Authentication
Overview
FA's Authentication provides you with tools to control who can log in to your FA, track when and where your users logged in, and what they did within the system. Options for two-factor authentication and tracking unsuccessful login attempts provide you with an extra layer of security. In addition, user roles and rights allow you to extensively control which features your users can use and what data they can see when they log in.
Functionality
Authenticate to the system
Authenticate with your user ID and password - with FA's authentication, each user logs in with their personal user ID and a password fulfilling the password policy.
Resetting a password - reset your password via a password reset link you can order from the login page.
Two-factor authentication - the authentication mechanism can be extended with a second factor (i.e. two-factor authentication). The second factor is a code generated by an authenticator app, which the user enters after successful login with username and password. Valid authentication requires that both steps are successfully passed.
Freezing the account for unsuccessful login attempts - the user ID is locked for an increasing period of time if the user types in an incorrect password too many times (i.e. brute force detection). During this time, the user is not allowed to log in, and can try again only after the freeze time has passed. Administrators can then unfreeze the account.
Alternative authenticators - instead of FA's authentication, you can choose to use authentication through third-party identity providers such as Signicat Digital Identity and Signing and Microsoft Active Directory. The supported protocols for external identity providers are OpenID Connect v1.0 and SAML 2.0. In addition, user federation via the LDAP and Kerberos protocols is supported, e.g. Microsoft Active Directory (AD).
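The freeze-on-failed-login behaviour described above, sketched as an added example (not FA's own code). The failure threshold, base freeze time, doubling and cap are assumed values, since the page does not state FA's settings, and `LoginThrottle` and its methods are hypothetical names.

```python
import hmac
from dataclasses import dataclass

# Assumed policy values for illustration only (not FA's settings).
MAX_FAILURES = 3        # failed attempts tolerated before the first freeze
BASE_FREEZE_S = 60      # length of the first freeze, in seconds
MAX_FREEZE_S = 15 * 60  # upper bound so the freeze cannot grow without limit

@dataclass
class AccountState:
    failures: int = 0
    frozen_until: float = 0.0

class LoginThrottle:
    def __init__(self, check_password):
        self._check = check_password   # callable(user_id, password) -> bool
        self._state = {}

    def attempt(self, user_id, password, now):
        st = self._state.setdefault(user_id, AccountState())
        if now < st.frozen_until:
            # Reject before checking the password: while frozen, even the
            # correct password must fail, or the freeze gives no protection.
            return "frozen"
        if self._check(user_id, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # Each further failure doubles the freeze, up to the cap.
            extra = st.failures - MAX_FAILURES
            st.frozen_until = now + min(BASE_FREEZE_S * 2 ** extra, MAX_FREEZE_S)
        return "denied"

    def frozen_for(self, user_id, now):
        st = self._state.get(user_id)
        return max(0.0, st.frozen_until - now) if st else 0.0

    def unfreeze(self, user_id):
        # Administrator action: clear the freeze and the failure counter.
        self._state.pop(user_id, None)

def demo():
    # Constructed credential check; a real system compares password hashes.
    throttle = LoginThrottle(lambda u, p: hmac.compare_digest(p, "correct-horse"))
    out = [throttle.attempt("anna", "guess", t) for t in (0, 1, 2)]
    out.append(throttle.attempt("anna", "correct-horse", 3))   # inside first freeze
    out.append(throttle.attempt("anna", "guess", 62))          # freeze over, fails again
    out.append(throttle.frozen_for("anna", 62))                # second freeze is longer
    throttle.unfreeze("anna")
    out.append(throttle.attempt("anna", "correct-horse", 63))
    return out
```
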
Manage users
Add, modify and delete user information - store username, first name, last name, and email address. Add one or multiple user roles to your user, determining access rights for your user.
Link user to a contact in the system - you can link your user to a contact in the system, for example you can link an advisor user to an asset manager contact or an end user to a customer contact. The linked contact is used to limit the user's access to only certain customers and portfolios. You can add a linked contact manually, or you can automate the linking when your users log in through an external identity provider.
Activate and deactivate users - user's status allows you to mark your user as active, when the user is allowed to log in, or deactivate your user, when logging in is prevented.
Require a password reset on next login - you can require a user to reset their password, and the system asks for a new password on next login.
Unfreeze a locked user account - you can manually unfreeze a user account that has been locked for too many unsuccessful login attempts.
Follow last login dates and active sessions - you can see per user their last login date and currently active sessions, allowing you to see when your users have last logged in and if they are currently logged in.
Allow your internal users to manage their own user account - each internal user can manage their own user account details once they have logged in. This includes name, email address, password and two-factor authentication setup.
Manage user roles and permissions
Assign user roles for your users - you can select one or multiple user roles for each of your users to control which applications, screens and features they are allowed to access and use. In addition, user roles can be automatically assigned through a customization based on linked contact’s characteristics or information received through an external identity provider.
Manage user roles and user rights - you can add, edit and delete user roles, and group them into departments. You can define which rights are associated with each role.
Limit access to customers and portfolios - you can limit a user's access to only certain customers and portfolios when they log in. Users can either see only their own data, see other customers they directly represent (for example, advisors can access only their own customers' data or end users can access also their companies' or children's data through limited visibility), or see other customers they represent through a common representative (for example, advisors can access customers' data within their office, country or another common group through extended limited visibility).
Access different parts of the system
Navigate between applications - you can navigate between the different applications you have the right to access through the Global App Bar.
Share content in FA Back with different user roles - you can share certain content in FA Back, for example saved search views or report packages, with the different user roles defined in the system.
Information on new versions of FA Back - when you log in for the first time to FA Back after a version upgrade, you are presented with a popup with information about the new version.