MIDAS Documentation v4.22
Manage Security Settings
The Security settings screen may be accessed via MIDAS Admin Options → Manage MIDAS → Security.
Minimum password lengthAll users will have to choose a password of at least this number of characters.
Force Password Change Every X DaysAll users will be required to change their password every X days.
Offer to save credentials?Give users the option to save their login credentials, language and theme selections in the browser they are currently using for the next time they access MIDAS.
Password Reset links are valid forWhen a user initiates a password reset request, by default the reset link contained within the subsequent password reset email sent to them is only valid for 2 hours. If the user fails to click the link in their email to reset their password within this time frame, the link expires and the user would need to generate a new password reset request again. This setting allows you to change how long these emailed password reset links remain valid for.
Enable Two-Factor Authentication?
WARNING: This feature relies on the ability for your MIDAS system to send email. Therefore, please ensure that you have configured the email settings and verified that you can successfully receive emails from your MIDAS system before enabling this feature, otherwise you and your users will be unable to login
Two-Factor Authentication requires all users to log in with an additional authorization code sent to their registered email address each time they log in with their regular MIDAS credentials.
Important: Two-Factor Authentication is only effective if users use a different password for MIDAS to the passwords they use to login to their email server/client
Info: Two-Factor Authentication is disabled when Single Sign-On (Active Directory integration) is in use
Inactivity forces logout afterAutomatically logs out users if they have been idle for the defined period.
Always force logout afterAutomatically logs our users after a pre-defined length of time, regardless of their activity.
Allow Multiple Logins By Users?If selected, each user will be able to be logged in from multiple browsers/devices at the same time. If not selected, a user will only be able to be logged in from one browser/device at any one time (logging in from another browser/device will automatically logout the previous session).
Please Note: The ability for user accounts to be logged in from multiple browsers/devices simultaneously is not available on systems licensed for a just single user account
Max Invalid Login AttemptsTo prevent unauthorized access and "brute force" attacks, your MIDAS can automatically "suspend" an account if a certain number of consecutive login attempts fail. Once an account becomes "suspended", the user who owns that account is sent an email containing a link allowing them to restore access to their account. Additionally, an administrator with sufficient privileges can "unlock" a suspended account via the Manage Users & Permissions.
Allowed IP RangeFor increased security, you can limit who can access the MIDAS login page, based upon their Internet IP address, irrespective of whether they have a valid login for MIDAS.
You can restrict access to a single IP address, or an IP range. This can be useful if MIDAS is hosted on a public web server, which potentially could be accessed by anyone worldwide. MIDAS' "Allowed IP Range" setting can be used to restrict access to users in your own country, organization, or to just you!
IPs are made up of a set of 4 numbers, each ranging from 0-255. These four numbers are each separated by a period (dot) character, and together form an IP address. For reference, MIDAS also displays your current IP address in the security screen.
By default, the "Allowed IP Range" setting in MIDAS is set to *.*.*.*
Warning: Proceed with extreme caution when restricting access to MIDAS based on an IP address/range - if you're not careful, you could lock yourself out of MIDAS completely!
Warning: If you are restricting access to a single IP address, such as your own, ensure that you have a static IP that will not change, and not a "dynamic" IP, which may periodically change, resulting in you being locked out of MIDAS
SSL AccessIf the server hosting MIDAS allows for secure (https://) connections, the SSL Access setting will allow you to encrypt your browser's connection to the server, reducing the risk of any data being intercepted during transit. Options are:
DisabledForce all users to connect to MIDAS via http://
EnabledAllow users to access MIDAS via either http:// or https://
ForcedForce all users to connect to MIDAS via https:// (http:// connections will be replaced with https:// connections)
Warning: Do not "Force" MIDAS into SSL mode if your server doesn't accept secure https connections as you will lock yourself and others out of MIDAS completely! When you alter this setting, MIDAS will attempt to verify that secure https connections can be made to the server. If you select "Forced" and MIDAS cannot determine that your server accepts secure https connections, it will default down to "Enabled"
PrivacyIf the "Honor user's Do Not Track preference" option is selected and the user is using a web browser which supports the Do-Not-Track privacy setting, then MIDAS won't log the user's IP addresses in the Recent Activity log if the user has the "Do-Not-Track" setting enabled in their browser.
Security AuditPerforms an "on-demand" audit on your current security settings. When run, a number of key metrics of your MIDAS system will be analyzed (including your MySQL setup, MIDAS files, and recommended MIDAS settings) and a detailed report generated with appropriate suggestions and advisories for improving the overall security of your MIDAS system.
MIDAS Knowledgebase: Tips for keeping your MIDAS secure