IdentityBy Lynio-Support

Configuring Tenant Security Policies

Security Policies Overview

Lynio IAM provides extensive controls to protect tenant accounts and customize the user login experience. Tenant security settings are configured at the tenant level and apply to all users belonging to that tenant. Administrators manage these policies using the Settings tab within the Identity & Access Management section (/identity) of the LYNIO Console or via the Tenant Policy APIs.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication adds an essential layer of security by requiring users to verify their identity with a time-based one-time password (TOTP) from an authenticator application.

MFA Enforcement

  • Enforce MFA (mfa_enforced): When enabled, users who log in without MFA configured will be redirected to an "MFA Setup Required" page showing a generated QR code and a secret key. Users must configure TOTP before they can proceed.

Remembering Trusted Devices

  • MFA Remember Device Days (mfa_remember_device_days): Allows users to bypass the MFA verification prompt on trusted devices.
  • Mechanism: If set to a value greater than 0 (e.g. 30 days) and the user checks the "Remember this device" box during login, the system sets a signed JWT cookie named lynio_trusted_device on the user's browser.
  • Cookie Properties:
    • Name: lynio_trusted_device
    • Path: /
    • HTTPOnly: true
    • Secure: true
    • SameSite: Lax
  • Subsequent login attempts verify this cookie to validate the trusted status and bypass the MFA prompt. If set to 0, remembering devices is disabled and users must supply an MFA code on every login.

Password Strength & Complexity Policies

To prevent weak credentials, administrators can configure detailed password complexity constraints:

Complexity Requirements

  • Minimum Length (pw_min_length): Sets the minimum number of characters required for a password (defaults to 8).
  • Require Uppercase (pw_require_upper): Requires at least one uppercase letter ([A-Z]).
  • Require Lowercase (pw_require_lower): Requires at least one lowercase letter ([a-z]).
  • Require Number (pw_require_number): Requires at least one numerical digit ([0-9]).
  • Require Special Character (pw_require_special): Requires at least one non-alphanumeric character ([^A-Za-z0-9]).

Identity Data Filtering

  • Prevent User Data (pw_prevent_user_data): When enabled, the system prevents passwords from containing personal data. It checks case-insensitively that the password does not contain the user's first name, last name, or the username prefix of their email address (if the prefix is longer than 2 characters).

Password History & Reuse

  • Prevent Password Reuse (pw_prevent_reuse): Configures the size of the password history queue. If set to N (where N > 0), the user's password_history list will track the last N bcrypt hashes. When changing passwords, the system compares the new password's hash against the user's active history and current password, rejecting any matches. If set to 0, password reuse is allowed.

Password Expiration

  • Password Expiration Days (pw_expiration_days): Enforces periodic password changes.
  • Expiration Behavior: If set to N days (where N > 0), the system checks the time elapsed since password_changed_at. If it exceeds N days, the login API fails with a 403 Forbidden response and an error code of "PASSWORD_EXPIRED". The Console interface catches this error code and redirects the user to a password change screen. If set to 0, passwords never expire.

Account Lockout Policy

To mitigate brute-force and dictionary attacks, administrators can configure lockout thresholds for failed authentication attempts.

  • Lockout Threshold (lockout_threshold): The maximum number of consecutive failed login attempts permitted before the account is locked out. If set to 0, lockout is disabled.
  • Lockout Duration (lockout_duration_mins): The duration in minutes that the user is locked out.
  • Lockout Behavior: When failed attempts reach the threshold, the system updates the user's locked_until timestamp to the current time plus the lockout duration. Any login attempts before this timestamp will immediately fail with the error message: Account is locked. Try again later.. A successful login resets failed_login_attempts to 0 and clears locked_until.

Custom Login Page Branding

Administrators can customize the look and feel of the user login screen to align with organization branding.

  • Login Title (login_title): Sets the heading on the login form (defaults to "SIGN.IN"). It supports dot notation (e.g., COMPANY.CLOUD). The Console UI parses this notation, splitting the title at the dot to render the first part in bold and the second in standard font weight for a clean, modern style.
  • Login Background Image:
    • Supported Formats: JPG, JPEG, PNG, and SVG.
    • Upload & Storage: Files uploaded via the FileInput on the Settings page are posted to POST /api/v1/tenant/policy/background and saved locally inside the directory ./uploads/tenant_<tenant_id>_bg<ext>.
    • Branding Retrieval: The system serves the public URL as /uploads/tenant_<tenant_id>_bg<ext> and populates the login_background_url parameter retrieved via the GET /api/v1/tenant/policy endpoint.