Security Policy
Each domain has a domain security policy, a set of guidelines designed to protect an organization's information systems and data from security threats. It defines the rules and procedures that employees and systems must follow to ensure the confidentiality, integrity, and availability of information. A well-defined security policy helps mitigate risks, prevent data breaches, and ensure that all organizational members understand their role in maintaining security.
- Minimum Password Length: The minimum number of characters a user must enter when setting a password.
- Maximum Password Length: The maximum number of characters a user can enter when setting a password.
- Require at least one uppercase letter: If turned on by the domain owner, every password must include at least one capital letter (A-Z) as part of its composition. This rule helps increase password complexity and security, making it more difficult for unauthorized individuals to guess or crack the password.
- Require at least one lowercase letter: If turned on by the domain owner, every password must include at least one small letter (a-z) as part of its composition. This rule ensures a mix of character types in the password.
- Require at least one number: Every password must include at least one numerical digit (0-9) as part of its composition.
- Require at least one non-alphanumeric character: Every password must include at least one special character that is neither a letter nor a number. Examples of non-alphanumeric characters include symbols such as !, @, #, $, %, ^, &, *, (, ), -, _, +, =, and others. This rule increases password complexity, making it harder to guess or crack.
- Enable password expiration: If enabled, passwords must be changed after a certain period. This practice helps maintain account security by ensuring that passwords are regularly updated, reducing the risk of compromised credentials being used over long periods.
- Prevent Password reuse: If enabled, users cannot use a previously used password when creating a new one. This rule is implemented to enhance security by ensuring that users create a new, unique password each time they reset or change their password.
- Login Lockout: A measure that temporarily disables user access to an account after a certain number of failed login attempts. This feature is designed to prevent unauthorized access attempts, such as brute-force attacks, by locking the account for a specified period or until further verification.
- Enforce 2FA for the whole domain: All users within the organization's domain must use two-factor authentication (2FA) to access their accounts. 2FA adds an extra layer of security by requiring not only a password (something the user knows) but also a second form of verification, such as a code from an authenticator app. This policy ensures that even if a password is compromised, unauthorized access to accounts is still prevented by the second authentication factor.
- Minimum Password Age (in hours): After users reset the password, they must wait for a period of time (default value: 24 hours) before they can change the password again. Password reset through Forgot Password, using the existing password reset email requested by the user, continues to operate with no limit. Users can enter 0 to disable the functionality.
- Web Session Timeout (in hours): Refers to the total duration that a user session is allowed to be active, regardless of user activity.
- Mobile session expiry time (in hours): The duration that a user’s session on a mobile app or website remains active before automatically logging the user out due to inactivity.
- Desktop session expiry time (in hours): The period after which a user’s session on a desktop application will automatically expire due to inactivity.
- Web session idle timeout (in minutes): This specifically refers to the duration of inactivity after which a session will expire.
- Prevent concurrent active web sessions: Refers to a security policy that restricts users from being logged into the same account from multiple devices or browsers simultaneously.
- Configure IP Whitelisting: Restrict access to your web portal and Bizphone mobile login to only trusted IP addresses. Users need to be careful while performing this action as it will affect the whole domain.
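The password settings above combine into one check that runs on every password change. The sketch below is an added example, not the platform's own code; the field names, the PBKDF2 hashing of the password history and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:  # hypothetical field names mirroring the settings above
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    prevent_reuse: bool = True
    min_age_hours: int = 24  # 0 disables the rule

def pw_hash(password: str, salt: bytes) -> bytes:
    # History holds salted hashes, never plaintext; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_change(policy, new_pw, history, last_changed, now, forgot_password=False):
    """Return the violated rules (empty list = allowed); history is [(salt, hash), ...]."""
    errors = []
    if not policy.min_length <= len(new_pw) <= policy.max_length:
        errors.append("length")
    for name, required, alphabet in (
        ("uppercase", policy.require_upper, string.ascii_uppercase),
        ("lowercase", policy.require_lower, string.ascii_lowercase),
        ("number", policy.require_digit, string.digits),
    ):
        if required and not any(c in alphabet for c in new_pw):
            errors.append(name)
    if policy.require_symbol and all(c.isalnum() for c in new_pw):
        errors.append("non_alphanumeric")
    if policy.prevent_reuse and any(
        hmac.compare_digest(pw_hash(new_pw, salt), old) for salt, old in history
    ):
        errors.append("reuse")
    # Minimum age applies to voluntary changes only, not to the Forgot Password flow.
    too_soon = now - last_changed < timedelta(hours=policy.min_age_hours)
    if policy.min_age_hours > 0 and not forgot_password and too_soon:
        errors.append("min_age")
    return errors

# Constructed sample data: one previously used password, last changed at 09:00.
SALT = b"constructed-salt"
HISTORY = [(SALT, pw_hash("Old-Passw0rd!", SALT))]
CHANGED = datetime(2024, 1, 1, 9, 0)
```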
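The web session settings interact: the idle timeout is reset by activity, while the overall web session timeout is not, and IP whitelisting is checked before either. This added example (not the platform's own code) shows that order of evaluation; the field names, CIDR notation for trusted addresses and the behaviour of an empty list are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class SessionPolicy:  # hypothetical field names mirroring the settings above
    web_session_timeout_hours: int = 12
    web_idle_timeout_minutes: int = 30
    allowed_networks: list = field(default_factory=list)  # assumption: empty = no restriction

@dataclass
class Session:
    created: datetime
    last_activity: datetime
    client_ip: str

def session_decision(policy, session, now):
    """Return 'ok', or the reason the request must be rejected."""
    if policy.allowed_networks:
        ip = ipaddress.ip_address(session.client_ip)
        nets = [ipaddress.ip_network(n) for n in policy.allowed_networks]
        if not any(ip in net for net in nets):
            return "ip_not_allowed"
    # Absolute limit: counted from login, regardless of user activity.
    if now - session.created >= timedelta(hours=policy.web_session_timeout_hours):
        return "session_expired"
    # Idle limit: counted from the last accepted request.
    if now - session.last_activity >= timedelta(minutes=policy.web_idle_timeout_minutes):
        return "idle_timeout"
    session.last_activity = now  # activity resets the idle clock only
    return "ok"

# Constructed sample data using documentation address ranges.
POLICY = SessionPolicy(allowed_networks=["203.0.113.0/24"])
START = datetime(2024, 1, 1, 8, 0)
```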