Security Settings and System Access Controls
This article will cover the following:
- Security Settings
- System Access
The security settings section houses all of the portal security settings. We recommend you review your settings carefully, as they affect access to your system and help keep it locked down to your security preferences.
Please note that in order to view the "System Access" tab, you will need to enable Multi-Factor Authentication for your Admin Portal.
There are up to 6 sections:
- All Portal Settings
- Admin Portal
- Affiliate Portal
- Buyer Portal
- Advertiser Portal
- Custom Queue Portal
All Portal Settings
This is where you can configure the max failed login attempts.
Max Failed Login Attempts: This is the number of attempts a user will have to log in before being locked out and required to change their password. It applies to all portal logins, including the Admin, Affiliate, Advertiser and Buyer Portals.
The Admin portal is the only portal with the Enable Multi-Factor Authentication setting. When enabled, employees will have to provide a code from their mobile device in order to log in.
The settings below are available for all portals. Each portal has its own section so that users can control these settings individually.
Portal Session Timeout: When a user has been inactive for the set number of minutes, they will be logged out and forced to log back in with their credentials.
Password Strength: You can set the strength of passwords for users who have access to the Admin Portal.
- Weak: 5 characters, cannot be the user’s first or last name, cannot be the user’s email address, cannot be “password”, cannot be “12345” or “54321”
- Strong: In addition to the restrictions for Weak: must be 9 characters, must contain 1 number, 1 lowercase and 1 uppercase letter
Password Usage History Restriction: The password cannot be the same as one of the last X number of passwords used.
Password Expiration Policy*: The number of days a user has before being forced to update and change their password.
Force Password Reset: This will log everyone out of the Admin portal and force them to create a new password in order to log back into CAKE.
The System Access sub-tab houses all features related to accessing CAKE. This tab is only accessible to users who have enabled the Multi-Factor Authentication feature. In order to access this tab, you must provide a username, a password and an MFA code.
IP Whitelist enables users to restrict which IP addresses can access each portal. Users can specify any of the following portals:
- All Admin APIs
- All Portals
To add a Whitelist, follow the steps below:
- Click the Add Button
- Enter the IP Start
- Enter the IP End
- Select the portal
- Click Update to save the changes
** Please note: do not lock yourself out of your portal by whitelisting, for your Admin or All Portals, an IP that you are not currently accessing your CAKE instance from.
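A pre-save check for the lockout warning above, written as an added example that is not part of CAKE or its documentation: it tests whether the IP you are connecting from falls inside the ranges you plan to enter. It assumes ranges are inclusive, that a scope with no entries is unrestricted, and that "Admin" and "All Portals" (labels from this page) are the scopes gating Admin logins; the function names are hypothetical.

```python
import ipaddress

# Assumption: these labels (taken from this page) are the scopes that gate Admin logins.
ADMIN_SCOPES = {"Admin", "All Portals"}


def parse_range(ip_start, ip_end):
    """Parse one IP Start / IP End pair; reject reversed or mixed-family ranges."""
    first = ipaddress.ip_address(ip_start.strip())
    last = ipaddress.ip_address(ip_end.strip())
    if first.version != last.version:
        raise ValueError(f"mixed IPv4/IPv6 range: {ip_start} - {ip_end}")
    if first > last:
        raise ValueError(f"IP Start is after IP End: {ip_start} - {ip_end}")
    return first, last


def would_lock_out(current_ip, entries):
    """Return True if current_ip falls outside every Admin-scoped range in entries.

    entries: (ip_start, ip_end, portal) tuples as they would be typed into the form.
    Assumptions: ranges are inclusive, and a scope with no entries is unrestricted.
    """
    me = ipaddress.ip_address(current_ip.strip())
    # Validate every row, even ones for other scopes, so typos surface early.
    parsed = [(parse_range(s, e), portal) for s, e, portal in entries]
    scoped = [rng for rng, portal in parsed if portal in ADMIN_SCOPES]
    if not scoped:
        return False
    return not any(
        first.version == me.version and first <= me <= last
        for first, last in scoped
    )


if __name__ == "__main__":
    # Constructed sample rows using documentation-reserved address ranges.
    planned = [
        ("203.0.113.10", "203.0.113.20", "Admin"),
        ("198.51.100.0", "198.51.100.255", "All Admin APIs"),
    ]
    for ip in ("203.0.113.15", "198.51.100.7"):
        verdict = "would be locked out" if would_lock_out(ip, planned) else "ok"
        print(f"{ip}: {verdict}")
```

Run it with the public IP your browser session actually presents, which may differ from your workstation's local address when you are behind NAT or a VPN.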
API keys are used to authenticate API requests. API keys should be treated like passwords. You can access your Admin and Affiliate API keys via the System Access sub-tab. Admin API keys are aliased so the key is not displayed in the UI. To access API keys, follow the steps below:
- Click on the System Access sub-tab
- Click the "Show" link
If you want to alias your API key:
- Double click the API Key row to make it editable
- Update the Alias with a friendly name you will remember
- Click Update to save changes
New Device/IP Login Alert
To help keep your login to the CAKE Admin portal secure, CAKE will now provide a notification any time a login comes from a device or location different from that of the last login.