
Security Settings

The Security Settings tab manages authentication and access control features to protect your Borderbolt organization from unauthorized access.

Two-Factor Authentication (2FA)

Enable Two-Factor Authentication

Require users to authenticate with a second factor in addition to their password.

Authentication Method: Time-based One-Time Password (TOTP)

How It Works:

  1. User enters username and password (first factor)
  2. System prompts for 6-digit code from authenticator app (second factor)
  3. Code must match server-generated TOTP based on shared secret
  4. Access granted only when both factors are valid
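The server side of step 3, as an added example rather than Borderbolt's own code: it assumes the RFC 6238 defaults that the listed authenticator apps use (HMAC-SHA1, 30-second step, 6 digits), a base32 shared secret as placed in the setup QR code, and a tolerance of one step either side for clock drift.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step used by the listed authenticator apps
DIGITS = 6          # the page's "6-digit code"


def new_shared_secret() -> str:
    """Generate the per-user shared secret (base32, as embedded in the setup QR code)."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def totp(secret_b32: str, unix_time: int, step_offset: int = 0) -> str:
    """Compute the TOTP for the time step containing unix_time (HMAC-SHA1, RFC 6238)."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded, casefold=True)
    counter = unix_time // STEP_SECONDS + step_offset
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time=None, window: int = 1) -> bool:
    """Second-factor check: accept the code only if it matches the current step or one
    step either side (clock drift), comparing in constant time to avoid timing leaks."""
    now = int(time.time()) if unix_time is None else unix_time
    submitted = submitted.replace(" ", "")                 # apps often display "287 082"
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, now, d), submitted)
        for d in range(-window, window + 1)
    )
```

A production deployment should additionally remember the last accepted step per user so a code observed once cannot be replayed inside the same window.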

When Enabled:

  • All users must set up TOTP on next login
  • Authenticator app required (Google Authenticator, Authy, Microsoft Authenticator, etc.)
  • Backup codes provided for account recovery
  • Cannot bypass 2FA once enabled

When Disabled:

  • Password-only authentication
  • Users who previously set up 2FA can still use it (optional)
  • Less secure but more convenient

Best Practice: Always enable 2FA for production environments, especially for users with Admin, Customs Manager, or sensitive permissions.

Supported Authenticator Apps

Any TOTP-compatible authenticator app works:

Recommended Apps:

  • Google Authenticator (iOS, Android)
  • Microsoft Authenticator (iOS, Android, browser extension)
  • Authy (iOS, Android, desktop)
  • 1Password (with TOTP support)
  • Bitwarden (with TOTP support)

Setup Process:

  1. User navigates to Profile → Security
  2. Clicks “Enable Two-Factor Authentication”
  3. Scans QR code with authenticator app
  4. Enters 6-digit code to verify setup
  5. Saves backup codes securely
  6. 2FA enabled for account

Backup Codes

When enabling 2FA, users receive 10 single-use backup codes.

Purpose:

  • Access account if authenticator app is lost or unavailable
  • Each code can be used only once
  • New codes generated when all are used
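An added example (not Borderbolt's code) of the single-use property described above: ten random codes are issued once, only keyed digests are stored, and a code is removed from the stored set when redeemed. The keyed hash with a server-side key is an assumption, chosen because short backup codes are cheap to brute-force from a leaked table of plain hashes.

```python
import hashlib
import hmac
import secrets

BACKUP_CODE_COUNT = 10   # the page: users receive 10 single-use backup codes
CODE_BYTES = 5           # 40 bits of entropy -> 10 hex characters shown to the user


def _digest(server_key: bytes, code: str) -> str:
    # Keyed hash (assumption): a leaked table of digests is useless without the server key,
    # which matters because short backup codes would otherwise be cheap to brute-force.
    normalized = code.strip().replace("-", "").lower()
    return hmac.new(server_key, normalized.encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(server_key: bytes, count: int = BACKUP_CODE_COUNT):
    """Return (plaintext_codes, stored_digests). Plaintext is shown once at setup;
    only the digests are persisted with the user record."""
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    return codes, [_digest(server_key, c) for c in codes]


def redeem_backup_code(server_key: bytes, stored_digests: list, submitted: str):
    """Consume one code. Returns (accepted, remaining_digests); a matching digest is
    removed so the same code cannot be used twice."""
    candidate = _digest(server_key, submitted)
    for i, stored in enumerate(stored_digests):
        if hmac.compare_digest(stored, candidate):
            return True, stored_digests[:i] + stored_digests[i + 1:]
    return False, stored_digests


def needs_new_codes(stored_digests: list) -> bool:
    """True once every code has been used, i.e. time to issue a fresh set."""
    return len(stored_digests) == 0
```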

Best Practice: Users should save backup codes in a secure location:

  • Password manager
  • Printed and stored in safe
  • Encrypted file backup

Account Recovery: If a user loses both their authenticator app and backup codes, an administrator must reset their 2FA in User Management.

Session Management

Session Timeout

Automatically log users out after a period of inactivity.

Default: 60 minutes (1 hour)

How It Works:

  • Timer starts when user stops interacting with Borderbolt
  • Any page click or action resets timer
  • When timeout reached, user is logged out automatically
  • User must re-authenticate to continue

Timeout Values:

Minutes         When to Use
15              High-security environments, shared workstations
30              Balanced security and usability
60              Default, standard office environment
120             Low-risk environments, convenience prioritized
480 (8 hours)   Full workday sessions, trusted devices

Considerations:

  • Shorter timeouts increase security but may frustrate users
  • Longer timeouts improve usability but increase unauthorized access risk
  • Unsaved work is lost on timeout (use auto-save features)

Best Practice:

  • Use 15-30 minutes for shared/public computers
  • Use 60-120 minutes for personal workstations
  • Use 480 minutes for trusted, single-user environments

Remember Me

Users can optionally check “Remember Me” on login to extend their session.

When Enabled:

  • Session lasts 30 days (or until manual logout)
  • Session persists across browser restarts
  • Cookie stored on user’s device

When Disabled:

  • Session expires when browser is closed
  • Session timeout still applies

Security Note: “Remember Me” is less secure on shared devices. Educate users to only use this on personal devices.

IP Whitelisting

IP Whitelist

Restrict access to Borderbolt to specific IP addresses or ranges.

Format: Comma-separated list of IP addresses or CIDR ranges

Examples:

Single IP:     203.0.113.10
Multiple IPs:  203.0.113.10, 198.51.100.20
CIDR Range:    203.0.113.0/24
Mixed:         203.0.113.10, 198.51.100.0/24

When Configured:

  • Only requests from whitelisted IPs are allowed
  • Requests from other IPs receive 403 Forbidden error
  • Applies to all users
  • No exceptions or bypasses

When Left Blank:

  • All IPs are allowed
  • No IP-based restrictions
  • Standard authentication still required

Lockout Risk: Be extremely careful with IP whitelisting. If you whitelist the wrong IPs or your IP changes, you will be locked out. Always test in development first.

Use Cases

Office-Only Access:

203.0.113.0/24

Only users on office network can access Borderbolt.

Office + VPN:

203.0.113.0/24, 198.51.100.50

Office network + VPN exit IP.

Specific Workstations:

203.0.113.10, 203.0.113.11, 203.0.113.12

Only those three specific workstations can access Borderbolt.

No Restrictions (default):

(leave blank)

Any IP can access (authentication still required).

Testing IP Whitelist

Before Enabling in Production:

  1. Identify your current public IP: https://whatismyipaddress.com 
  2. Add your IP to whitelist
  3. Save and verify you can still access
  4. Test from different location (should be blocked)
  5. Add other authorized IPs
  6. Document whitelist configuration
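An added example (not Borderbolt's implementation) covering the whitelist format above and the lockout risk this checklist guards against: it parses the comma-separated field, makes the allow/403 decision for a request, and runs a pre-save check that reports whether the admin's own IP would be excluded. The `whitelist_problems` pre-save guard is an assumption, not a documented Borderbolt feature.

```python
import ipaddress


def parse_whitelist(raw: str):
    """Parse the comma-separated field into (networks, errors). A single IP becomes a /32
    (or /128) network; a blank field yields no networks, meaning 'no IP restriction'."""
    networks, errors = [], []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            errors.append(f"invalid entry: {entry!r}")
    return networks, errors


def is_allowed(raw_whitelist: str, client_ip: str) -> bool:
    """Request-time decision: True -> continue to normal authentication, False -> 403."""
    networks, errors = parse_whitelist(raw_whitelist)
    if errors:
        return False            # design choice here: never fail open on a malformed list
    if not networks:
        return True             # blank field: all IPs allowed, authentication still required
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False            # unparseable client address is rejected
    return any(addr in net for net in networks)


def whitelist_problems(raw_whitelist: str, admin_current_ip: str) -> list:
    """Pre-save lockout guard (assumption): report malformed entries and, crucially,
    whether the admin saving the list would be locked out by it."""
    networks, problems = parse_whitelist(raw_whitelist)
    admin = ipaddress.ip_address(admin_current_ip)
    if networks and not any(admin in n for n in networks):
        problems.append(f"your current IP {admin_current_ip} is not whitelisted; "
                        "saving this would lock you out")
    return problems
```

The client address passed to `is_allowed` must come from the connection itself or from a proxy header the deployment trusts; a whitelist evaluated against an unverified forwarded header is no protection.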

Troubleshooting Access:

  • If locked out, contact your system administrator
  • System administrator can update these settings directly in the database if needed

Additional Security Features

Password Requirements

Borderbolt enforces strong password policies:

Minimum Requirements:

  • 8 characters minimum
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Best Practice: Users should use unique passwords (not reused from other sites) and store them in a password manager.

Password Reset

Self-Service Reset:

  1. User clicks “Forgot Password” on login
  2. Receives password reset email
  3. Clicks link in email (valid 60 minutes)
  4. Sets new password meeting requirements
  5. Old password invalidated

Admin Reset:

  • Admins can force password reset for users
  • User receives reset email
  • Must set new password on next login

WebAuthn Passkeys

Borderbolt supports WebAuthn for passwordless authentication.

Supported Methods:

  • Hardware security keys (YubiKey, Titan, etc.)
  • Platform authenticators (Face ID, Touch ID, Windows Hello)
  • Passkeys (iCloud Keychain, Google Password Manager)

Setup:

  1. Navigate to Profile → Security
  2. Click “Add Passkey”
  3. Follow browser prompts to register device
  4. Passkey can now be used for login

Benefits:

  • More secure than passwords (phishing-resistant)
  • No password to remember or steal
  • Faster login experience
  • Supports biometric authentication

Audit Logging

All security events are logged for audit purposes:

Logged Events:

  • Login success/failure
  • Password changes
  • 2FA setup/reset
  • IP whitelist changes
  • Session timeouts
  • Unauthorized access attempts

Log Retention: 1 year

Access Logs:

  • Admins: Settings → Security → Audit Logs

Best Practices

Security Hardening Checklist

Essential (All Environments):

  • ✓ Enable 2FA for all users
  • ✓ Set session timeout to 60 minutes or less
  • ✓ Enforce strong password requirements
  • ✓ Review user permissions quarterly
  • ✓ Monitor audit logs for suspicious activity

Recommended (Production):

  • ✓ Configure IP whitelist for office/VPN access
  • ✓ Reduce session timeout to 30 minutes for sensitive roles
  • ✓ Enable WebAuthn passkeys for Admin users
  • ✓ Require password changes every 90 days
  • ✓ Implement principle of least privilege (minimal permissions)

Advanced (High-Security):

  • ✓ IP whitelist to specific workstations only
  • ✓ Session timeout 15 minutes
  • ✓ Mandatory WebAuthn for all Admin/Manager roles
  • ✓ Disable “Remember Me” functionality
  • ✓ Implement SOC 2 or ISO 27001 controls

User Education

Train Users On:

  • Importance of unique, strong passwords
  • How to use authenticator apps
  • Safeguarding backup codes
  • Recognizing phishing attempts
  • Reporting suspicious activity
  • Logging out on shared devices

Regular Security Reviews

Monthly:

  • Review user access logs for anomalies
  • Check for failed login attempts
  • Verify IP whitelist is current

Quarterly:

  • Audit user permissions and roles
  • Review and update IP whitelist
  • Test 2FA and WebAuthn functionality
  • Update security documentation

Annually:

  • Comprehensive security audit
  • Penetration testing
  • Review and update security policies
  • Security awareness training for all users

Updating Settings

  1. Navigate to Settings → Security
  2. Toggle “Enable Two-Factor Authentication” on/off
  3. Set session timeout in minutes
  4. Enter IP whitelist (comma-separated, optional)
  5. Changes save automatically when a field loses focus (on blur)
  6. Test changes with test user account before deploying to all users

Permissions

To edit security settings, users must have the Settings permission. This is typically assigned to:

  • Admin role

To view audit logs, users must have the Audit Logs permission.

Troubleshooting

Users Locked Out After 2FA Enabled

Problem: Users cannot log in after 2FA is enabled organization-wide.

Solutions:

  • Provide advance notice and setup instructions before enabling
  • Share setup guide with QR code scanning steps
  • Ensure users have authenticator app installed beforehand
  • Admin can disable 2FA for specific user if needed: User Management → Edit User → Disable 2FA
  • Provide IT support during rollout period

IP Whitelist Lockout

Problem: Admin accidentally whitelisted wrong IPs and is now locked out.

Solutions:

  • Contact your system administrator to clear the IP whitelist settings directly
  • Test whitelist in staging environment before production
  • Always include your current IP when first configuring
  • Document current IPs before making changes

Session Timeout Too Short

Problem: Users complain about frequent logouts disrupting work.

Solutions:

  • Increase session timeout to 60 or 120 minutes
  • Educate users on “Remember Me” for trusted devices
  • Implement auto-save for critical forms
  • Review if timeout is necessary (non-sensitive data)
  • Consider different timeouts for different roles

Lost Authenticator App

Problem: User lost phone or authenticator app, cannot access account.

Solutions:

  1. User provides backup code (if saved)
  2. If no backup codes, Admin must reset 2FA:
    • User Management → Edit User → Reset Two-Factor Authentication
    • User logs in with password only
    • User must re-enable 2FA and save new backup codes
  3. Verify user identity before resetting 2FA (security check)
  4. Document incident for audit trail

Failed Login Attempts

Problem: Multiple failed login attempts in audit logs.

Solutions:

  • Check if legitimate user forgot password (offer reset)
  • Possible brute-force attack: check the source IP address
  • Consider IP whitelisting to block unauthorized IPs
  • Enable rate limiting for login attempts
  • Review security logs for patterns
  • Alert security team if sustained attack detected
  • Consider temporary IP ban for excessive failures