Here at Knack, we take the security of your data very seriously. To help secure data in both the frontend and backend aspects of apps built with Knack, we’re happy to announce the release of some new Security Features for those on a Pro, Corporate, Enterprise, HIPAA or GovCloud plan!
To get the ball rolling, we'll start by introducing some infrastructure changes on the builder side that further help prevent rogue access to the backend of your apps. Please note that, for builder security, these settings cannot be altered.
If you are on a HIPAA plan and have been inactive in the builder for more than 15 minutes, you will be prompted to confirm to your browser that you are still working; otherwise you will be logged out of the builder and presented with a login screen when you return to your computer.
New password requirements have also been introduced for builder access, to make passwords harder to guess. Any current passwords will remain untouched, but the next time your password is changed, or when a new builder account is created, the following new rules will take effect:
- A minimum of 8 characters
- Cannot include any common passwords or dictionary words
To go along with the inactivity logout and the new password requirements, and to further prevent rogue access to the builder, we've implemented failed login protection, also known as brute-force protection.
After 3 failed login attempts within a 5-minute window, the builder account will be locked for 15 minutes or until the password is reset using the (forgot?) link on the login page. Please note that, to keep things secure, support is not able to unlock these accounts.
Live App Changes
We've also brought the same features, with some additional options, to your Live App, in case you'd like to apply there the security features enabled for the builder.
All of the following options are available under your app’s Settings > User Logins when user logins are enabled in your app, with the exception of Secure Browser, which is found under App Settings > Security.
For our HIPAA customers, some of these options are on by default and cannot be disabled; on other plans every option can be enabled or disabled as needed.
When the inactivity logout option is enabled, inactive users will be logged out of your live app after the period you choose. This can currently be set to 1, 5, 10, 15, 30 or 60 minutes.
The message presented to your users can also be changed by updating the default text in the 'Inactivity Message' box.
By enabling the options in this section, you can greatly increase the strength of the passwords set by users logging into your live app. The more requirements you choose, the stronger the passwords will be.
In addition to enabling minimum requirements, you can also choose to have your users' passwords expire every 60 days. When this is enabled and a password has expired, a message of your choosing will be displayed at the next login prompting the user to change the password. Until this is done, the user will not be able to log into the app.
If you'd also like users to choose a genuinely new password when resetting, you can enable the option that prevents them from reusing their last 3 passwords. The user will then be unable to pick any of their three most recent passwords. The warning message here can also be customized to give your users clear instructions.
We've also brought the failed login features to the live app in order to prevent rogue users from gaining access to the data in your live apps. By enabling this feature and setting its options, you can choose how many attempts within a set interval will lock a user out, and for how long.
When a user is locked out, you can also update the message to include instructions on what the user can do in order to log back into the app.
In addition, you can enable the ability for your users to request a password reset in order to unlock their ID, and/or send an email alerting the user to the lockout in case it wasn't really them logging in. That way they can alert an admin if needed.
We've also implemented a new way for you to force all live apps to redirect to the HTTPS:// equivalent of their site if a user accesses them over plain HTTP. New apps should have this turned on by default, while existing apps will have it turned off; it is easily enabled by going into App Settings > Security and switching on the option.
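As an added illustration of the lockout rules described above for the builder (3 failures within a 5-minute window lock the account for 15 minutes, or until the password is reset) and of the configurable version offered for the live app, here is a small Python model; it is example code, not Knack's own implementation, and its sliding-window counting and in-memory state are assumptions of the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FailedLoginPolicy:
    """Lock after `max_attempts` failures inside `window_seconds`, for `lockout_seconds`."""
    max_attempts: int = 3       # builder defaults from the announcement
    window_seconds: int = 300   # 5-minute window
    lockout_seconds: int = 900  # 15-minute lock


class LoginGuard:
    """Per-account failed-login tracker (in-memory state is an assumption here)."""

    def __init__(self, policy=None):
        self.policy = policy or FailedLoginPolicy()
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock time

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it and start a fresh window.
        del self.locked_until[account]
        self.failures[account].clear()
        return False

    def attempt(self, account, password_ok, now):
        """Returns 'locked', 'ok' or 'failed'; a correct password is still refused while locked."""
        if self.is_locked(account, now):
            return "locked"
        q = self.failures[account]
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()  # drop failures that fell outside the sliding window
        if len(q) >= self.policy.max_attempts:
            self.locked_until[account] = now + self.policy.lockout_seconds
            return "locked"
        return "failed"

    def password_reset(self, account):
        """A completed reset via the 'forgot?' link lifts the lock early."""
        self.locked_until.pop(account, None)
        self.failures[account].clear()
```

Timestamps are plain seconds so the behaviour can be checked without waiting; a live-app policy is expressed by passing a different `FailedLoginPolicy`.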