
PATCH /api/v2/config/auth{ "maxFailedLoginAttempts": 5, "failedLoginAttemptsTTL": 300, "userCacheTTL": 500, "maxUserSessionDuration": 2592000, "passwordRegex": "^[A-Za-z0-9!@#$%^&*()_+\\-=\\[\\]{};:<>,.?/|~`]+$", "passwordMonthsValidity": 3}Admin UI Overview
Section titled “Admin UI Overview”These settings can also be set in the Admin UI under Global configurations/Authentication and define the security boundaries and operational rules governing built-in user authentication, specifically designed to mitigate unauthorized access attempts, prevent dictionary attacks, and maintain strong credential hygiene. Configuring these policies is mandatory for systems requiring high levels of compliance (e.g., HIPAA, PCI DSS).
LDAP and SAML security settings are defined in the respective providers and not in MetalSoft.
I. Session Management & Performance
Section titled “I. Session Management & Performance”These settings control the lifespan of user sessions and how often system data is refreshed, balancing security with usability.
| Setting | Value | Description | Impact |
|---|---|---|---|
| Maximum user session duration | (Time Input in seconds) | The number of seconds a user’s session can last before the user is automatically logged-out. Note that this is irrespective of activity. | Impact: Provides a maximum duration before a user is logged out automatically. |
| Session Inactivity Timeout | (Time Input in seconds) | Sets the maximum duration a user is allowed to be logged into the system without performing any action (idle time) before their session is automatically invalidated and they are forced to re-authenticate. | Impact: A key measure of security compliance. Set this to match or exceed your organization’s corporate policy. |
II. Login Attempt Management (Anti-Brute Force)
Section titled “II. Login Attempt Management (Anti-Brute Force)”These policies govern the system’s response when an account is subjected to repeated, incorrect login attempts.
| Setting | Value | Description | Impact |
|---|---|---|---|
| Maximum Failed Login Attempts | (Number Input) | Total number of times a user can attempt to log in using an incorrect password before the system automatically triggers a lockout state for that account. | Impact: This is the primary defense layer against brute-force attacks. |
| Lock-out Period for Failed Passwords | (Time Input in seconds) | The number of seconds the user has to wait before the password can be retried. | Impact: Provides a “cool-down” mechanism for suspicious activity, slowing down automated attackers. |
III. Password Lifecycle Policies (Credential Hygiene)
Section titled “III. Password Lifecycle Policies (Credential Hygiene)”These settings govern the mandatory changes and constraints placed upon user passwords over time, ensuring that credentials remain strong and resistant to compromise.
| Setting | Value | Description | Impact |
|---|---|---|---|
| Password Reuse Lockout Duration | (Time Input in seconds) | The amount of time a previously used password cannot be repeated. | Impact: Enforces continuous complexity and prevents users or attackers from falling back to simple, old, or compromised credentials. |
| Maximum Password Validity | (Time Input in seconds) | The maximum period (time) an active user’s password can remain unchanged before the system automatically forces a mandatory password reset upon next login. | Impact: Crucial for mitigating risks associated with leaked or compromised credentials. |