Authentication

Overview

FA's Authentication provides you with tools to flexibly control who can log in to your FA, and to track when and where your users have logged in and what they have done within the system. Options for two-factor authentication, IP restrictions and tracking unsuccessful login attempts provide you with an extra layer of security. In addition, flexible user roles and permissions allow you to extensively control which features your users can use and what data they can see when they log in.

Functionality

Authenticate to the system

  • Authenticate with your user ID and password - with FA's authentication, each user logs in with their personal user ID and a password with a minimum length of eight characters.

  • Resetting a password - order a new temporary password from the login page with your user name, and reset your password when you log in the next time with the temporary password. Password reset can be disabled.

  • Two-factor authentication - the authentication mechanism can be extended with a second factor (i.e. two-factor authentication). The second factor can be a code generated by an authenticator or a one-time password, which the user enters after a successful login with user name and password. Valid authentication requires that both steps are successfully passed. You can enable two-factor authentication through Google Authenticator, email, SMS or FIDO2, either at the system level for all users or user by user.

  • Freezing the account for unsuccessful login attempts - the user ID is locked for an increasing period of time if the user types in an incorrect password too many times. During this time, the user is not allowed to log in, and can try again only after the freeze time has passed. You can configure how many unsuccessful login attempts are allowed before the user account is frozen. Administrators can then unfreeze the account.

  • IP restrictions - allow your users to log in only from certain IP addresses or IP address ranges. You can set restrictions at the system level for all users or user by user.

  • Information on new versions - when you log in for the first time after a version upgrade, you are presented with a popup with information about the new version.

  • Alternative authenticators - instead of FA's authentication, you can choose to use authentication through third-party identity providers such as Signicat Digital Identity and Signing and Microsoft Active Directory. The supported protocols for identity brokering are OpenID Connect v1.0 and SAML 2.0. In addition, user federation via LDAP / Microsoft Active Directory (AD) is supported.

Manage users

  • Add, modify and delete user information - store user ID, first name and last name, email address and phone number. Add one or multiple user roles to your user, determining access rights for your user. You can also link your user to a contact in the system, for example you can link an advisor user to an asset manager contact or an end user to a customer contact. The linked contact can be used to limit access to only certain customers and portfolios.

  • Activate and deactivate users - user's status allows you to mark your user as active, when the user is allowed to log in, or deactivate your user, when logging in is prevented.

  • Set a password - you can manually set a password for a user, or generate an eight-character long random password for a user. If you set a user's password, you need to communicate the password to your user manually.

  • Require a password reset on next login - you can require a user to reset their password, in which case the system asks for a new password on next login.

  • Unfreeze a locked user account - you can manually unfreeze a user account that has been locked for too many unsuccessful login attempts.

  • Override system-level preferences - you can override your system-level preferences on two-factor authentication and IP restrictions, allowing you to define these preferences user-by-user.

  • Follow last login dates and IP addresses - you can see per user their last login date and last login IP address, allowing you to see when and from where your users have last logged in.
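
The freeze and IP-restriction behaviour described above, modelled as an added example; this is not FA's code or configuration. The threshold, freeze durations, doubling schedule, network ranges and all names are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed values: the page does not state FA's thresholds, durations or data model.
MAX_FAILURES = 3                   # failed attempts allowed before the first freeze
BASE_FREEZE_SECONDS = 60           # first freeze length; doubles on each further failure
SYSTEM_ALLOWED = ["192.0.2.0/24"]  # constructed system-level IP restriction

@dataclass
class User:
    user_id: str
    allowed_networks: Optional[list] = None  # None = inherit the system-level setting
    failures: int = 0
    frozen_until: float = 0.0

def ip_allowed(user, source_ip):
    """A per-user restriction, when set, overrides the system-level one."""
    networks = SYSTEM_ALLOWED if user.allowed_networks is None else user.allowed_networks
    if not networks:               # empty list = no restriction for this user
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def attempt_login(user, source_ip, password_ok, now):
    """Return 'ok', 'ip_denied', 'frozen' or 'bad_password' for one attempt."""
    if not ip_allowed(user, source_ip):
        return "ip_denied"
    if now < user.frozen_until:
        return "frozen"            # rejected without evaluating the password
    if password_ok:
        user.failures = 0
        return "ok"
    user.failures += 1
    over = user.failures - MAX_FAILURES
    if over >= 0:                  # freeze grows: 60 s, 120 s, 240 s, ...
        user.frozen_until = now + BASE_FREEZE_SECONDS * 2 ** over
    return "bad_password"

def unfreeze(user):
    """Administrator action: clear the freeze and the failure counter."""
    user.failures = 0
    user.frozen_until = 0.0
```

Returning `frozen` before the password is evaluated means a correct guess made during the freeze window is indistinguishable from an incorrect one.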

Manage user roles and permissions

  • Define user roles - you can define as many separate user roles as you need to manage different kinds of access rights to the system. Your users can have multiple roles, allowing you to combine different rights under different roles. For example, your users can have a role for "back office", allowing them to perform your back office activities, but also have a role for "limited access", which allows them to access only certain customers and portfolios.

  • Enable and disable permissions - for every user role, decide what data the users within the role have the right to view, modify or delete, and which features and screens the users within the role have access to.

  • Content for each user role - configure what kind of content users see and have access to when logging in. For FA Front, you can set up the entire navigation and screens per user role. For FA Back, you can enable screens in the navigation and share pre-saved sub-screens per user role.

  • Limit access to customers and portfolios - you can limit a user's access to only certain customers and portfolios when they log in. Users can either see only their own data, see other customers they directly represent (for example, advisors can access only their own customers' data, or end users can also access their companies' or children's data through limited visibility), or see other customers they represent through a common representative (for example, advisors can access customers' data within their office, country or another common group through extended limited visibility).