Company-wide Passwords, 2FA and Session settings

This document is for: Invicti Platform

Users with the role of Owner can manage company-wide password and session settings via the Data privacy & security tab within Settings. This enables organizations to align user access with their security policies.

This document provides instructions for configuring password settings, two-factor authentication, session inactivity timeout, and login failure/lockout rules for all users.

Configure password settings

Owners can define password settings to enforce regular password changes for Invicti Platform user accounts. They can also control whether users are allowed to reuse previous passwords and set the criteria for password expiration.

  1. Select Settings from the left-side menu.
  2. Select Security & Access control > Data privacy & security.
  3. In the Password history field, input the number of unique new passwords a user must set before they can reuse an old password. Enter 0 if you don't want to enforce this setting.
  4. In the Password max age field, input a number to determine how often users must change their password. For instance, entering 90 means users must change their Invicti account password every 90 days. Enter 0 if you don't want to enforce this setting.
  5. Click Save at the bottom of the page.

Enable Two-factor authentication (2FA)

Enabling this option prompts all users to configure 2FA during their next login. For instructions on setting up 2FA, refer to Enable 2FA for your account.

  1. Select Settings from the left-side menu.
  2. Select Security & Access control > Data privacy & security.
  3. In the Two-factor authentication section, select Yes to enable 2FA.
  4. Click Save at the bottom of the page.


Session and lockout settings

This section allows you to set rules for automatic logout or account lockout in Invicti. You can configure parameters such as inactivity timeout, the number of failed login attempts, and the time frame for those attempts. Additionally, you can specify a lockout period, after which users can log in again if they were previously locked out of their accounts.

Configure inactivity session timeout

  1. Select Settings from the left-side menu.
  2. Select Security & Access control > Data privacy & security.
  3. Scroll down to the Session and lockout settings section.
  4. In the Inactivity Timeout field, input the number of minutes after which all user sessions will expire, prompting users to log in to Invicti again. Using the default setting of 0 will result in user sessions timing out after 10 hours.
  5. Click Save at the bottom of the page.

Configure maximum consecutive login failures

  1. Select Settings from the left-side menu.
  2. Select Security & Access control > Data privacy & security.
  3. Scroll down to the Session and lockout settings section.
  4. In the Maximum Consecutive Login Failures field, input the number of consecutive login failures allowed for users before they are locked out of their Invicti account. Enter 0 if you do not want to enforce this setting.
  5. Click Save at the bottom of the page.

Configure the time window

  1. Select Settings from the left-side menu.
  2. Select Security & Access control > Data privacy & security.
  3. Scroll down to the Session and lockout settings section.
  4. In the Time window field, specify the time period during which the specified number of consecutive login failures must occur. The default setting is 60 minutes. Enter 0 if you do not want to use this setting.
  5. Click Save at the bottom of the page.

Configure lockout time

  1. Select Settings from the left-side menu.
  2. Select Security & Access control > Data privacy & security.
  3. Scroll down to the Session and lockout settings section.
  4. In the Lockout time field, input the number of minutes that must pass before a user can attempt to log in again after being locked out of their Invicti account. The default setting is 30 minutes. During this specified period, the user remains locked out. Enter 0 if you do not want to enable this setting.
  5. Click Save at the bottom of the page.
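
How the Maximum Consecutive Login Failures, Time window and Lockout time settings interact, as an added illustrative model that is not Invicti's code. It assumes the lockout triggers on the Nth consecutive failure, that a Time window of 0 means failures never age out, and that a Lockout time of 0 means no lockout period is applied; all names and the sample events are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_failures: int = 3   # "Maximum Consecutive Login Failures" (constructed value; 0 = not enforced)
    window_min: int = 60    # "Time window" (page default; 0 assumed to mean no time limit)
    lockout_min: int = 30   # "Lockout time" (page default; 0 assumed to mean no lockout period)

@dataclass
class Account:
    failures: list = field(default_factory=list)  # minutes of the current run of failed logins
    locked_until: float = -1.0

def attempt(policy, acct, t, password_ok):
    """Process one login at minute t; return 'ok', 'failed', 'locked' or 'rejected'."""
    if t < acct.locked_until:
        return "rejected"              # during lockout even a correct password is refused
    if password_ok:
        acct.failures.clear()          # a successful login ends the consecutive run
        return "ok"
    acct.failures.append(t)
    if policy.window_min > 0:          # only failures inside the time window count
        acct.failures = [f for f in acct.failures if t - f < policy.window_min]
    if policy.max_failures > 0 and len(acct.failures) >= policy.max_failures:
        acct.failures.clear()
        if policy.lockout_min > 0:
            acct.locked_until = t + policy.lockout_min
            return "locked"
    return "failed"

def replay(policy, events):
    """Run (minute, password_ok) events for one account and return each outcome."""
    acct = Account()
    return [attempt(policy, acct, t, ok) for t, ok in events]

# Constructed sample: (minute, password_ok) for a single user.
SAMPLE_EVENTS = [
    (0, False), (10, False), (15, True),   # success at minute 15 resets the count
    (20, False), (70, False),
    (85, False),                           # failure at minute 20 has aged out of the window
    (90, False),                           # third failure inside 60 minutes: lockout starts
    (100, True),                           # correct password, but still locked out
    (120, True),                           # lockout period of 30 minutes has passed
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(LockoutPolicy(), SAMPLE_EVENTS)):
        print(event, outcome)
```
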

