
Password

Introduction

This is the default authentication method for all users when you create a new domain. Users must enter their e-mail and password on the login screen to access their domains. 

Disabling password authentication

If you disable this authentication method, you must enable at least one other method (SAML or OpenID). Be aware that disabling this method does not affect the domain owner, who can still log in with their e-mail and password.

Password complexity requirements

Password details

  • The password must have at least 8 characters

  • The pool size must be at least 53 (for example, lower + upper + anything else). See the pool size table and the allowed combinations below.

  • At least 66% of the characters in the password must be unique (unique characters divided by password length).

  • The pool size used in the entropy formula must be equal to or greater than the configured minimum. See the sections below.

  • There’s no minimum or maximum password lifetime.

Log in attempts

Note that the maximum number of failed login attempts with a wrong password is 5. After that, the user is blocked. A domain user with enough privileges must re-enable the blocked user before they can access the domain again.

Pool size

  • The pool size ensures that the complexity of the password is a combination of different symbols.

  • The default pool size is 53.

Supported character combinations and their corresponding pool sizes:

  Combination                                    Pool size
  Upper/lower + decimal                          36
  Special character + digit                      48
  Upper + lower                                  52
  Lower + upper + anything else                  53
  Upper + lower + decimal                        62
  Upper/lower + special character                64
  Lower/upper + special character + anything     65
  Upper/lower + decimal + special character      74
  Lower + upper + decimal + special character    100

Entropy

The Password Entropy Formula is as follows:

L * log2(N)

Where L is the length of the password and N is the size of the character pool the password draws from. It expresses, in bits, the number of trials needed to guess the password.

There are two problems with the original formula:

  • It doesn't take repetition into account, so aaaaaaaaaa and randomword are considered to have the same entropy (both are ten lowercase characters, so L and N are identical).

  • The weight of the length is significantly larger than the logarithmic part, meaning 1234567890 and z%4j^* have the same entropy according to the algorithm.
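The following is an added example, not Devo's own implementation, that puts the complexity rules, the pool size table and the entropy formula above into one checker. It assumes that "special character" means ASCII punctuation, that "anything else" means any character outside the upper/lower/digit/special classes, that a row written "Upper/lower" means either case on its own, and that a class combination absent from the table fails the pool-size rule; the page defines none of these.

```python
import math
import string

# Complexity thresholds stated on the page.
MIN_LENGTH = 8
MIN_POOL = 53
MIN_UNIQUE_RATIO = 0.66

# Assumption: "special character" is ASCII punctuation; "anything else" is any
# character outside upper/lower/digit/special (a space, a non-ASCII letter, ...).
SPECIAL = set(string.punctuation)

# Pool sizes transcribed from the page's table. Rows written "Upper/lower" are
# read as "either case on its own" (assumption) and expanded into two entries.
POOL_SIZES = {
    frozenset({"upper", "digit"}): 36,
    frozenset({"lower", "digit"}): 36,
    frozenset({"special", "digit"}): 48,
    frozenset({"upper", "lower"}): 52,
    frozenset({"upper", "lower", "other"}): 53,
    frozenset({"upper", "lower", "digit"}): 62,
    frozenset({"upper", "special"}): 64,
    frozenset({"lower", "special"}): 64,
    frozenset({"upper", "special", "other"}): 65,
    frozenset({"lower", "special", "other"}): 65,
    frozenset({"upper", "digit", "special"}): 74,
    frozenset({"lower", "digit", "special"}): 74,
    frozenset({"upper", "lower", "digit", "special"}): 100,
}


def char_classes(password: str) -> frozenset:
    """Set of character classes present in the password."""
    classes = set()
    for c in password:
        if "A" <= c <= "Z":
            classes.add("upper")
        elif "a" <= c <= "z":
            classes.add("lower")
        elif "0" <= c <= "9":
            classes.add("digit")
        elif c in SPECIAL:
            classes.add("special")
        else:
            classes.add("other")
    return frozenset(classes)


def pool_size(password: str) -> int:
    """Pool size (N) for the password's class combination. A combination that is
    not in the table yields 0, so it fails the pool-size rule (assumption)."""
    return POOL_SIZES.get(char_classes(password), 0)


def entropy_bits(password: str, pool=None) -> float:
    """Entropy = L * log2(N); an explicit pool can be passed to reproduce the
    page's examples (e.g. pool=26 for an all-lowercase password)."""
    n = pool if pool is not None else pool_size(password)
    return len(password) * math.log2(n) if n > 1 else 0.0


def unique_ratio(password: str) -> float:
    """Fraction of the password's characters that are unique."""
    return len(set(password)) / len(password) if password else 0.0


def check_password(password: str) -> list:
    """Names of the page's rules that the password violates (empty = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if pool_size(password) < MIN_POOL:
        failures.append("pool_size")
    if unique_ratio(password) < MIN_UNIQUE_RATIO:
        failures.append("unique")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Password1", "aaaaaaaa", "abc12345", "Tr0ub4dor&3"):
        print(f"{pw:14} pool={pool_size(pw):3} entropy={entropy_bits(pw):5.1f} "
              f"unique={unique_ratio(pw):.2f} failures={check_password(pw)}")
```

Passing `pool=26` for both aaaaaaaaaa and randomword reproduces the first problem listed above: the formula returns the same value for both because it only sees L and N, which is exactly why the uniqueness rule exists alongside it.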

Jaccard Index

The Jaccard Index compares passwords at the bit level, but it is possible for two passwords to have a Jaccard Index >0 while being completely different.

For example, consider two passwords of one character each: a and b. Each password is one byte long.

a can be represented as one byte of value 97. As a boolean array, it is: [false, true, true, false, false, false, false, true]

b can be represented as one byte of value 98. As a boolean array: [false, true, true, false, false, false, true, false]

Then, a set of integers is created for each password (this process is called shingling), where the values are the indexes of the true values in the boolean array. The indexes start at 0 from the most significant bit.

'a': {1, 2, 7}

'b': {1, 2, 6}

The Jaccard Index is calculated as the count of the intersection (bits in common) divided by the count of the union (total unique bits).

JI = |{1, 2}| / |{1, 2, 6, 7}| = 2/4 = 1/2

Therefore, two completely different passwords have a Jaccard Index of 0.5.
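The shingling and Jaccard computation described above, as an added example that is not part of the original page or of Devo's code. Bit positions are numbered from 0 at the most significant bit of the first byte and continue across bytes (position 8 is the MSB of the second byte), which is an assumption for passwords longer than one character.

```python
def bit_array(char: str) -> list:
    """Boolean array of one character's byte value, most significant bit first,
    in the form shown on the page (e.g. 'a' = 97 -> [False, True, True, ...])."""
    value = ord(char)
    if value > 0xFF:
        raise ValueError("single-byte characters only")
    return [bool(value & (0x80 >> i)) for i in range(8)]


def shingle(password: str) -> set:
    """Shingling as described on the page: the set of positions of the 1 bits
    across the password's bytes, with position 0 at the MSB of the first byte."""
    bits = set()
    for byte_index, byte in enumerate(password.encode("utf-8")):
        for i in range(8):
            if byte & (0x80 >> i):
                bits.add(byte_index * 8 + i)
    return bits


def jaccard_index(p1: str, p2: str) -> float:
    """|intersection| / |union| of the two passwords' bit-position sets."""
    s1, s2 = shingle(p1), shingle(p2)
    union = s1 | s2
    return len(s1 & s2) / len(union) if union else 1.0


if __name__ == "__main__":
    # Constructed sample inputs reproducing the page's walk-through.
    print("bits('a') =", bit_array("a"))
    print("shingle('a') =", shingle("a"), "shingle('b') =", shingle("b"))
    print("JI(a, b) =", jaccard_index("a", "b"))
    # Two characters that share no set bits score 0, while the unrelated 'a'
    # and 'b' score 0.5: the index reflects byte encodings, not similarity.
    print("JI(@, ?) =", jaccard_index("@", "?"))
```

Running it shows the caveat from the text: `a` and `b` share nothing as passwords yet score 0.5, while `@` (0x40) and `?` (0x3F) score 0 simply because their byte encodings have no 1 bits in common. A bit-level index therefore says little about whether two passwords are similar in the sense that matters for reuse.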

Multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of security on top of the standard e-mail and password authentication for logins to Devo domains.

Enable MFA for a domain

  1. Go to the Authentication tab in Preferences → Domain preferences.

  2. If this method was not enabled, select the Active checkbox at the top-left of the form in the Password tab. Then, select the Active checkbox in the Multi-factor authentication (MFA) area below.

  3. Optionally, select Allow users to skip MFA configuration if you want to make MFA optional for your domain users temporarily. This can be useful to facilitate the transition to the use of MFA during logins. Once a domain user has set up MFA, they will no longer be able to skip it when they login to the domain.

  4. Click Update. From this point, when domain users log in, they will be prompted to set up MFA for their users.

Log in using MFA

With MFA enabled, users will be prompted to set up this authentication method the first time they access the platform. To do so, they will need to download a token-generating app to their phones.

This is the process for setting up MFA for the first time:

Once MFA is set up on your device, in addition to logging in with your username and password, you will also be prompted to enter a verification code generated by the authentication app on your phone during the login process.