User Profile Configuration and Management

Creating User Profiles

Only application admins have the ability to create user profiles. This is performed through the Usernames and Passwords administration panel. A new user is created by submitting his or her email address. This action creates a random password, which is displayed to the admin one time only, together with a simple document containing this information for the end user. The admin is responsible for delivering this document to the end user securely.

Resetting User Passwords

Only admins have the ability to reset a user's password if the user is unable to log in for some reason. This is performed through the application Usernames and Passwords administration panel.

To reset a password, the admin selects the user from a list, edits the profile and selects the option: generate new password. As when creating a user, the admin is shown a new random password for the user one time only, together with a simple document containing this information for the end user. The admin is responsible for delivering this document to the end user securely.

{{#if mfa_disabled}} {{else}}

Two-Factor Authentication (2FA)

The server may be configured to require users to log in using a two-factor authentication token in addition to username and password.

Two-Factor Authentication (2FA) is implemented by requiring the entry of a time-based token at login time. Commonly available authenticator smartphone apps are used by users to generate this token. Users will see this token referred to in the app as a one-time token.

Each user and admin profile has a unique 2FA secret generated when a new profile is created, or when reset by the administrator. The administrator does not get to see this secret, and it is stored in the database in an encrypted format.

The first time that a user logs in after creation of a profile or reset of the 2FA secret, they are presented with a two-factor authentication configuration page. This page provides a QR code used by smartphone authenticator apps to set up a profile for future token generation. Once a token has been entered and validated this first time, the secret cannot be viewed again and must be reset by an administrator if the user is no longer able to use it. To reset the secret, the admin edits the user profile and selects the option: Reset two factor auth.

{{/if}}

Unlock Expired Account

A user's account will be locked if their password is not changed for more than {{password_age_limit}} days. To simplify administration, admins may unlock accounts that have expired in this way, for an additional 5 days. This provides the user sufficient time to login with their existing password and change it without additional admin intervention. To perform this, edit the user's account and check Unlock expired account.

Unlock Failed Password Attempts

A user's account will be locked if they fail to log in correctly {{password_max_attempts}} times. They can wait {{password_unlock_time_mins}} minutes and their account will automatically unlock. Alternatively, the admin may unlock the account immediately by editing the account and checking Unlock failed password attempts.

Changing User Passwords

A user has the ability to change their own password. After logging in to the application, an option to change the password is made available in the menu. This requires both the current and new user passwords to be entered.

Similarly, an admin has the ability to change their own password. After logging in to the application management panel an option to change the password is made available. This requires both the current and new admin passwords to be entered.

Password Complexity

Passwords, whether generated automatically by an admin or changed by a user, must meet specific rules set in the server configuration:

  • Minimum characters: {{password_min_length}}
  • Maximum characters: 72
  • Does not match the email address
  {{#if password_regex_requirements}}
  • Matches a specific pattern: {{password_regex_requirements}}
  {{/if}}

Optionally, an entropy calculation may be defined to enforce password complexity. This is harder for some users to meet, but it does enforce complex passwords, and it suits users whose password managers generate long, complex passwords. The minimum entropy score is "{{password_min_entropy}}". If this is 0 or blank, the entropy calculation is ignored.

If configured, an entropy score is calculated for the password and is reduced for:

  • Repeated characters
  • Words appearing in the Linux dictionary words file
  • Words in a list of common passwords
  • Words appearing in any part of the email address
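The rules and entropy penalties listed above, worked through as a password check. This is an added illustration, not the application's own code: the page gives no formula for the entropy score, so a simple bits-of-entropy estimate with penalties stands in for it, the word lists are constructed stand-ins for the Linux words file and the common-password list, and the function names are invented.

```python
import math
import re

MAX_LENGTH = 72  # fixed upper bound from the policy

# Constructed stand-ins for the Linux words file and the common-password list.
DICTIONARY = {"summer", "horse", "battery", "staple", "correct"}
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "123456"}


def entropy_score(password, email):
    """Estimate bits of entropy, then apply the four penalties (assumed scheme)."""
    pools = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    charset = sum(size for pat, size in pools if re.search(pat, password))
    if charset == 0:
        return 0.0
    bits_per_char = math.log2(charset)
    score = len(password) * bits_per_char
    # Repeated characters: every character in a run beyond the first adds nothing.
    repeats = sum(len(m.group()) - 1 for m in re.finditer(r"(.)\1+", password))
    score -= repeats * bits_per_char
    lower = password.lower()
    # Dictionary words and common passwords found anywhere in the password.
    for word in DICTIONARY | COMMON_PASSWORDS:
        if len(word) >= 4 and word in lower:
            score -= len(word) * 2.0  # assumed: each matched character forfeits ~2 bits
    # Any part of the e-mail address (local part and each domain label).
    for part in re.split(r"[@.]", email.lower()):
        if len(part) >= 3 and part in lower:
            score -= len(part) * 2.0
    return max(score, 0.0)


def check_password(password, email, min_length, min_entropy=0, pattern=None):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() == email.lower():
        problems.append("matches the e-mail address")
    if pattern and not re.search(pattern, password):
        problems.append("does not match the required pattern")
    # A minimum of 0 or blank switches the entropy check off.
    if min_entropy and entropy_score(password, email) < float(min_entropy):
        problems.append(f"entropy score below {min_entropy}")
    return problems
```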

Disabling User Access

A user profile can be disabled by an admin through the Usernames and Passwords admin panel. This action prevents the user from logging in or attempting to change their password.

An admin can later re-enable a disabled user profile if needed.

There is no way to delete a user profile from the application. This ensures that all data records created or updated by a user retain a reference to the profile responsible for editing them.

Account Expiration Date

An admin can set an Account Expiration date and time on a user profile. This provides a way to grant temporary access that automatically expires without requiring manual intervention.

When an expiration date is set:

  • Before the expiration date: the user can log in and use the application normally
  • After the expiration date: the user is prevented from logging in and receives a message that their account has expired
  • During an active session: if the expiration date passes while a user is logged in, they will be signed out on their next request to the server

To set an expiration date, edit the user profile in the Usernames and Passwords admin panel and enter a date and time in the Account Expiration field. To remove the expiration and allow indefinite access, clear the field.

Note: account expiration is independent of password expiration. A user's password may still expire based on the password age limit even if no account expiration date is set. Similarly, setting an account expiration does not extend or override the password expiration policy.
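The login decision implied by the Disabling User Access, Unlock Expired Account, Unlock Failed Password Attempts and Account Expiration sections, combined in one check. This is an added illustration, not the application's own code: the record field names and the assumption that the 5-day unlock grace runs from the moment the admin ticks the box are mine, while the policy values map to the configuration placeholders used on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EXPIRED_UNLOCK_GRACE_DAYS = 5  # "Unlock expired account" grants this many extra days


@dataclass
class UserProfile:
    """Minimal profile record; the field names are assumed, not the app's schema."""
    email: str
    password_changed_at: datetime
    disabled: bool = False
    account_expires_at: Optional[datetime] = None   # blank field = indefinite access
    failed_attempts: int = 0
    last_failed_at: Optional[datetime] = None
    expired_unlocked_at: Optional[datetime] = None  # when the admin ticked the box


@dataclass
class Policy:
    password_age_limit_days: int    # {{password_age_limit}}
    password_max_attempts: int      # {{password_max_attempts}}
    password_unlock_time_mins: int  # {{password_unlock_time_mins}}


def login_status(user, policy, now):
    """Return 'ok' or the reason a login (or an in-flight session) is refused."""
    if user.disabled:
        return "disabled"
    # Account expiration is evaluated on every request, so an active session is
    # signed out on the first request after the deadline passes.
    if user.account_expires_at is not None and now >= user.account_expires_at:
        return "account expired"
    # Failed-attempt lock: clears by itself after the unlock time, or at once when
    # the admin resets failed_attempts via "Unlock failed password attempts".
    if user.failed_attempts >= policy.password_max_attempts and user.last_failed_at:
        unlock_at = user.last_failed_at + timedelta(minutes=policy.password_unlock_time_mins)
        if now < unlock_at:
            return "locked: too many failed attempts"
    # Password age lock, independent of account expiration.
    deadline = user.password_changed_at + timedelta(days=policy.password_age_limit_days)
    if user.expired_unlocked_at is not None:
        # Assumed: the 5-day grace runs from the moment the admin unlocked the account.
        grace_end = user.expired_unlocked_at + timedelta(days=EXPIRED_UNLOCK_GRACE_DAYS)
        deadline = max(deadline, grace_end)
    if now >= deadline:
        return "locked: password expired"
    return "ok"
```

Because the password-age check is separate from the account-expiration check, an account with no expiration date set can still be refused once the password is older than the configured limit, exactly as the note above states.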

API Access Only

A user profile can be configured for API access only, allowing automated systems or scripts to make authenticated API requests without needing to complete two-factor authentication (2FA) setup interactively.

Creating an API-Only User

When creating or editing a user, an admin can check the API access only option. This has the following effects:

  • 2FA is auto-confirmed: the user's account is immediately marked as having completed 2FA setup, so API requests using token authentication are not redirected to the 2FA configuration page
  • A password and API token are generated: the user receives a random password and API authentication token, displayed to the admin one time only
  • UI login is blocked: the user cannot log in through the web browser login form — attempts will be rejected with a message indicating the account is for API access only

Credential Document

After creating or updating an API-only user, the admin is shown the user's email address and API token. The show user information document link displays a printable credential document containing these details. Unlike regular users, the credential document for an API-only user does not include a password or 2FA setup instructions, since these are not relevant.

Using API Authentication

An API-only user authenticates requests by including their email and API token as query parameters or headers. See the API documentation for details on making authenticated API requests.

Toggling API Access

An admin can toggle the API access only setting on an existing user:

  • Enabling API access only on a regular user auto-confirms 2FA and blocks UI login
  • Disabling API access only resets the user's 2FA, requiring them to set up an authenticator app on their next interactive login

API-Only Column

The user list in the Usernames and Passwords admin panel includes an API Only column, making it easy to identify which users are configured for API-only access.