Security Standards

Extension designed to enforce proper security standards in VTiger. Our tool allows system administrators to force users to change their passwords every xx days, and implements secure password rules (one lower/upper case, number, special character).

In addition, it tracks successful and failed logins, and locks users after number of incorrect logins. It has built in capabilities to restrict user logins to one IP address, only allowing to login on one device.



The Secure Login can be configured by going to the CRM Settings > Other Settings > Enhance Security.

Lock user after X incorrect login attempts: Specify the number of failed login attempts, after which the login will be inaccessible/locked. (When the user is locked – a field in user “My Preferences” is set to Locked = Yes. To unlock the user – system admin would have to uncheck that field for locked user).

Force Change password after (days): User is forced to reset his password after the specified number of days, every time.

Require Secure Password: Secure password must have; (At least one Upper and lower Case, At least one Number, At least one Special Character (! @ # % ^ & * ? . ,), if all options are enabled.

Enable 2 Step Authentication: allows system admins to add an extra layer of security for the CRM. This is explained in details later in the section “2 – Step Authentication”

VTiger Login Tracker:  To restrict users’ login activities. Following options are available that can be enabled/disabled according to the requirements:

* Only one user can be logged into one user account – restricts to 1 session of the user at a time.

* You can log on only one IP address – locks the user to be able to login from only 1 IP address.

* Session expiration time (in minutes) – user gets logged out after the specific time.

2 – Step Authentication

The feature allows system admins to enable 2 – factor authentication for VTiger users. Once its enabled, when some user logins to his account from a new IP, the system asks for a unique authentication code that is sent to the registered email address for that user.

Configuration of 2 – Step Authentication

Active: Enable or disable the 2 – factor authentication for VTiger users upon login

[dt_highlight color=”green”]Email Message[/dt_highlight]: Set the text of the email which will be sent with the code. Include the command $authentication_code$ that will be converted to random code per email

Remember for X Days: this is the number of days for which you allow users to login without the need of 2 – step authentication code. Set it to ‘0’ – so every time a user logs in, he/she will require the code to be entered

Lock User after X attempts: This is the number of wrong attempts after which the user will be locked and won’t be able to take another try to login. If you do not want to lock the users, leave this field blank

[dt_highlight color=”green”]Email Message[/dt_highlight]: This email template will be created to be sent when a user is locked. An Email will be sent to admin and user that the account is locked due to excessive number of failed attempts to login

Automatically unlock user after X minutes: Set the time in minutes after which the locked users will be unlocked automatically and won’t need admins to unlock them

Excluded User: This is the fail-safe passage in case your email stops working. The user selected here will be excluded from the 2 – factor authentication restriction and will unlock other users, given they are locked and emails are not working. Note that only users with admin privileges can be selected here – as they will need to access the settings of the “Secure Login” extension

Working of 2 – Step Authentication

Once you’ve configured the 2 – factor authentication for users, they will be asked for the code upon the first time they will login. The code will be sent to the email address registered for that user. Standard Outgoing server needs to be working for the emails to be sent. If its not working for some reason, the “Excluded user” can always login and disable the 2 – step authentication.

If a user enters wrong code for more than the allowed attempts, the user gets locked. After that, either an admin user can unlock the locked user from the settings of Secure login extension, or the user has to wait for the time (if configured) to be allowed again to try and login with the correct code.

Note: Once a user is locked, only the system admin can unlock it.

List of All Login Attempts (successful/unsuccessful)

Under the Secure Login Settings is the list of all the login attempts that had been made on the said account. It shows the details of the signed in user such as:

IP address of the attempter

Operating system on the PC from which the try was made

Internet browser being used

Date & time of the login attempt

User on which the operation was executed

Status of the attempt whether it was a successful attempt or a failed one.

Once a login attempt is made, the code that’s sent to user’s email is shown here. It also shows successful or failed codes entered while logging in – i.e. either the code was accepted or rejected.

Note: You can lock/unlock a user and see the last date of password changed from “My Preferences” for that user.