In a recent release there were some significant enhancements to the security of your Insight website and we wanted to let you know about the changes which will enable you to make your site more secure using multi-factor authentication.
Multi-factor authentication for the Web Office
Users frequently re-use passwords, which means that if one site is compromised and passwords are stolen, then the hacker potentially has access to numerous other sites where the same password was used.
Multi-factor authentication significantly reduces the risks associated with this because in order to log in, we check something you know (a password) and something you have (a device). A hacker may have your password, but they cannot log in without being able to enter the 6-digit code generated by your smartphone or another device.
Multi-factor authentication will be off by default so there will be no changes for your users unless you choose to enable it, which we highly recommend. In this update, multi-factor authentication only applies to web office logins.
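The "6-digit code generated by your smartphone" described above is most commonly a time-based one-time password (TOTP, RFC 6238), although the release notes do not say which algorithm Insight uses. The following is an added example, not Insight's code, showing how a server generates and checks such codes: HMAC over a 30-second time counter, a small tolerance window for clock drift, and rejection of a code that has already been accepted so a captured code cannot be replayed. The secret, the window size and the replay-tracking approach are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed time step; authenticator apps default to 30 s
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_counter: int, step: int = STEP_SECONDS,
                window: int = 1) -> tuple[bool, int]:
    """Check a submitted code against the current time step plus `window` steps either side.

    Returns (accepted, new_last_accepted_counter). A counter that is not strictly newer
    than the last one accepted for this user is refused, so each code works at most once.
    """
    if not (isinstance(submitted, str) and len(submitted) == DIGITS and submitted.isdigit()):
        return False, last_accepted_counter
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_accepted_counter:
            continue  # already used, or older than a code we have already honoured
        # compare_digest avoids leaking which digits matched via timing
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_accepted_counter


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector seed); real secrets are random per user.
    demo_secret = b"12345678901234567890"
    code = totp(demo_secret, 59)
    print("code at t=59:", code)
    ok, last = verify_totp(demo_secret, code, 59, last_accepted_counter=-1)
    print("first use accepted:", ok)
    ok, _ = verify_totp(demo_secret, code, 59, last_accepted_counter=last)
    print("replay accepted:", ok)
```

The server stores only the per-user secret and the last accepted counter; the counter check is what turns "something you have" into a one-shot proof rather than a reusable password-like value.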
Improved process for resetting passwords
In order to reset their password, a user can request a secure link to be sent to their registered email address. We will no longer be sending passwords in emails under any circumstances.
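To show why an emailed link is safer than an emailed password, here is an added example (not Insight's implementation) of the server side of a reset link: a random, single-use token with a short lifetime, stored only as a hash so that a leaked database table does not expose usable links. The 30-minute lifetime, the in-memory store and the `https://example.invalid/reset` URL are constructed for illustration.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of a reset link


def _hash_token(token: str) -> str:
    # Only the hash is persisted; the raw token exists solely in the emailed link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: int, store: dict) -> str:
    """Create a reset token for `user_id`, revoking any earlier pending token for that user."""
    for token_hash in [h for h, (uid, _) in store.items() if uid == user_id]:
        del store[token_hash]  # one live link per user: a newer request supersedes older ones
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    store[_hash_token(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(token: str, base_url: str = "https://example.invalid/reset") -> str:
    # Placeholder base URL; the real link points at the site's own reset page.
    return f"{base_url}?token={token}"


def redeem_reset_token(token: str, now: int, store: dict):
    """Return the user id if the token is valid and unexpired, else None. Tokens are single use."""
    entry = store.pop(_hash_token(token), None)  # pop: a second redemption finds nothing
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None  # expired links are consumed and refused, never extended
    return user_id


if __name__ == "__main__":
    pending = {}  # constructed in-memory store; a real site persists this table
    t = 1_700_000_000
    raw = issue_reset_token("user-42", t, pending)
    print("email contains:", build_reset_link(raw))
    print("redeem once:", redeem_reset_token(raw, t + 60, pending))
    print("redeem again:", redeem_reset_token(raw, t + 61, pending))
```

Because the lookup key is a hash of a 256-bit random value, an attacker who reads the stored table still cannot construct a working link, and the `pop` makes each link worthless the moment it has been used.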
Log in with your email address instead of your login name if you prefer
To make it easier to remember login details, you will now be able to use your email address instead of your login name. Login names will still work if you prefer!
Notification when you log in on a new device
When an account is used from a device other than the one it is normally used from, we will send the user an email to let them know.
Account console in the Web Office
There will be a new account popup in the Web Office which will allow you to see all your recent logins, and the device and browser they originated from. This will also be a one-stop shop for changing your password and setting up multi-factor authentication.
We are removing the ‘Lowest’ and ‘Low’ options from the password strength site settings, which allowed extremely weak passwords. Any sites that are currently using these settings have been moved up to ‘Medium’ strength, and users whose passwords don’t meet the new criteria will be forced to change them at their next login when this update is released. We are also making a small change to the ‘Highest’ password level – additionally requiring a punctuation mark. A small number of users on sites already using this password strength may be required to change their passwords as a result.
Log in with a Google domain account
For sites that have a GSuite domain account, site administrators will be able to permit users to use their Google login to access their account in the Web Office.
What do I need to do now?
Review your system email text
As we are no longer sending passwords in emails, several system emails will need to be updated to remove placeholders for passwords, and to ensure the placeholder for the secure link is in place.
At release time, we will be running automated updates to ensure emails are correct where possible, but this may not work well if you have heavily edited or formatted the email templates.
Consider your security
We highly recommend that you get ready to turn on multi-factor authentication for your site after the release, particularly if you use Insight to store personal data for your members. You could also take the opportunity to review who has access to your data.
Let your administrators and users know what’s happening
If your password security is currently set to ‘Low’ or ‘Lowest’ then some of your users may be forced to change their password the next time they log in. You may wish to let your members know about this.
If you are planning to switch on multi-factor authentication then you will need to make sure that any of your volunteers or staff who use the Web Office know what they need to do. We have put together some really short videos to help with this.
For users without smartphones, there are desktop apps or they can receive an SMS message (charges will apply on your monthly bill). Alternatively, for users who have limited permissions, you may consider turning off multi-factor authentication on an individual basis.