Mistake on this page? Email us

Security

Tip: You can perform all team management actions with the Account Management API.

To manage team security settings, in Team Configuration > Identity and security, click Change security settings.

You can edit:

  • Minimum password length: The hard-coded minimum is eight, so you can't set a value below that.

    Changing this value forces all users whose passwords are shorter to set new passwords at their next login attempt. (It does not close their current sessions.)

    This option is relevant only to users with a native Device Management account. If you're using a custom identity provider, the IdP must set this option. Mbed.com accounts can't set their own password length.

  • Session timeout in minutes: This means idle time; so long as a user is active, the session remains open, even if it exceeds the session timeout.

    Changing this value logs out any user whose session has been idle for longer than the new value, even if the user logged in before you made the change.

    This option is relevant to all users, even if they use a third-party IdP. The users remain logged in until the expiration of the lower of two possible values: their IdP's token validity or their session timeout. In other words, their session may be shorter than the timeout you set in Portal, but never longer.

  • Two-factor authentication: All users will have to install a token generator on their phones before they log in to Portal. They can select from a number of token generators, such as Google Authenticator, LastPass Authenticator or Microsoft Authenticator.

    If you enforce two-factor authentication, all existing users who have not set up a second factor yet will be logged out of their active sessions.

    This option is relevant only to users with a native Device Management account or an Mbed.com account. If your team is using a custom identity provider, the IdP must set up this option.

Any changes you made go into immediate effect, as explained for each option.

What to do if your account is compromised

The device and Device Management communicate by mutual authentication, using public and private key-pairs.

If an unauthorized user accesses the private keys, the user can compromise the security of your devices. If you suspect an unauthorized party has your device private keys, factory private keys or Device Management private keys, contact support immediately to identify the best course of action to minimize potential damage.

If you suspect your account credentials (email address and password) have been compromised, contact an administrator, who can revoke your access rights.