# Security Settings
Security Settings help you protect your agency's GovPayPlan account and maintain compliance with security requirements.
## Accessing Security Settings
- Navigate to Settings > Security
- Administrator role required
## Multi-Factor Authentication (MFA)

### What is MFA?
MFA adds an extra layer of security by requiring a second form of verification beyond the password.
### Supported MFA Methods
- Authenticator App (Recommended): Google Authenticator, Authy, etc.
- SMS: Text message codes
- Email: Email verification codes
### Enabling MFA for Your Agency
- Navigate to Settings > Security > MFA
- Toggle Require MFA to On
- Select allowed MFA methods
- Set grace period for users to enroll
- Save
### MFA Policies
| Policy | Description |
|---|---|
| Required for all users | All users must enable MFA |
| Required for admins only | Only admin roles require MFA |
| Optional | Users can choose to enable MFA |
### User MFA Enrollment
When MFA is required:
- User logs in and is prompted to enroll
- User selects their MFA method
- User completes verification setup
- MFA is active for future logins
## Password Policies

### Configurable Requirements
| Setting | Options |
|---|---|
| Minimum length | 8-32 characters |
| Require uppercase | Yes/No |
| Require lowercase | Yes/No |
| Require numbers | Yes/No |
| Require special characters | Yes/No |
| Password history | Prevent reuse of last N passwords |
| Maximum age | Days before password must change |
### Setting Password Policy
- Navigate to Security > Password Policy
- Configure requirements
- Save changes
**Tip:** Stronger password policies improve security but may increase support requests. Balance security with usability.
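To make the settings table concrete, here is an added example (illustrative code, not GovPayPlan's implementation) of a checker that enforces every row of it: minimum length, the four complexity toggles, a password history of the last N entries, and a maximum age. The field names, the PBKDF2 hashing used for history entries, and the default values are assumptions.

```python
"""Added example, not GovPayPlan code: enforcing a configurable password policy."""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest) of a previous password


@dataclass
class PasswordPolicy:
    min_length: int = 12          # settings table allows 8-32
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 5         # "prevent reuse of last N passwords"
    max_age_days: int = 90        # "days before password must change"


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256. History stores only these, never clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_new_password(policy: PasswordPolicy, password: str,
                       history: List[HistoryEntry]) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length must be at least {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("missing uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("missing lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("missing special character")
    # History: re-derive with each stored salt and compare in constant time.
    for salt, old_digest in history[-policy.history_size:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, old_digest):
            problems.append(f"reuses one of the last {policy.history_size} passwords")
            break
    return problems


def password_expired(policy: PasswordPolicy, last_changed: str, today: str) -> bool:
    """Maximum-age rule over ISO dates: True once the password is older than max_age_days."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    previous = [hash_password("OldPass-2023!")]          # constructed history entry
    print(check_new_password(policy, "OldPass-2023!", previous))
    print(check_new_password(policy, "Correct-Horse-42", previous))
    print(password_expired(policy, "2024-01-01", "2024-04-15"))
```

The history check is the expensive step (one PBKDF2 derivation per stored entry), which is why `history_size` should stay small; the rest of the checks are cheap string scans that can also run client-side to give users immediate feedback.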
## Session Management

### Session Timeout
Configure automatic logout after inactivity:
- 15 minutes (high security)
- 30 minutes (recommended)
- 60 minutes (standard)
- Custom duration
### Concurrent Sessions
Control multiple logins:
- Allow unlimited sessions
- Limit to N sessions per user
- Single session only (log out the previous session on new login)
### Session Settings
- Navigate to Security > Sessions
- Set timeout duration
- Configure concurrent session policy
- Save
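The two session policies above interact: the inactivity timeout decides when an idle session dies, and the concurrent-session limit decides what happens to older sessions when a new login arrives. The following added example (not GovPayPlan's implementation; the store, policy fields and defaults are assumptions) is a small in-memory session store that enforces both, including the "single session only" behaviour of logging out the previous session.

```python
"""Added example, not GovPayPlan code: inactivity timeout and concurrent-session limits."""
from dataclasses import dataclass
import secrets
from typing import Dict, Optional


@dataclass
class SessionPolicy:
    timeout_minutes: int = 30            # the page's recommended value
    max_sessions: Optional[int] = 1      # None = unlimited; 1 = single session only


@dataclass
class Session:
    user: str
    last_seen: float                     # seconds; any monotonic clock will do


class SessionStore:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        """Create a session. If the user is at the concurrent limit, the oldest
        sessions are revoked first; with max_sessions=1 that is "log out previous"."""
        if self.policy.max_sessions is not None:
            own = sorted((s.last_seen, sid) for sid, s in self.sessions.items()
                         if s.user == user)
            while len(own) >= self.policy.max_sessions:
                _, oldest = own.pop(0)
                del self.sessions[oldest]
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[sid] = Session(user, now)
        return sid

    def touch(self, sid: str, now: float) -> bool:
        """Validate a request. Returns False, and drops the session, once it has
        been idle longer than the timeout; otherwise refreshes the idle clock."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s.last_seen > self.policy.timeout_minutes * 60:
            del self.sessions[sid]
            return False
        s.last_seen = now
        return True

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self.sessions.values() if s.user == user)


if __name__ == "__main__":
    store = SessionStore(SessionPolicy(timeout_minutes=30, max_sessions=1))
    first = store.login("alice", 0)
    second = store.login("alice", 60)         # revokes `first`
    print("first still valid:", store.touch(first, 61))
    print("second after 31 idle minutes:", store.touch(second, 60 + 31 * 60))
```

Note that `touch` only checks idleness; an absolute session lifetime (a hard cap regardless of activity) is a separate control that this store does not implement.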
## IP Restrictions

### IP Allowlist
Restrict access to specific IP addresses:
- Navigate to Security > IP Restrictions
- Click Add IP Address
- Enter IP or CIDR range
- Add description
- Enable allowlist
### Managing IP Restrictions
| Action | How |
|---|---|
| Add IP | Enter IP and description |
| Remove IP | Click delete next to IP |
| Disable temporarily | Toggle allowlist off |
**Warning:** Be careful with IP restrictions. Incorrect configuration can lock out legitimate users.
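The warning above is the main operational risk of an allowlist. This added example (not GovPayPlan's code; the class and its guard are assumptions) models the add/remove/enable actions from the table with Python's `ipaddress` module, validates single addresses and CIDR ranges, and refuses to enable enforcement unless the administrator's own address is covered, so a typo cannot lock out the person turning it on.

```python
"""Added example, not GovPayPlan code: an IP allowlist with a lockout guard."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> Network:
    """Accept a single address ("198.51.100.7") or a CIDR range ("203.0.113.0/24").
    strict=False tolerates host bits in a range (10.1.2.3/24 -> 10.1.2.0/24).
    Raises ValueError for anything that is not a valid IPv4/IPv6 entry."""
    return ipaddress.ip_network(entry.strip(), strict=False)


class IpAllowlist:
    def __init__(self) -> None:
        self.entries: List[Tuple[Network, str]] = []   # (network, description)
        self.enabled = False

    def add(self, entry: str, description: str) -> None:
        self.entries.append((parse_entry(entry), description))

    def remove(self, entry: str) -> None:
        net = parse_entry(entry)
        self.entries = [(n, d) for n, d in self.entries if n != net]

    def _covered(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net, _ in self.entries)

    def permits(self, client_ip: str) -> bool:
        """Access decision: everything is allowed while the list is disabled."""
        if not self.enabled:
            return True
        return self._covered(client_ip)

    def enable(self, admin_ip: str) -> None:
        """Lockout guard: refuse to turn enforcement on unless the address of the
        administrator doing so is already in the list."""
        if not self._covered(admin_ip):
            raise ValueError(
                f"{admin_ip} is not in the allowlist; enabling it would lock you out")
        self.enabled = True

    def disable(self) -> None:
        """The table's "disable temporarily" action."""
        self.enabled = False


if __name__ == "__main__":
    # Constructed entries using documentation address ranges (RFC 5737).
    allowlist = IpAllowlist()
    allowlist.add("203.0.113.0/24", "Agency office")
    allowlist.add("198.51.100.7", "VPN egress")
    allowlist.enable("203.0.113.40")
    print("office client:", allowlist.permits("203.0.113.40"))
    print("unknown client:", allowlist.permits("192.0.2.1"))
```

Keep at least one out-of-band way back in (a break-glass account exempt from the allowlist, or the vendor's support path) and review the list whenever office or VPN egress addresses change.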
## Login Security

### Failed Login Lockout
Configure account lockout after failed attempts:
- Number of attempts before lockout
- Lockout duration
- Notification on lockout
### CAPTCHA
Enable CAPTCHA for login:
- After N failed attempts
- Always required
- Disabled
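The lockout and CAPTCHA settings above share one counter: failed attempts. This added example (not GovPayPlan's implementation; the policy fields, return values and notification callback are assumptions) shows how the three lockout settings and the "after N failed attempts" CAPTCHA mode fit together, including the detail that a correct password is still refused while the account is locked.

```python
"""Added example, not GovPayPlan code: failed-login lockout with a CAPTCHA threshold."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    max_attempts: int = 5                 # "number of attempts before lockout"
    lockout_seconds: int = 15 * 60        # "lockout duration"
    captcha_after: Optional[int] = 3      # None = disabled, 0 = always required


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, policy: LockoutPolicy,
                 notify: Callable[[str, float], None]) -> None:
        self.policy = policy
        self.notify = notify              # "notification on lockout" hook
        self.state: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.state.setdefault(user, AccountState())

    def captcha_required(self, user: str) -> bool:
        if self.policy.captcha_after is None:
            return False
        return self._state(user).failures >= self.policy.captcha_after

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def attempt(self, user: str, now: float, verify: Callable[[], bool]) -> str:
        """Process one login attempt. Returns "locked", "ok" or "failed".
        `verify` checks the credential and is only called when the account is
        not locked, so guesses during a lockout are rejected without evaluation."""
        s = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if verify():
            s.failures = 0
            return "ok"
        s.failures += 1
        if s.failures >= self.policy.max_attempts:
            s.locked_until = now + self.policy.lockout_seconds
            s.failures = 0
            self.notify(user, s.locked_until)
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(), lambda u, t: print(f"{u} locked until t={t}"))
    for t in range(6):
        print(t, guard.attempt("dave", t, lambda: False), "captcha:",
              guard.captcha_required("dave"))
```

Because anyone who knows a username can trigger the lockout, the notification matters: it tells the account owner and the administrator that someone is guessing, and a short duration limits how long a legitimate user is kept out.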
## Audit Logging

### What's Logged
GovPayPlan automatically logs:
- User logins and logouts
- Failed login attempts
- Password changes
- Permission changes
- Configuration changes
- Payment transactions
- Refund actions
### Viewing Audit Logs
- Navigate to Security > Audit Log
- Filter by:
  - Date range
  - User
  - Action type
- Export as needed
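Exported logs are most useful when you can filter them the same way the UI does and then look for patterns, which is what "monitor audit logs for suspicious activity" means in practice. This added example (not GovPayPlan's code or export format; the JSON field names and the sample lines are constructed) parses event lines of the kinds listed above, applies the date-range, user and action-type filters, flags users with a burst of failed logins, and writes a CSV export.

```python
"""Added example, not GovPayPlan code: filtering and reviewing exported audit events."""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines; the field names are an assumption, not the product's format.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "dave", "action": "login", "result": "success", "ip": "203.0.113.5"}
{"ts": "2024-05-01T08:05:00Z", "user": "erin", "action": "login", "result": "failure", "ip": "198.51.100.9"}
{"ts": "2024-05-01T08:06:00Z", "user": "erin", "action": "login", "result": "failure", "ip": "198.51.100.9"}
{"ts": "2024-05-01T08:07:00Z", "user": "erin", "action": "login", "result": "failure", "ip": "198.51.100.9"}
{"ts": "2024-05-01T08:08:00Z", "user": "erin", "action": "login", "result": "failure", "ip": "198.51.100.9"}
{"ts": "2024-05-01T09:00:00Z", "user": "dave", "action": "permission_change", "result": "success", "ip": "203.0.113.5"}
{"ts": "2024-05-02T10:00:00Z", "user": "dave", "action": "refund", "result": "success", "ip": "203.0.113.5"}
"""


def _parse_ts(value: str) -> datetime:
    """ISO 8601 with a trailing Z, as the sample lines use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = _parse_ts(event["ts"])
        events.append(event)
    return events


def filter_events(events: List[Dict], start: Optional[str] = None, end: Optional[str] = None,
                  user: Optional[str] = None, action: Optional[str] = None) -> List[Dict]:
    """The UI's three filters: date range [start, end), user, action type."""
    lo = _parse_ts(start) if start else None
    hi = _parse_ts(end) if end else None
    return [e for e in events
            if (lo is None or e["ts"] >= lo)
            and (hi is None or e["ts"] < hi)
            and (user is None or e["user"] == user)
            and (action is None or e["action"] == action)]


def failed_login_bursts(events: List[Dict], threshold: int = 3,
                        window_minutes: int = 10) -> List[str]:
    """Users with at least `threshold` failed logins inside any window of
    `window_minutes`; a simple review check for password guessing."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = []
    window = timedelta(minutes=window_minutes)
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def export_csv(events: List[Dict]) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "user", "action", "result", "ip"])
    for e in events:
        writer.writerow([e["ts"].isoformat(), e["user"], e["action"], e["result"], e["ip"]])
    return buf.getvalue()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evs))
    print(export_csv(filter_events(evs, user="dave")))
```

The burst check is deliberately simple; the same loop can be pointed at permission changes or refunds outside business hours, which are the other event types above that warrant a second look.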
### Audit Log Retention
Configure how long logs are retained:
- 90 days (minimum)
- 1 year (recommended)
- 7 years (compliance)
- Custom
## Compliance

### PCI-DSS
GovPayPlan is PCI-DSS compliant. Your responsibilities:
- Protect user credentials
- Maintain access controls
- Monitor for suspicious activity
- Report security incidents
### Security Certifications
GovPayPlan maintains:
- PCI-DSS Level 1
- SOC 2 Type II
- Regular penetration testing
## Security Best Practices
- Enable MFA for all users
- Use strong passwords with complexity requirements
- Review access regularly
- Monitor audit logs for suspicious activity
- Keep contact info current for security notifications
- Train users on security awareness
## Incident Response

### Reporting Security Issues
If you suspect a security issue:
- Contact your agency administrator immediately
- Document what you observed
- Do not attempt to investigate yourself
- Contact GovPayPlan support
### Emergency Actions
Administrators can:
- Disable all user accounts
- Revoke API keys
- Enable emergency MFA requirement
- Lock down IP access
## Related Topics
- User Management - Manage user access
- Roles & Permissions - Configure access controls
