Peakon provides different security options to make sure that access to your account is safe and protected. We recommend the following best practices in order to reduce the risk of a security breach.
Enforce stronger passwords
Peakon uses an advanced algorithm called zxcvbn, developed by Dropbox. It uses a set of algorithms to estimate the number of guesses required to successfully find a password.
Unlike other password policies, there are no explicit rules on length, uppercase/lowercase letters or symbols. When entering a new password in Peakon, the error message will help you pick a strong password and explain why a given password is not secure enough.
In addition, the following are not allowed in the password:
- Your first name, last name or email address in the password
- The word "peakon"
- Characters in sequence, either in the alphabet or on the keyboard, e.g. "abcde", "12345" or "qwerty"
- Very common passwords, e.g. "P@ssword1".
Peakon requires that the password must not be guessable in less than 100,000,000 attempts. Coupled with the login-retry policies in Peakon, this ensures that it will take around 200 years on average to guess a password.
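As an added illustration (not Peakon's own code), the rules above as a defender-side policy check: the guess estimate is passed in from a strength estimator such as zxcvbn, while the minimum run length for the sequence rule, the check of the email's local part and the sample common-password list are assumptions of this example.

```python
# Assumed minimum run length for the "characters in sequence" rule; the article
# only gives "abcde", "12345" and "qwerty" as examples, not an exact length.
MIN_SEQUENCE = 4
GUESS_THRESHOLD = 100_000_000  # from the article: not guessable in fewer attempts

# Alphabet, digits and keyboard rows; reversed runs such as "edcba" are caught too.
_SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
              "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed sample of very common passwords; a real check uses a large list.
COMMON_PASSWORDS = {"p@ssword1", "password", "123456", "letmein", "welcome1"}


def has_sequence(pw: str) -> bool:
    """True if any MIN_SEQUENCE-long window is a forward or backward run."""
    low = pw.lower()
    for i in range(len(low) - MIN_SEQUENCE + 1):
        chunk = low[i:i + MIN_SEQUENCE]
        if any(chunk in s or chunk in s[::-1] for s in _SEQUENCES):
            return True
    return False


def check_password(pw: str, first_name: str, last_name: str, email: str,
                   estimated_guesses: int) -> list[str]:
    """Return rule violations for pw; an empty list means it is accepted.
    estimated_guesses is the attacker guess count from a strength estimator
    such as zxcvbn (the article names zxcvbn; this wiring is an assumption).
    """
    low = pw.lower()
    problems = []
    # Personal details; checking the email's local part as well is an assumption.
    personal = [("first name", first_name), ("last name", last_name),
                ("email address", email), ("email address", email.split("@")[0])]
    seen = set()
    for label, value in personal:
        value = value.lower()
        if value and value not in seen and value in low:
            problems.append(f"contains your {label}")
            seen.add(value)
    if "peakon" in low:
        problems.append('contains the word "peakon"')
    if has_sequence(low):
        problems.append("contains characters in sequence (alphabet or keyboard)")
    if low in COMMON_PASSWORDS:
        problems.append("is a very common password")
    if estimated_guesses < GUESS_THRESHOLD:
        problems.append(f"guessable in fewer than {GUESS_THRESHOLD:,} attempts")
    return problems
```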
Avoid sharing your authentication details
We recommend not sharing your email address and password with others, to avoid a security breach. Beware also of the many social engineering methods out there that manipulate users into providing confidential information such as passwords, or into granting computer access via malicious software.
When using the standard authentication method, it is possible to change the password by going to your profile and clicking the Change password tab.
If you don't remember your password, you can get a new one by clicking 'Forgot Password?', which prompts you to submit your email address; the system will then send an email containing a link to reset the password.
If you are using Single Sign-On, a third-party authentication system, you can reset your password through that service instead.
Set up Two-Factor authentication
It is possible to set up two-factor authentication (also known as 2FA or MFA) to log in to your Peakon Dashboard. This secures your account against attacks, as you will need both your password and a login code that is sent to your phone through the Authy app.
To set it up, follow these steps:
- Go to your Profile by clicking on your name at the top-left of your dashboard;
- Select the 'Security' tab;
- In this tab, enter your phone number in the 2-factor authentication section;
- You will receive an SMS containing a link to install Authy on your phone;
- Once the app is installed, enter the token into the field under the Security tab and click 'Finish'.
Monitor your active sessions
Any user can review active sessions in their own Profile under Security > Active sessions, which shows detailed information about the current sessions across different devices. It is possible to terminate a specific listed session by clicking 'Log out of session'; doing so logs out the user authenticated through that session.
Keep an eye on your account activity
In your profile under Security > Your account activity history, you can monitor account events such as survey/schedule updates, integration changes and dashboard access. Events are tracked by time, browser/OS, location and IP address, allowing you to track many of the important updates happening in your account.
Consider using Single Sign-on (SSO)
In addition to the default authentication method provided by Peakon, it is also possible to configure Single Sign-on, which authenticates users from your own external database and can replace any other login option. This allows users to log in with the same credentials across multiple applications and services. For users this means that they are prompted to authenticate against the external directory first, after which they can access Peakon through the directory's listed apps. You can read more on how to configure single sign-on here.
Revoke shared dashboard in case of breach
Dashboards can easily be shared with employees through a generated link. It is good practice to revoke access to these dashboards if you believe they have been shared outside your organisation. Administrators can revoke them by going to the Settings > Sharing tab and clicking 'Revoke all', or 'Revoke' next to a specific dashboard.
Regularly review your Access Control settings
It is recommended to review user access to the organisation's dashboard at least once a month, to ensure that the Access Control groups are up to date and that employees who have left the company are no longer granted access.