Tenant Configuration is an admin-only section of the Account Manager tool. This section allows Account Admins to view the name on file for their tenant, change users’ session timeout interval, and customize tenant-level multi-factor authentication (MFA) settings.
Tip
A tenant refers to your organization's distinct web address within the Filevine platform. Each tenant represents a separate account with its own users, Org(s), projects, data, and settings.
To learn more about the common terms found in Filevine, read our glossary.
Tenant Name
View the name on file for your Filevine tenant under the Name header. The name displayed here also displays to your users when they sign in. If you need to change your account name, reach out to Filevine support.
Session Timeout
When a user’s session expires, they are taken back to the login page and required to reauthenticate by logging in. Sometimes a session expires because the 24-hour time-to-live (TTL) is reached, and sometimes because the Refresh session timeout is reached.
Account Admins cannot change the TTL interval, which expires after 24 hours. However, they can adjust the Refresh session timeout period, decreasing the likelihood of login-based interruptions during their chosen time frame.
By default, this timeout period is set to 1 Day. To change the interval, expand the “Session Timeout” dropdown menu and select the desired frequency. The timeout interval can be no greater than 3 Months. For more guidance, read the Best Practices section below.
Again, a longer timeout interval does not guarantee that a user will not need to reauthenticate for the entire interval. Instead, the user is less likely to be interrupted by re-authentication requests during that time—but may still be prompted to reauthenticate when the TTL interval expires.
Use Case Example
Below is an example of how a longer session timeout might work. A longer session timeout does not guarantee that a user will not need to re-authenticate for that time period, but it does make the user less likely to have their work interrupted.
In this example, an Account Admin has selected a session timeout frequency of 6 days.
- DAY 1: the user logs in at 7:00 AM by entering their credentials.
- DAY 2: the user starts usage at 6:55 AM. They are still logged in to the system, and their usage triggers a silent refresh. At 7:00 AM, they are still working without interruption.
- DAY 3: the user doesn’t start until 7:05 AM. The system detects that they no longer have a valid access token, and they are required to enter their credentials and log in.
- DAYS 4-8: the user starts at 7:00 AM. Their access token was silently refreshed each day.
- DAY 9: the 6-day session timeout, which began with the login on day 3, expires. The user is required to log back in by entering their credentials.
Best Practices
Session timeout frequencies should balance convenience and security. Shorter session timeouts generally enhance security, because they log users out more quickly when they are inactive. However, longer session timeouts are less disruptive and more convenient for users, since they reduce how often users are required to log in.
Additionally, if you are using a SAML provider, the session timeout frequency should be matched to your SAML provider.
MFA Management
All password-based Filevine users are required to verify their email and set up at least one additional multi-factor authentication (MFA) method. During login, users must enter a password and a verification code from one of their MFA methods. Learn more about MFA.
In the MFA Management section, Account Admins can decide which MFA methods their users are allowed to set up, and how long users can dismiss MFA on a trusted device.
Allowed MFA Methods
Under the Allowed MFA Methods header, you can see which of the following two methods are allowed for your users. (Email is automatically enabled as a backup method for all users, and cannot be disabled.)
- Text (SMS): sends verification codes to the user via SMS text message.
- Authenticator app: prompts the user for the verification code from an authenticator app on their smartphone (like Okta, Microsoft Authenticator, etc.).
At least one of these methods must be enabled. By default, both are enabled.
To disable a method, click Edit. In the modal that appears, uncheck the method you want to disable. This action causes the other remaining method to be force-enabled—you will not be able to disable that method unless you first re-enable both methods.
For example, if you uncheck Allow Text (SMS) verification, you will not be able to uncheck Allow Authenticator app. To disable the authenticator app method, you’ll first need to re-enable the Text (SMS) method.
Click Save. The disabled method will be deleted for any users who set it up. These users will be required to set up the other method on their next login, if they haven’t set it up already.
Returning to the previous example, users who only set up the Text (SMS) method will be required to set up an authenticator app on their next login.
Allow Device to Be Remembered
Under the Allow device to be remembered header, you can view whether users are currently allowed to “trust” a device (temporarily dismissing MFA prompts on that device), and if so, how long the “trust duration” lasts until they are again prompted for MFA.
If toggled off, users will be required to enter an MFA code every time they sign in.
If toggled on, users will see an option to Remember this device while entering their MFA code. They can select this option to temporarily skip MFA on that device until the trust duration expires.
The trust duration can be as short as 7 days, or as long as 90 days. To set or change the duration, expand the “Trust duration” dropdown to choose the desired interval.
This setting is similar to, but not interchangeable with, the session timeout interval. The session timeout determines how long until the user signs in again, while the MFA trust duration determines how long until they enter an MFA code while signing in.
For example, let’s say the session timeout is set to 5 days, and the trust duration is set to 14 days. On Monday, a user signs in with their password and verification code, and they select Remember this device. The following Monday, their session has timed out, but their trust duration is still active. They sign in with their password only—no MFA code needed.
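The session timeout use case and the trusted-device example above can be replayed in one small simulation. This is an added example, not Filevine code: the renewal rule, the inclusive expiry boundary, the 07:10 sign-in on day 9, the January 2024 dates and the names `simulate`, `at`, `USE_CASE` and `TRUST_CASE` are assumptions chosen to reproduce the article's timelines.

```python
from datetime import datetime, timedelta

ACCESS_TTL = timedelta(hours=24)  # fixed TTL from the article; admins cannot change it

def simulate(events, session_timeout, trust_duration=None):
    """Label each activity time 'refresh', 'password' or 'password+mfa'.

    Assumed model, not Filevine's implementation: activity while the access
    token is valid (expiry instant included) silently renews it for another
    ACCESS_TTL, never past login time + session_timeout. Otherwise the user
    logs in again; MFA is skipped only inside the device-trust window, and
    the user is assumed to tick "Remember this device" at every MFA prompt.
    """
    token_exp = session_end = trust_until = None
    outcomes = []
    for now in events:
        if token_exp is not None and now <= token_exp and now < session_end:
            token_exp = min(now + ACCESS_TTL, session_end)  # silent refresh
            outcomes.append("refresh")
            continue
        # No valid token: a full login starts a new session.
        if trust_until is not None and now < trust_until:
            outcomes.append("password")
        else:
            outcomes.append("password+mfa")
            trust_until = now + trust_duration if trust_duration else None
        session_end = now + session_timeout
        token_exp = min(now + ACCESS_TTL, session_end)
    return outcomes

def at(day, hour, minute):
    """Constructed timestamp: day N of January 2024 (1 January is a Monday)."""
    return datetime(2024, 1, day, hour, minute)

# Use case: 6-day session timeout, device trust off. Day 9 time is constructed.
USE_CASE = [at(1, 7, 0), at(2, 6, 55), at(3, 7, 5)] + \
           [at(d, 7, 0) for d in range(4, 9)] + [at(9, 7, 10)]
# Trust example: 5-day session timeout, 14-day trust, sign-ins on two Mondays.
TRUST_CASE = [at(1, 9, 0), at(8, 9, 0)]

if __name__ == "__main__":
    for when, what in zip(USE_CASE, simulate(USE_CASE, timedelta(days=6))):
        print(when.strftime("day %d %H:%M"), what)
    print(simulate(TRUST_CASE, timedelta(days=5), timedelta(days=14)))
```

With device trust off, every full login in the first timeline is `password+mfa`, which matches the toggled-off behavior described under Allow Device to Be Remembered.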