About authentication validation rules
The Authentication Validation rule set determines whether a given authentication attempt is valid. The following authentication validation rules are available.
Warning: By default, these rules are configured to meet UKG's minimum product security standards. If your organization's rules exceed these standards, your organization's rules will take precedence.
- MFA Authentication Frequency. If users opt to enroll in MFA, this rule determines how often users must log in using a second factor of authentication.
- Number of Failed Logins. Determines the maximum number of failed login attempts that a user can enter. When the number of attempts is exceeded, the user is locked out of the system for a specified length of time. Also, the Locked Out indicator on the user's employee profile changes from No to Yes and an alert icon displays next to the indicator.
- Password Expiration Check. Determines the number of days in which a user’s password expires and how many days in advance to send a notification message.
- Password Reset Timeout. Determines how much time a user has to reset their password once they click the Forgot Password link.
Some authentication validation rule parameters specify security access level values. Depending on the rule, different values may be specified for Low, Medium and High access levels. For details on access levels, refer to About access levels.
To view an authentication validation rule, refer to Viewing authentication rules below.
MFA Authentication Frequency page contents
- Name. The name of the rule.
- ID. The unique ID that is assigned to the rule, for example, AV_MC_4.
- Implementation Class. The category that the rule is assigned to.
- Description. The description of the rule.
- Low. The default value is 7 days. For details on which roles are assigned to the Low access level, refer to About access levels.
- Medium. The default value is every (1) day. For details on which roles are assigned to the Medium access level, refer to About access levels.
- High. The default value is every 4 hours. For details on which roles are assigned to the High access level, refer to About access levels.
- Enabled. Whether the rule is enabled or disabled. The default is Yes.
- Control Logic. Assign or remove rule control logic items. A rule control logic item determines the outcome of the application of the validation rule.
Number of Failed Logins Rule page contents
- Name. The name of the rule.
- ID. The unique ID that is assigned to the rule, for example, AV_MC_2.
- Implementation Class. The category that the rule is assigned to.
- Description. The description of the rule.
- Max # of failed logins. Determines how many login attempts the user is allowed before they're locked out of the system. If a user is locked out, the Locked Out field in the user's Employee Profile changes from No to Yes and an alert icon displays next to the field. Depending on the role's access level, the default may vary.
  - Low. The default value is 5 attempts. For details on which roles are assigned to the Low access level, refer to About access levels.
  - Medium. The default value is 5 attempts. For details on which roles are assigned to the Medium access level, refer to About access levels.
  - High. The default value is 5 attempts. For details on which roles are assigned to the High access level, refer to About access levels.
- Unlock after X Minutes (-1 = never). Determines the duration of time that the user is locked out of the system if Max # of failed logins is triggered. Depending on the role's access level, the default may vary.
  - Low. The default value is 30 minutes. For details on which roles are assigned to the Low access level, refer to About access levels.
  - Medium. The default value is -1. These users must contact a higher role to change their password in order to log in again. For details on which roles are assigned to the Medium access level, refer to About access levels.
  - High. The default value is -1. These users must contact a higher role to change their password in order to log in again. For details on which roles are assigned to the High access level, refer to About access levels.
- Enabled. Whether the rule is enabled or disabled. The default is Yes.
- Control Logic. Assign or remove rule control logic items. A rule control logic item determines the outcome of the application of the validation rule.
Password Expiration Check Rule page contents
- Name. The name of the rule.
- ID. The unique ID that is assigned to the rule.
- Implementation Class. The category that the rule is assigned to.
- Description. The description of the rule.
- Expire after (days). The number of days in which a user's password will expire. Depending on the role's access level, the default may vary.
  - Low. The default value is 90 days. For details on which roles are assigned to the Low access level, refer to About access levels.
  - Medium. The default value is 30 days. For details on which roles are assigned to the Medium access level, refer to About access levels.
  - High. The default value is 30 days. For details on which roles are assigned to the High access level, refer to About access levels.
- Notify (days) before (-1 = never). The number of days before password expiration at which the system sends a notification message to the user. The default is 14 days.
- Enabled. Whether the rule is enabled or disabled. The default is Yes.
- Expire Service Accounts after (days). Administrators must specify a value between 1 and 999 for the number of days in which a service account password will expire. Service accounts are related to the Web Services module; for details refer to Working with Service Accounts.
- Exclude Service Account. Administrators use the Web Services module to add service accounts. Each service account requires a user ID and password. By default, the password expires after 30 days. If the Exclude Service Account option is specified as No, the Password Expiration Check Rule will be applied to service account passwords; if the option is specified as Yes, service account passwords will be excluded from the rule. By default, the option is No. Note that users cannot log in to service accounts using a web browser. For more about service accounts and Web Services, refer to Working with Service Accounts.
- Control Logic. Assign or remove rule control logic items. A rule control logic item determines the outcome of the application of the validation rule.
Password Reset Timeout page contents
- Name. The name of the rule.
- ID. The unique ID that is assigned to the rule.
- Implementation Class. The category that the rule is assigned to.
- Description. The description of the rule.
- Minutes. The number of minutes the user is allowed in order to reset their password after clicking the Forgot Password link. When the limit is reached, a timeout occurs. If the user hasn't reset the password before the timeout, they must start the process over by clicking the Forgot Password link again. Depending on the role's access level, the default may vary.
  - Low. The default value is 60 minutes. For details on which roles are assigned to the Low access level, refer to About access levels.
  - Medium. The default value is 60 minutes. For details on which roles are assigned to the Medium access level, refer to About access levels.
  - High. The default value is 60 minutes. For details on which roles are assigned to the High access level, refer to About access levels.
- Enabled. Whether the rule is enabled or disabled. The default is Yes.
- Control Logic. Assign or remove rule control logic items. A rule control logic item determines the outcome of the application of the validation rule.
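The following Python check is an added example, not part of the product or its documentation. It compares a tenant's configured values with the per-access-level defaults listed above and reports any that are less strict, treating -1 (never unlock) as stricter than any finite lockout. The parameter keys, the dictionary layout and the rule that a smaller value is stricter for every parameter except the lockout duration are assumptions made for the example.

```python
NEVER = -1  # the page's sentinel: "Unlock after X Minutes (-1 = never)"

# Defaults as listed on this page, per access level. MFA frequency is
# normalised to hours; the key names are hypothetical, not product fields.
DEFAULTS = {
    "mfa_frequency_hours":   {"Low": 7 * 24, "Medium": 24, "High": 4},
    "max_failed_logins":     {"Low": 5, "Medium": 5, "High": 5},
    "unlock_after_minutes":  {"Low": 30, "Medium": NEVER, "High": NEVER},
    "password_expire_days":  {"Low": 90, "Medium": 30, "High": 30},
    "reset_timeout_minutes": {"Low": 60, "Medium": 60, "High": 60},
}

# Assumption: a smaller value is stricter, except for the lockout duration.
LONGER_IS_STRICTER = {"unlock_after_minutes"}


def is_weaker(param, configured, default):
    """Return True when `configured` is less strict than `default`."""
    if param in LONGER_IS_STRICTER:
        # -1 means the account never unlocks on its own, which is stricter
        # than any finite duration, so it cannot be compared numerically.
        if configured == NEVER:
            return False
        if default == NEVER:
            return True
        return configured < default
    return configured > default


def audit(configured):
    """Return sorted (param, level, configured, default) tuples below the defaults."""
    findings = []
    for param, levels in DEFAULTS.items():
        for level, default in levels.items():
            # A value missing from the input is treated as left at its default.
            value = configured.get(param, {}).get(level, default)
            if is_weaker(param, value, default):
                findings.append((param, level, value, default))
    return sorted(findings)


# Constructed sample: hypothetical tenant settings, not a product export format.
SAMPLE = {
    "unlock_after_minutes": {"Low": 15, "Medium": 120, "High": NEVER},
    "max_failed_logins": {"Low": 3, "Medium": 5, "High": 10},
    "mfa_frequency_hours": {"High": 2},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("weaker than default: %s [%s] = %s (default %s)" % finding)
```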
Viewing authentication rules
To view an authentication rule, take these steps:
- Click Common Set Up > Rule Management on the main menu. The Rule Management page opens.
- Click the Authentication Validation link. The page opens and the Rules for Authentication Validation Rule Set table displays.
- Click the Name link on the row that identifies the authentication rule. The rule opens.