# Security built-in

### <span class="mw-headline" id="bkmrk-password-policies-%28r-1">Password Policies (recommended)</span>

TS No-code Platform allows you to set up and enforce the use of strong passwords through an appropriate password policy. Specify attribute requirements that control the complexity and lifetime of passwords, such as:

- Minimum password length
- Special characters
- Maximum password age
- Maximum number of tries

The structural restrictions will be honored when:

- The user changes their password
- A new random password is generated and sent

Passwords can also be set to expire after an amount of time.

**How to:** The policies can be changed in the server configurations in the group *Password policies*.

**Note:** The password policies have no impact on SSO authentication.

### <span id="bkmrk-"></span><span class="mw-headline" id="bkmrk-multi-factor-authent-1">Multi-factor Authentication (recommended)</span>

#### <span class="mw-headline" id="bkmrk-device-mfa-1">Device MFA</span>

TS No-code Platform offers native Multi-factor Authentication to protect against unauthorized access by requiring a user to provide multiple authentication factors to prove their identity. At present, two different options are available:

- MFA using session-specific, one-time passcodes sent to the user's mobile phone via regular or Flash SMS
    - You will need to create an account for sending SMS
    - Cost is approx. 0,30 DKK per message
- MFA using a dedicated app from
    - Apple
    - Google
    - Microsoft

SMS requires very little of the users, while app-based MFA is considered (slightly) more secure.

**Note:** If single sign-on (SSO) is used, the MFA will not be used.

#### <span class="mw-headline" id="bkmrk-location-mfa-1">Location MFA</span>

The client IP address can be used as a factor. In some cases this is slightly less secure, but much easier for the user.

Options include:

- Country whitelisting (via IP)
- Static whitelisting of IPs
- Adaptive whitelisting of IPs

Adaptive whitelisting happens when the same user logs in from the same IP multiple times (typically 5).

IP MFA can be used together with normal MFA, so that the SMS/app check is only required when the IP is not whitelisted.
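The decision described above can be modelled as follows. This is an added example, not TS No-code Platform code: the class, method and rule names are hypothetical, and it assumes that a whitelisted country also skips the SMS/app check and that only fully authenticated logins count towards adaptive whitelisting.

```python
import ipaddress

ADAPTIVE_THRESHOLD = 5  # "typically 5" in the text above


class LocationMfa:
    """Illustrative model of location MFA; names are hypothetical."""

    def __init__(self, allowed_countries, static_networks,
                 threshold=ADAPTIVE_THRESHOLD):
        self.allowed_countries = set(allowed_countries)
        self.static_networks = [ipaddress.ip_network(n) for n in static_networks]
        self.threshold = threshold
        self.completed = {}  # (user, ip) -> number of completed logins

    def trusted_by(self, user, ip, country):
        """Return the rule that trusts this login, or None if none does."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.static_networks):
            return "static"
        if self.completed.get((user, str(addr)), 0) >= self.threshold:
            return "adaptive"
        if country in self.allowed_countries:
            return "country"
        return None

    def needs_second_factor(self, user, ip, country):
        """SMS/app check is required only when no location rule matches."""
        return self.trusted_by(user, ip, country) is None

    def record_login(self, user, ip):
        """Assumption: called only after a fully authenticated login, so
        failed attempts never build trust for an address."""
        key = (user, str(ipaddress.ip_address(ip)))
        self.completed[key] = self.completed.get(key, 0) + 1


def demo():
    # Constructed sample data using documentation address ranges.
    mfa = LocationMfa({"DK"}, ["203.0.113.0/24"])
    out = [mfa.needs_second_factor("alice", "198.51.100.7", "SE")]      # unknown
    for _ in range(ADAPTIVE_THRESHOLD):
        mfa.record_login("alice", "198.51.100.7")
    out.append(mfa.needs_second_factor("alice", "198.51.100.7", "SE"))  # learned
    out.append(mfa.needs_second_factor("bob", "198.51.100.7", "SE"))    # per user
    out.append(mfa.trusted_by("bob", "203.0.113.9", "SE"))              # static
    return out
```

Keying the adaptive counter on the user and IP pair means an address learned for one user does not relax the check for another user behind the same address.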

### <span id="bkmrk--1"></span><span class="mw-headline" id="bkmrk-geolocation-blocking-1">Geolocation blocking (optional)</span>

Geoblocking will allow the servers to deny requests from certain countries.

The geoblocking will match the client's IP against a Geo service. The country will be matched to the server's whitelist of country names.

**How to:** Change the system configurations starting with *ipBlocker*

- Activate setting **ipBlockerActive**
- Set allowed countries in **ipBlockerAllowedCountries**

### <span id="bkmrk--2"></span><span class="mw-headline" id="bkmrk-request-throttling-%28-1">Request throttling (optional)</span>

As specified in OWASP v4, the system should be able to limit the number of requests a user can carry out in a system.

Limitations can be set on

- Pages hit
- WebDAV requests
- Upload (size/count)
- REST operations

**How to:** Edit server configurations starting with *limit*

### <span id="bkmrk--3"></span><span class="mw-headline" id="bkmrk-brute-force-preventi-1">Brute force prevention (optional)</span>

This protection is handled by not serving too many requests to the login page, regardless of the source in question. This will prevent brute force attacks on distributed accounts using multiple machines. If the detection triggers, login requests will be ignored for a set amount of time, while already logged-in users can continue their work.

**How to:** Define system configurations starting with *brute force*

### <span class="mw-headline" id="bkmrk-additional-configura-1">Additional configurations</span>

- File whitelisting (uploadWhitelist)
- OWASP compliance (owaspCompliance)