User security

XLReporting enforces multiple levels of security and access control. This article gives an overview.

Passwords

XLReporting only accepts strong passwords of at least 12 characters that combine lowercase and uppercase letters, numbers, and symbols. We do this in accordance with the OWASP guidelines for secure web applications.

Passwords are set to automatically expire after 180 days.

You can renew your password at any time.

We highly recommend that you use a password manager to generate and remember the password for you.

MFA (Multi-Factor Authentication)

Multi-Factor Authentication (MFA) adds an extra level of security when logging in to XLReporting. In addition to your email and password, you will be prompted to enter a code that is displayed on your mobile device. You can use any OTP-based mobile app, such as Google Authenticator, Microsoft Authenticator, Twilio Authy, LastPass, etc. By default, each user can decide whether or not to activate MFA.

As an administrator, you can also make MFA mandatory for your tenant, which will prompt all your users to activate MFA (if necessary) the next time they log in. This ensures optimal MFA usage, including for users who have access to multiple tenants.

SSO (Single Sign-On)

In addition to logging in with a username and password, we also support Single Sign-On (SSO), which delegates user authentication and login to an external identity provider that supports the OpenID Connect protocol. This gives you single, unified management of all users in your company.

Security alerts

Whenever changes are made that relate to user access, such as (but not limited to) password changes, changes to MFA, or logging in from a new device, XLReporting will send the user an email notification with the date and time, and approximate location and IP information. This helps users stay in full control of their account.

If you receive such an email, we recommend you take the following steps:

  1. First, you should carefully check whether you recognise this activity. Our email will provide approximate location and IP information. Please note that the location is approximate, based on the IP address that was used. This information is derived from network and telecom providers, and whilst it may give a fair indication of country and geographic region, it may not always be accurate regarding the city.
  2. If you still have access to your account, check the User Activity in Manage - Profile - Actions to make sure it is all your own activity.
  3. In case of doubt, change your password with immediate effect, and contact your company administrator or the XLReporting support team.

Failed logins

If our systems detect a pattern of failed login attempts on a user account, that account will be automatically and immediately locked. XLReporting will send the user an email notification, with steps to check that their account is not compromised and to re-activate it.

Inactive users

Inactive user accounts are a potential security risk. For that reason, our systems automatically lock user accounts that have had no activity for a certain period of time. XLReporting will send the company administrator an email notification. It is up to the administrator to decide whether to re-activate the user or delete the account permanently.

User activity

Via Manage - Profile - Actions, users can see a detailed overview of all their activity, including logins, logouts, which reports they ran, and which changes they made.
