Currently Acoustic has the following feature: Acoustic Campaign has a security feature that disables any user who has not logged in for the past 90 days.
Replace this disabling after 90 days of not logged in, by one of the following:
if MFA is enabled, no automatic disabling after 90 days
request a new confirmation on the email of that user, after 90 days - if not logged in during 90 days
How will this idea be used?
Granted that on Cloud Systems security will have different needs and requirements. But this automatic disabling after 90 days makes ab-so-lu-te-ly no sense whatsoever. It's stated as a security feature, but I'm not sure what the added security is here. As partners we tend to have multiple accounts on multiple orgs: there is really no way to log into each and every one every 90 days. The problem is that once you need to access it, you first have to contact the Org admin - who often doesn't know he is it - and that's assuming he can do the change on the spot (because without it, you cannot log in and do the work you need to do).

(1) You are already requesting confirmation codes when a new device/IP is being used: why not use that principle? So, if for 90 days a person has not logged in, request a new code. The email can be sent to the one registered for that user.

(2) Alternatively, you can either enforce MFA, or - even better - have users that have MFA enabled drop the 90 days compliance. That user already has an added layer of security, so disabling his user after 90 days makes no sense.

(3) Have a counter next to each user in the user management page that tells how many days ago the last login for that user was. If the client/Org wants to monitor/disable accounts that have not logged in in a while (determined period), they can scan the list and update it (manually).

What is your industry? Professional Services
What is the idea priority? Medium
Hello,
This idea is a bit old, but we do encounter the same issue in 2023.
As we are not really "clients" of Acoustic but more "partners", we manage many organizations for many clients.
And we are often automatically blocked on our clients' organizations after 90 days without connecting to them, even when we are administrators on these organizations with the option "do not expire password" checked.
This can lead to important production issues on our side.
We don't have MFA activated, but it would be great if, after 90 days without connecting to an organization, we would receive a code by email and have to enter it into Acoustic to be able to reconnect.
Another way of handling it would be to send an email to the user 7 days before the account is disabled, alerting the user that his account will be disabled.
Best regards,
Marine Chaumont
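To make the alternatives discussed in the idea and in the comment concrete, here is an added illustration of an inactive-account policy evaluator. It is not Acoustic's code and nothing about Acoustic Campaign's internals is assumed; the threshold (90 days), the MFA exemption, the emailed re-verification code, the per-user "days since last login" report and the 7-day warning are taken from the page, while the account records, the 15-minute code lifetime and all function names are constructed for the example. The `policy="current"` branch models the behaviour the page complains about so the two can be compared side by side.

```python
"""Inactive-account policy evaluator (added example, not Acoustic's code).

All accounts, timestamps and names below are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT_DAYS = 90            # disable threshold described on the page
WARNING_LEAD_DAYS = 7                 # heads-up window proposed in the comment
CODE_TTL = timedelta(minutes=15)      # assumed lifetime of an emailed code


@dataclass(frozen=True)
class UserAccount:
    username: str
    email: str
    last_login: Optional[datetime]    # None: the account has never logged in
    mfa_enabled: bool


def days_since_login(user: UserAccount, now: datetime) -> Optional[int]:
    """Whole days since the last login, or None if the account never logged in."""
    if user.last_login is None:
        return None
    return (now - user.last_login).days


def evaluate(user: UserAccount, now: datetime, policy: str = "proposed") -> str:
    """Decide what should happen to an account at time `now`.

    policy="current"  : disable after 90 days of inactivity (the page's complaint).
    policy="proposed" : MFA-enabled users are never auto-disabled (proposal 2);
                        other idle users must re-verify via an emailed code instead
                        of being locked out (proposal 1); everyone else is warned
                        7 days before the threshold (the comment's suggestion).
    """
    days = days_since_login(user, now)
    idle = days is None or days >= INACTIVITY_LIMIT_DAYS
    if policy == "current":
        return "disabled" if idle else "active"
    if user.mfa_enabled:
        return "active"               # a second factor already protects this login
    if idle:
        return "reverify_email"       # step-up check rather than an admin ticket
    if days >= INACTIVITY_LIMIT_DAYS - WARNING_LEAD_DAYS:
        return "warn_expiry"
    return "active"


def last_login_report(users: List[UserAccount], now: datetime) -> List[Tuple[str, Optional[int]]]:
    """Proposal 3: per-user days since last login, most stale first (never-logged-in on top)."""
    rows = [(u.username, days_since_login(u, now)) for u in users]
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0), reverse=True)


@dataclass
class PendingCode:
    code: str
    expires_at: datetime


def issue_reverification_code(username: str, now: datetime, pending: Dict[str, PendingCode]) -> str:
    """Create a one-time numeric code for the registered e-mail address.

    The caller would e-mail the returned value; only the pending record is kept.
    """
    code = f"{secrets.randbelow(10 ** 6):06d}"
    pending[username] = PendingCode(code, now + CODE_TTL)
    return code


def verify_reverification_code(username: str, submitted: str, now: datetime,
                               pending: Dict[str, PendingCode]) -> bool:
    """Accept the code once, within its lifetime; any attempt consumes it."""
    record = pending.pop(username, None)
    if record is None or now > record.expires_at:
        return False
    return hmac.compare_digest(record.code, submitted)


# Constructed sample data: one account per branch of the policy.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
USERS = [
    UserAccount("alice", "alice@example.com", NOW - timedelta(days=10), False),   # active
    UserAccount("bob", "bob@example.com", NOW - timedelta(days=85), False),       # inside warning window
    UserAccount("carol", "carol@example.com", NOW - timedelta(days=120), True),   # idle but MFA-enabled
    UserAccount("dave", "dave@example.com", NOW - timedelta(days=120), False),    # idle, no MFA
    UserAccount("erin", "erin@example.com", None, False),                         # never logged in
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.username:6} current={evaluate(u, NOW, 'current'):9} proposed={evaluate(u, NOW)}")
    print(last_login_report(USERS, NOW))
```

The evaluator is deliberately ordered so the MFA exemption is checked before the warning window: an account that will never be auto-disabled has nothing to be warned about. The one-time code is consumed on the first attempt, right or wrong, so a guessed code cannot be retried against the same record; rate limiting of code requests is assumed to live elsewhere.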