This portion of the document describes the strong security validations implemented for safeguarding user information. The security validations are concerned with enforcing users to set up complex passwords and requiring users to pass through a two-step authentication procedure.  This feature will be available in both the modules of SKYSITE (SKYSITE Projects/F&A). 


A new section called Password Settings is incorporated under the Password Settings tab (Profile > Settings > Password Settings) in SKYSITE Projects.


Account admin will get option to set password policy in Account settings tab for all users in that account.


Password policy screen explanation


The admin user will be able to set up the password policy through the “Password Settings” tab under the “Settings” screen. This is shown in the screenshot below,


The password settings section is shown in the screenshot below,


Password expiration days selection


1.       Password expiration selection: Admin user can select the number of the days after which the password to access the account will expire. Account user will get warning message to reset password 10 days prior to expiration after login.


Password expiration warning message:


“Your password will expire in 10 days. Click here to Reset Now.”


Setting up complex password


Account admin can opt for creation of complex password for an account. When account admin selects this option, all users on the account must have a password that meets the minimum criteria.


Complex password is a pre-define set of word/special char/ number which is defined in SKYSITE, it will be global for all users of the account.    


Complex password consists of following minimum criteria: 


a)       8 or more characters in length


b)      At least one UPPER letter must exist


c)       At least one LOWER case letter must exist


d)      At least one number (1234567890) or special character (!@#$%^&*) must exist


Complex password activation

 

Account admin can opt for complex password under Password settings tab on the Settings screen.


Screenshot highlighting the complex password setup checkbox:


1.       Once Account admin selects the “Require Complex Password” checkbox and clicks [Save] button, the application will display a message box asking the user to reset the current password. The notification will be “Password policy has been successfully updated. Please reset your password now.”  


Screenshot displaying the message:


2.       Click “Reset Password button to reset your current password into a complex password. User will be logged out of the application and navigated to Update Password screen.


Screenshot displaying update password screen:

3.       Account admin will have to enter the old password and then enter the new password twice (for confirmation) based on the complex password policy.


Screenshot displaying the application prompt to enter the new password according to complex password policy:


If he/she fails to enter the new password as per the complex password policy then he/she will not be able to update/save the new password. He/she will have to mandatorily reset the password.


If user does not enter any new password and by mistake clicks the [Submit] button, then the following message is displayed “Required field(s) cannot be empty”.


Screenshot displaying the message:


If user enters a different new and confirmed password and clicks the [Submit] button, then the following message is displayed “Your new password and confirmation do not match. Please try again.”


Screenshot displaying the message:


4.       After user updates the password and clicks the [Submit] button he/she will be redirected to the ‘Log in’ screen.


5.       On the log-in screen user will have to enter his/her username or email and the new complex password to access his/her account.


Note: If user has updated the password for 5 times previously and on the 6th time enters the new updated password as one of the previously user password then the following message is displayed “Cannot use recent five passwords. Please try again.”


Screenshot displaying the message:


Session ended for logged in users after complex password enablement


If password policy is modified by admin then existing users who are already logged in to the same account, will be logged out of their account (session ended). When next time these users try to log-in, application will prompt the users to update their password as per the new complex password policy. This is applicable for all active session users – employee users logged in to the same account through device, sync, web & outlook.


Account (employee) user logging in after account admin has enabled complex password


The account users will first reach the log-in screen, where after entering the current password application will re-direct the users to the update password screen and will display a message “Your account’s security settings have been updated by your admin. Your password must now be updated.”  Hence, these users will have to update their password as per the new complex password policy.


Screenshot displaying update password screen:

Note: After the account becomes password policy enabled-account, user must make sure all device/sync/outlook plug-in version of SKYSITE is the latest version. If not, then user will have to download the latest version from the appropriate location. Otherwise, user will not be able to login to his/her account.


Security Questions & Answers


After user sets the complex password and/or PIN number, then logs into his accounts and enters the ‘Projects’ module, the application will display a message asking the user to set security questions.

This message is shown in the screenshot below,


1.       Click [Update security information] button to navigate to the My Profile screen in order to set the security questions.


Screenshot displaying the My Profile screen:


2.       Click [Edit] button [highlighted in the above screen] on the My Profile screen to reach the security question set up section.


The My Profile screen now appears with the security questions section.


Screenshot displaying the security questions [highlighted in the screen below] on the My Profile screen:


The account users can select 1, 2 or 3 security questions from a pool of 15 questions and enter the answers of the selected questions in free text.


User can set a maximum of three (3) security questions; enter answers to the 3 selected questions in free text from the My Profile screen in both SKYSITE Projects. User can set a minimum of one question & a maximum of three questions or can choose to not set up any question at all. Security questions (if set) need to be answered in case of wrong entry of complex password or wrong entry of PIN.


More details on the usage of security questions are given here


Note: The security questions will appear only after complex password and/or two-step verification is enabled.


Selecting security questions & entering answers:


Each user can select a minimum of one question and a maximum of three questions and enter the answers of those selected questions. They can select from a list of 15 possible questions and enter their answers in free text.


         I.            In what city or town did you meet your spouse/partner?

        II.            What is the name of your first boyfriend/girlfriend?

       III.            In what city, did you have your first kiss?

       IV.            What was the make/model of your first car?

       V.            What street did you grow up on?

      VI.            Which phone number do you most remember from your childhood?

     VII.            What was your favorite place to visit as a child?

    VIII.            Who was your favorite actor, musician, or artist as a child?

      IX.            What was the name of your first stuffed animal/doll/action figure?

       X.            What is the name of your first-grade teacher?

      XI.            In what city or town did your mother and father meet?

     XII.            In what town or city was your first full time job?

    XIII.            Who was your childhood hero?

    XIV.            What was your favorite sport in high school?

     XV.            What was the name of the company where you had your first job?


Screenshot displaying couple of selected security questions with entered answers:


3.       After selecting the questions and entering appropriate answers click on [Save] button to enable the security questions.


If user selects the same security question more than once, then the following error message is displayed “Security questions cannot be the same.” and the application will not allow the application to save the security questions along with answers. This message is shown in the screenshot below,


Setting up two-step verification


The account admin can opt for two step security verification for advanced and upgraded security. Admin user can tick the checkbox [highlighted in screenshot below] to initiate & enable the two-step verification process.


Scenario 1: Complex password already enabled before enabling two-step verification


As complex password is already enabled before enabling two-step verification user has to only set up a new PIN number.


After admin user enables the two-step verification authentication, the application will display a message box asking the user to set up new PIN number. The notification will be Two-Step Verification has been successfully activated. Please assign your Personal Identification Number (PIN) now.


Screenshot displaying the message:


1.       Click “Set PIN button to configure a new PIN number. User will be logged out of the application and navigated to Update PIN screen.


Screenshot displaying the Update PIN screen:


2.       Enter the current complex password (as this password in previously set beforehand), then enter the new PIN number twice (for confirmation)


If user enters a different new and confirmed PIN number then the following message is displayed “Your new PIN and confirmation do not match. Please try again.”


Screenshot displaying the message:


If user enters the wrong current password, the application displays the message “Entered password in invalid”


3.       After user updates the PIN and clicks the [Submit] button he/she will be redirected to the ‘Log in’ screen.

4.       On the log-in screen user will first have to enter his/her username or email and the complex password to proceed to the PIN verification screen.

5.       On the Verify your identity screen, user will have to enter the PIN number to finally access the account (i.e. land on the Common login screen)


Tip: Accessing the account after enabling two-step verification is given here.


Scenario 2: Complex password not enabled before enabling two-step verification


As soon as user selects the two-step verification process, the complex password checkbox becomes automatically selected/enabled. User will not be able to disable the complex password checkbox after enabling two-step 

verification.


The two-step verification process involves setting the complex password and then setting a PIN number.


1.       After admin user enables the two-step verification authentication and clicks [Save] button, the application will display a message box asking the user to reset the current password. The notification will be “Password policy has been successfully updated. Please reset your password now.”  


Screenshot displaying the message:


2.       Click “Reset Password button to reset your current password into a complex password. User will be logged out of the application and navigated to Update Password screen.


Screenshot displaying update password screen:


3.       Account admin will have to enter the old password and then enter the new password twice (for confirmation) based on the complex password policy.

4.       After updating the new password, click on [Submit] button to move to the Update PIN screen.


Screenshot displaying the Update PIN screen:


5.       On this screen, enter & re-enter a new PIN (for confirmation)


Note: The PIN length should be 4 digits only.


After setting the new complex password & PIN, admin user is automatically logged out of the application. Hence, the admin user will have to log-in again to access the application by entering the new complex password and new PIN number.


3.       After user updates the PIN and clicks the [Submit] button he/she will be redirected to the ‘Log in’ screen.

4.       On the log-in screen user will first have to enter his/her username or email and the complex password to proceed to the PIN verification screen.

5.       On the Verify your identity screen, user will have to enter the PIN number to finally access the account (i.e. land on the Common login screen)


Tip: Accessing the account after enabling two-step verification is given here.


User logging in after enabling two-step verification


User will reach the log-in screen after updating the new complex password & new PIN number.


1.       User will have to enter log-in credentials (username & complex password) on the log-in screen (sign in screen) to access the application after enabling two-step verification.


Screenshot displaying the log-in screen:


After successful entry of the username & new complex password, application redirects the user to the Verify your identity screen which is the PIN entry screen.


Screenshot displaying the PIN entry screen:


2.       Enter the new PIN Number

3.       After successfully entering the PIN number, user can choose to select the checkbox “Trust this computer when I sign in” under Security Preference heading


User trusts this computer:

  • If user selects the checkbox “Trust this computer when I sign in”, then user will only have to enter user ID & complex password to access the application during login from next time onwards, no PIN number entry is required (even if two-step authentication is enabled)

Note - If user is logging in to the application with different system OR different browser in the same computer then application will re-confirm security preference.


User doesn’t trust this computer:

  • If user does not select the checkbox “Trust this computer when I sign in”, then user has to enter the PIN number after entering the log-in credentials (user ID & complex password) to access the account. By default, this checkbox will appear not selected.


4.       In the end, click on [Submit] button to access the application


Session ended for logged in users after two-step verification enablement


Any account user active on the account for which the account admin has changed the password will be logged out (session ended) of his/her account. The active account user will be logged out of his/her account (when admin user enables two-step verification & complex password) even when he/she is accessing the account through device (phone or tablet) or sync application.


Account (employee) user logging in after account admin has enabled two-step verification


When account (employee) user logs in for the first time after two-step verification in enabled, he/she will first enter his/her account log-in credentials. As account admin has already changed the account password and set a new PIN, employee user will receive a message stating that “Your account password has been reset & new account PIN set by the account admin, so please update your account password & PIN”.


The employee user will now be redirected to the Update Password screen. After setting the new password, user is navigated to Update PIN screen. After setting the new password & PIN, user will be re-directed to the log-in screen again. Hence, after entering the new complex password & new PIN user will be able to access his/her account.


After entering the application user will receive a message to select and answer security questions. This alert will come if complex password is enabled but security questions are not set. This message is shown in the screenshot below,


User will have to set the security questions and provide answers to those questions from the ‘My Profile’ screen and then continue working on the application.

Wrong password entry (in case two-step verification is enabled):


1.       User opens the log-in screen of the application

2.       User enters the user name or email ID and then enters the wrong password for three (3) times


Screenshot displaying the first invalid login attempt:


After the third attempt i.e. on the fourth & fifth attempt, application displays a random security question out of the 3 security questions set from My Profile screen (the security questions will appear only if the security questions are selected & answered by the account admin in the My Profile screen).  


Application displays the number of invalid login attempts made and the number valid attempts left on the message at the top of the screen.


Note:

  • Total number of log-in attempts is set to 5, after expiration of log-in attempt, the account will be locked. The security questions appear on the fourth & fifth attempt.

  • The counting of invalid login will appear & account lock will happen only if strong password policy and/or two step verification is enabled.


Screenshot displaying the security question on the log-in screen on the penultimate (forth) attempt:


Now, user will have to enter the correct password as well as the correct answer to the security question in order to proceed further.

If the account does not have security questions configured, then the application will not display any security question and user will is allowed to attempt the correct password entry for five times.


3.       User enters the wrong password or wrong answer to the security question or both password & answer wrong for two more times after the third attempt


Application displays a message - Your account has been locked due to too many invalid login attempts. A reset password link has been sent to the registered email. Please follow the email instructions to unlock and access your account.”


Screenshot displaying the message:


Note: The account lock will remain for few hours and only after the elapsed period can user log-in to his/her account. The lock automatically expires after a certain period if in the meantime user does not choose to reset password from the email send. 


An email will be send to user registered email along with reset password link.


4.       User opens the email and clicks the password retrieval link in the email


Screenshot displaying the ‘reset password’ link in email: 


5.       After clicking the link, application navigates user to a screen where he/she will have enter a new password twice (for confirmation) and provide answer to a randomly selected question. The randomly selected question is one out of the three questions selected and answers entered by the user in the ‘My profile’ screen.


Screenshot displaying the update password screen with security question:


After user successfully answers the question, enters a new password (twice) and then clicks [Save password] button, he/she will be redirected to the log-in screen.


6.       User enters the log-in credentials (correct complex password entered this time)

Application redirects the user to the PIN code entering screen.


7.       User enters the correct PIN code

User successfully enters the application.


Note: The security question appears only if user has configured or set the security questions & associated answers from the ‘My Profile’ screen.


Wrong PIN code entry (in case two-step verification is enabled):


1.       User opens the log-in screen of the application


2.       User enters the user name or email ID and the correct complex password

After user successfully enters the log-in credentials he/she will be redirected to the PIN code entering screen.


3.       User enters the wrong PIN code for three consecutive times (thrice)


Screenshot displaying the first invalid login attempt:


After the third attempt i.e. on the fourth & fifth attempt, application displays a random security question out of the 3 security questions set from My Profile screen (the security questions will appear only if the security questions are selected & answered by the account admin in the My Profile screen).


Application also displays a message with number of invalid login attempts made and the number valid attempts left at the top of the screen.


Note: Total number of PIN entry attempts is set to 5, after expiration of PIN entry attempts, the account will be locked. The security questions appear after the third attempt.


Screenshot displaying the security question on the PIN entering screen on the penultimate (forth) attempt:


4.       User enters the wrong PIN code or wrong answer to the security question or both wrong answer and wrong PIN for two more times after the third attempt.


Application displays a message - “Your account is locked due to invalid login attempt. A reset PIN login link has been sent to your email. Please follow the email instruction to unlock your account.”


Screenshot displaying the message:

Note: The account lock will remain for few hours and only after the elapsed period can user log-in to his/her account. The lock automatically expires after a certain period if in the meantime user does not choose to reset PIN from the email send. 


An email will be send to user registered email along with reset PIN link.


Screenshot displaying the ‘Reset PIN’ link in email:            


5.       User opens the email and clicks the PIN code retrieval link in the email


Application navigates user to a screen where he/she will have to enter the complex password the new PIN twice (for confirmation).


Screenshot displaying the ‘Reset PIN’ screen:


6.       User enters the current complex password, new PIN twice (for confirmation). If user enters the wrong password the following message is displayed “Entered password in invalid”

After resetting the PIN code, user will be redirected to the log-in screen.


7.       User enters the log-in credentials (username or email and complex password)

Application redirects the user to the PIN code entering screen.


8.       User enters the correct PIN code

User successfully enters the application.


Info:

  • After successfully logging in to account or resetting password/updating password invalid attempt count will be reset to zero.

  • In case of two-step verification enabled account, token will be valid only if two-step verification process is completed. 

  • The security question appears only if user has configured or set the security questions & associated answers from the ‘My Profile’ screen.


User forgets PIN


User can reset PIN if he/she forgets PIN no. from the PIN entering screen.

  • Click the “Forgot PIN?” link on the PIN entering screen.


Screenshot displaying the “Forgot PIN” link on the PIN entering screen:


A message is displayed at the top of the screen which states “An email with a link to reset your PIN has been sent to you”.


Screenshot displaying the message at the top of the screen:


  • Open the mail box and view the Reset PIN Request email


Screenshot displaying the PIN reset email:


  • Click the reset PIN link to navigate to the Reset PIN screen.


Screenshot displaying the Reset PIN screen:


From the Reset PIN screen, user will have to enter the complex password first, then set a new PIN number and then proceed to access the application.


User trusts computer but PIN code locked from device


In a scenario, where user has selected the security preference - “Trust this computer when I sign in” option then even if two-step authentication is enabled, the application will not ask for PIN from the user. This security preference will work if user logs in to his/her account from the same computer using the same browser.


But since this scenario is system (device) & browser specific, then if user tries to log in to his/her account from another device, but fails to do so due to wrong entry of PIN code, then his account will be locked. A reset PIN mail will be send to user’s registered email ID.


Meanwhile, when the account is still is locked state, when user tries to log-in to his/her account from web, the after entering log-in credentials (username & password) a message will be displayed to the user “Your account has been locked, reset PIN mail send to your email ID, please reset PIN to access account”. User will have to enter his/her email ID, click on the reset PIN link and navigate to the Reset PIN screen. On this screen user will have to enter the current password & enter a new PIN twice (for confirmation).


Screenshot displaying the security question and PIN reset screen:


After resetting the PIN, user can access the application.


Account lock from multiple device


Invalid login attempt count will be consider globally, like, invalid attempt from web, then invalid attempt from sync and then from device, in this case total invalid attempt will be 5 and account lock is initiated.


Account lock can happen if user fails to log-in to the same account for five times from multiple device. For example,


1.       User tries to first log-in to his/her account from website, enters wrong password once. The application will count this as the first failed log-in attempt.

2.       User then tries to log-in to the same account from device three more times, again enters wrong password thrice. The application will count this as three more failed log-in attempt.

3.       User tries to log-in to his/her account from sync app, and once again enters wrong password. This application will count this as the fifth failed log-in attempt and consequently the account will be locked.

4.       Application displays a message on the current device screen - “Your account is locked due to invalid login attempt. A reset password link has been sent to your email. Please follow the email instruction to unlock your account.”

5.        An email will be send to user registered email along with reset password link.


Note: The account lock can happen for wrong entry of PIN code five times from multiple devices as well.


Password/PIN update from inside application


User can update password or PIN from the My Profile screen.

  • Click Profile button and then click My profile button on the opened up menu


This is shown below,


Now, the My Profile screen will appear.


Screenshot displaying the My Profile screen:

Password change:

  • If password change is required then click [Change password] button [highlighted in the screenshot above] to open the Change password pop-up box.


Screenshot below displays the Change password pop-up box:


  • Enter the current password and then the new password (twice) and then click [Save] button to save the new password.


PIN change:

  • If PIN change is required then click [Change pin] button to open the Change pin pop-up box.


Note: The [Change PIN] button appears only if two-step verification is enabled.


Screenshot below displays the Change pin pop-up box:


  • Enter the current password and then the new PIN (twice for confirmation) and then click [Save] button to save the new PIN.


Any new password or PIN entry should be as per the complex password policy; otherwise the new password will not be saved. This new password or PIN will be override the existing complex password or PIN.


New user activation – instruction with password format


Any current user of SKYSITE Projects can send project invitation to users who are not registered with SKYSITE. After the current user enters information for the new user in the SKYSITE Projects application, the new users will receive account activation email. New users may receive SKYSITE account activation mail for other reasons as well.


On clicking this link, application will redirect the user to the Account Activation screen. The screen will show instructions describing the format of password that he/she needs to enter (this is in case the complex password policy & two-step verification is enabled).


Screenshot displaying the Account Activation screen:


After entering confirming new password, user will be navigated to the Update PIN screen. This screen is shown below,


After setting the new PIN, the new user will be able to enter the SKYSITE Projects application.


Existing users receiving project share will directly land on the log-in screen through the project share link in the email. If the account of the user to whom the project has been shared is complex password & two-step verification enabled, then the user will have to enter complex password and PIN to accept the project share.


Screenshot displaying project invitation screen for an existing user:


Failing to enter complex password three times, will result into security questions appearance. Failing to answer the security question & password can result into account locking. The same scenario is application for PIN entering which comes after successful entering of complex password. 


Password policy implementation on custom log-in screen:


The password policy will work similarly on a custom log-in screen as it works on a normal log-in screen. The custom log-in screen appears if user has bought the log-in theme from the Account settings screen inside the application.


Screenshot displaying the Custom Log-in screen with password policy implementation: