As of 1 April (software version 4.5.141.0), we will introduce an enhanced security model within our platform.
Digital security is no longer a secondary concern but a fundamental requirement. Organisations are increasingly facing cyber incidents where system access is the starting point of larger problems. In many cases, such incidents do not arise from complex hacks, but from insufficiently protected access controls.
With the renewed security model, we structurally reduce this risk.
Why this step?
The digital world is changing rapidly, and organisations are increasingly confronted with cyber incidents. Notably, these incidents do not always result from advanced hacking techniques. Often, they start with something seemingly small: access to a system.
An open session, unlimited login attempts, or a weak password can already be enough to gain unauthorised access to sensitive data.
As a software provider, we believe these risks should not exist where they can be avoided. We are therefore strengthening access security and removing avoidable weaknesses in how access is controlled. By applying multiple layers of security, we make system access harder to abuse and keep data better protected.
With this step, we are actively investing in a safer digital environment for our customers.
What will change in practice?
1. Security profiles (Low, Medium, High)
From now on, we will work with clearly defined security profiles: Low, Medium and High. Security settings are centrally defined for each profile. This includes settings such as:
- Required password complexity
- Maximum session duration
- Use of multi-factor authentication (MFA)
This allows the security level to be aligned with the role and responsibilities of a user. The Medium profile will serve as the default setting. For accounts with elevated privileges, for example, the High profile can be applied. The security profile is configured at the user role level.
| Settings | High | Medium | Low |
|---|---|---|---|
| Use of multi-factor authentication (MFA) | Yes | No | No |
| Failed login attempts allowed before lockout | 3 | 3 | 3 |
| Lockout duration (minutes) | Increasing | Increasing | Increasing |
| User blocked after inactivity (days) | 90 | 548 | 548 |
| Session duration (minutes) | 20 | 20 | 20 |
| Password history retained | 12 | 4 | No |
| Password expiry (days) | 60 | No | No |
| Minimum password length | 12 | 8 | 6 |
| Numbers required | Yes | Yes | Yes |
| Special characters required | Yes | Yes | Yes |
| Uppercase letters required | Yes | Yes | Yes |
| Lowercase letters required | Yes | Yes | Yes |
| Minimum number of unique characters | 6 | 4 | 4 |
2. Automatic session termination
Sessions are automatically terminated after 20 minutes of inactivity.
This prevents unattended workstations from retaining access to sensitive information. Active users are not interrupted; the session is closed automatically only when no activity has occurred for 20 minutes.
In the apps, this works slightly differently. Users are not logged out immediately when the session time expires. Instead, they are asked to log in again once a month, or earlier if the app has not been used for two weeks.
3. Temporary lockout after multiple failed login attempts
When an incorrect password is entered several times in a row, the account will be temporarily locked.
This measure protects against automated login attacks (brute-force attacks), where passwords can otherwise be guessed repeatedly. By limiting the number of attempts, we reduce the likelihood that unauthorised users can gain access to an account.
4. Strengthened password policy
Password requirements can now be configured per security profile. This makes it possible to enforce stronger passwords for accounts with higher privileges.
In addition, passwords can be set to expire after a certain period, after which users must create a new password that complies with the rules of the assigned profile.
The table below gives an approximate indication of how long a brute-force attack with modern cracking software can take, assuming the attacker has obtained a copy of the password hash and can make guesses offline at high speed; guessing directly against the login form is additionally limited by the temporary lockout described in section 3. The longer and more complex the password, the longer it takes to crack. Note that passwords built on dictionary words (such as "welcome") are found much faster by wordlist and rule-based attacks than the pure brute-force figures suggest.
| Password type | Example | Estimated time to crack |
|---|---|---|
| 6 digits | 483920 | Instant (< 1 second) |
| 8 lowercase letters | welcomea | A few minutes |
| 8 letters + numbers | welc0me2 | A few hours |
| 10 letters + numbers | team2026ab | A few weeks |
| 10 characters with uppercase, numbers, symbols | T3@m!2026x | Several years |
| 12+ complex characters | K9$hT2!qLp@7 | Thousands of years |
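The following is an added example, not code from the platform described on this page. It implements the password rules from the profile table above (minimum length, minimum unique characters, required character classes, password history) as a checker, and estimates the brute-force search space behind the crack-time table in the way such tables are usually derived: alphabet size raised to the length, halved for the average case, divided by an assumed guess rate. The rate of 10^9 guesses per second, the `PROFILES` and `PasswordPolicy` names and the `check_password`/`keyspace` helpers are this example's own assumptions; real cracking speed depends on the hash function and hardware.

```python
import string
from dataclasses import dataclass

SPECIAL = set(string.punctuation)   # the 32 printable ASCII symbols


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_unique: int
    history: int    # number of previous passwords that may not be reused (0 = none)


# Values copied from the Low/Medium/High profile table on this page.
# All three profiles require numbers, special, uppercase and lowercase characters.
PROFILES = {
    "High":   PasswordPolicy(min_length=12, min_unique=6, history=12),
    "Medium": PasswordPolicy(min_length=8,  min_unique=4, history=4),
    "Low":    PasswordPolicy(min_length=6,  min_unique=4, history=0),
}


def check_password(pw: str, profile: str, previous: tuple = ()) -> list:
    """Return the list of rule violations for `pw` under `profile`; empty = accepted.
    `previous` holds the user's earlier passwords, newest first, for the history rule."""
    p = PROFILES[profile]
    problems = []
    if len(pw) < p.min_length:
        problems.append(f"length {len(pw)} < minimum {p.min_length}")
    if len(set(pw)) < p.min_unique:
        problems.append(f"{len(set(pw))} unique characters < minimum {p.min_unique}")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if p.history and pw in previous[:p.history]:
        problems.append(f"reuses one of the last {p.history} passwords")
    return problems


def keyspace(pw: str) -> int:
    """Number of candidates an attacker who knows only the length and which character
    classes are present must try: alphabet size ** length."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIAL for c in pw):
        alphabet += len(SPECIAL)
    return alphabet ** len(pw)


GUESSES_PER_SECOND = 1e9   # assumption: offline cracking of a fast hash; adjust for your hash


def expected_crack_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the password by exhaustive search (half the keyspace at `rate`)."""
    return keyspace(pw) / 2 / rate


def human(seconds: float) -> str:
    """Render a duration in the coarse units the crack-time table uses."""
    if seconds < 1:
        return "instant"
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # The example passwords from the table above, checked against each profile.
    for pw in ("483920", "welcomea", "welc0me2", "team2026ab", "T3@m!2026x", "K9$hT2!qLp@7"):
        verdicts = {name: "ok" if not check_password(pw, name) else "rejected" for name in PROFILES}
        print(f"{pw:14} {human(expected_crack_seconds(pw)):>16}  {verdicts}")
```

Two things the table alone does not show: `T3@m!2026x` passes Medium but fails High on length alone, and a password such as `Aa1!Aa1!Aa1!` satisfies every class rule yet is rejected by High because it contains only four distinct characters, which is why the minimum-unique-characters rule exists.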
5. Support for multi-factor authentication (MFA)
Multi-factor authentication (MFA) adds an extra layer of security in addition to the password. This means that knowing a password alone is no longer sufficient to gain access to an account.
Within the High profile, MFA is mandatory by default. In other profiles, MFA can be enabled if required.
When MFA is configured, this verification is also required when changing a password. This means that a user must first verify their identity using MFA before a new password can be set. This prevents unauthorised users from gaining access to an account through a password reset.
Frequently Asked Questions
Why are different security profiles used?
Not every user has the same permissions or responsibilities. By using security profiles, the level of security can be aligned with the type of account. As a result, accounts with extended privileges can be assigned additional security measures, such as stricter password requirements or mandatory MFA.
Is multi-factor authentication (MFA) mandatory?
Within the High security profile, MFA is mandatory by default. In other profiles, MFA can be enabled by the administrator.
MFA adds an additional layer of security and is strongly recommended, especially for accounts with extended privileges.
What happens if a user enters the wrong password multiple times?
When an incorrect password is entered several times in a row, the account will be temporarily locked. This prevents passwords from being guessed indefinitely through automated attacks (brute-force attacks).
The lockout duration increases step by step if multiple failed login attempts occur within a 30-minute period.
| Failed login attempts | Action | Lockout duration |
|---|---|---|
| 1–3 | No lockout | – |
| 4 | Temporary lockout | 1 min. |
| 5 | Temporary lockout | 5 min. |
| 6 | Temporary lockout | 15 min. |
| 7 | Temporary lockout | 30 min. |
| 8–9 | Temporary lockout | 60 min. |
| 10 or more | Unlock only via email reset | – |
After the lockout period, the user can attempt to log in again. If an account is blocked after 10 or more failed attempts, it can only be unlocked by performing a password reset via email.
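The schedule in the table above, worked through as an added example that is not the platform's own implementation. The `LoginGuard` class, its method names and the time handling are this example's assumptions; so are three details the page does not state: attempts made while an account is locked are rejected whatever the password and do not advance the counter, a successful login clears the counter, and the 30-minute counting window is measured from the later of the last failure and the end of the last lockout (otherwise a 60-minute lockout would always reset the counter and step 10 could never be reached). The real credential check is injected as `verify`, so the example says nothing about how passwords are stored.

```python
import hmac
from dataclasses import dataclass
from typing import Callable

WINDOW_SECONDS = 30 * 60                                      # failures counted within a 30-minute period
LOCKOUT_MINUTES = {4: 1, 5: 5, 6: 15, 7: 30, 8: 60, 9: 60}    # schedule from the table above
HARD_BLOCK_AT = 10                                            # 10 or more: unlock only via e-mail reset


@dataclass
class AccountState:
    failures: int = 0          # failed attempts in the current counting window
    last_failure: float = 0.0
    locked_until: float = 0.0
    needs_reset: bool = False


class LoginGuard:
    """Escalating lockout tracker. `verify(user, password)` is the real credential
    check; it is injected so this example stays independent of password storage."""

    def __init__(self, verify: Callable[[str, str], bool]):
        self._verify = verify
        self._state = {}

    def state(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def attempt(self, user: str, password: str, now: float) -> tuple:
        """Process one login attempt at time `now` (seconds). Returns (accepted, reason)."""
        s = self.state(user)
        if s.needs_reset:
            return False, "blocked: unlock only via email password reset"
        if now < s.locked_until:
            # Assumption: during a lockout every attempt is rejected, even with the
            # correct password, and the counter does not move.
            return False, f"locked for {int(s.locked_until - now)} more seconds"
        # Assumption: the counter resets after 30 quiet minutes; time spent locked is not "quiet".
        if s.failures and now - max(s.last_failure, s.locked_until) > WINDOW_SECONDS:
            s.failures = 0
        if self._verify(user, password):
            s.failures = 0
            return True, "ok"
        s.failures += 1
        s.last_failure = now
        if s.failures >= HARD_BLOCK_AT:
            s.needs_reset = True
            return False, "blocked: unlock only via email password reset"
        minutes = LOCKOUT_MINUTES.get(s.failures)
        if minutes:
            s.locked_until = now + minutes * 60
            return False, f"wrong password; locked for {minutes} min"
        return False, "wrong password"

    def complete_email_reset(self, user: str) -> None:
        """Called once the user has set a new password through the e-mail reset flow."""
        self._state[user] = AccountState()


def demo_verify(user: str, password: str) -> bool:
    # Constructed credential store for the demo only; a real system compares password hashes.
    expected = {"alice": "correct horse battery staple"}
    return user in expected and hmac.compare_digest(expected[user], password)


if __name__ == "__main__":
    guard = LoginGuard(demo_verify)
    t = 0.0
    for i in range(1, 12):
        t = max(t, guard.state("alice").locked_until)   # retry as soon as each lockout ends
        print(f"attempt {i:2d} at t={t:6.0f}s:", guard.attempt("alice", "wrong", t))
```

Running the demo shows the escalation 1, 5, 15, 30, 60, 60 minutes and then the hard block on the tenth attempt; only `complete_email_reset` clears that state.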
Does the session duration also apply to the app?
In the app, this works slightly differently. You are not logged out immediately when the session time expires. Instead, you will be asked to log in again once a month, or earlier if the app has not been used for two weeks.
How can I adjust the security level?
The security level is determined by the security profile (Low, Medium or High) that is linked to a user role. An administrator can adjust this by applying the desired security profile to the relevant user role.
Is Single Sign-On (SSO) recommended?
Yes. With Single Sign-On (SSO), users log in with their own organisational account, and password management and access policies are managed centrally within the organisation. This is more convenient for users and lets organisations manage access control and security policy in one place. We therefore recommend using SSO wherever possible.