Topic: Security settings for ConfTool Pro (password strength, session times and CAPTCHAs)

How access is controlled in our ConfTool installation? How are users authenticated and authorized to login? Can we define security settings?

As each ConfTool installation contains not only personal data, but usually also research results and other intellectual property and/or registration information, access to the system is controlled by valid user names and passwords. Depending on the data stored in your ConfTool system and the security requirements of your organization, you might have to set higher security standards for your installation. Therefore, ConfTool Pro offers separate settings for each installation like the “Password Settings for User Accounts”, “Session Timeout Settings” and “CAPTCHAs”.

To update your “Security Settings for User Registration and Management”, please go to:
Overview => Settings => Settings for User Registration => Security Settings for User Registration and Management

1) In the section Registration of New ConfTool Accounts you can define the security settings for creating a user account (see image 1).
  • Account Options for New ConfTool Users: Please define whether user name and password have to be entered manually ("Show user name and password fields (default)"), or user name and password can be generated by the system ("Optional password generator"). For more detailed information please consult the forum entry Requirements for user login passwords.
  • Secret Key and URL to Access New User Registration Page: You can define a string of numerals and characters (as "secret key" that will be used as part of a "secret URL") to allow people to create new user accounts even if user registration has been disabled in the backend.

2) To update the minimum security requirements for user accounts, please check the Password Settings for User Accounts (image 2):
  • Password Requirements: You can choose from three options ("low", "normal", "high") to define a minimum password strength in length and complexity.
  • Extra Mail for Password: You can define that an automatically generated password will be sent to users in an extra e-mail without the user name. If the user name and password are not generated by the system, but entered by the users themselves, no password e-mail will be sent.
  • Two-Factor Authentication: This serves as an additional authentication mechanism to secure access to the system. If enabled, users have to enter one-time passwords through a third party mobile app like Google Authenticator or generated by YubiKey devices provided by “Yubico”. Optionally, Two-Factor Authentication can be enabled for all users. Per default, it is enabled only for users with “Admin” status or for users with other administrative rights.

3) Session Timeout Settings let you determine how long specific user groups are connected with the installation before inactivity triggers an automatic log out (image 3). Please keep in mind that short timeouts increase security while configuration of the system (Admins), organization of the reviewing process (Chairs) or registration (all other users) all need enough time to be completed. Therefore, you can define Session Timeouts for some groups of users in particular.
As soon as the time limit has been exceeded without user interaction, users just have to login again (image 4). Please note: Two minutes before a user is logged out of the system, a warning message is displayed.

4) You can enable CAPTCHAs ("Completely Automated Public Turing test to tell Computers and Humans Apart") for your ConfTool Pro installation both for new user registrations and the login process (image 5). Please note that usually CAPTCHAs are not required because ConfTool Pro already uses several “invisible” mechanisms to avoid the automatic creation of user accounts. There is no considerable benefit in creating fake user accounts and the system always blocks brute force login attacks.

Two different types of CAPTCHAs are available:
  • SecurImage is a classic CAPTCHA that requires a sequence of a few letters to be entered into a text field. This mechanism is provided by ConfTool GmbH and runs on our servers only.
  • Google reCAPTCHA V2 requires the user to tick a checkbox or to select a couple of images. This service is considered very secure, but relies on the services of Google. Please note that some people (for example, people living in China) have limited access to Google and this service.

Both types are available for the login page. If enabled, the user has to complete the CAPTCHA to log in to the system (see images 6 and 7). Please note that after 10 unsuccessful login attempts users and their IP will be blocked for 10 minutes.

If CAPTCHA is enabled for the user registration process, each user has to enter letters correctly ("SecurImage", image 8 ) or tick the checkbox / select the right images ("Google reCAPTCHA V2", see image 9) to create a new user account.