Differences

This shows you the differences between two versions of the page.

admin:security [2026/05/18 06:19] – Initial content claude
admin:security [2026/05/23 10:27] (current) – Add signup rate limiting section claude
Line 7: Line 7:
 ==== Enabling MFA (user) ==== ==== Enabling MFA (user) ====
  
-  - Log in and go to **My Profile → Security**+  - Log in and go to **My Profile -> Security**
   - Click **Enable MFA**   - Click **Enable MFA**
   - Scan the QR code with your authenticator app   - Scan the QR code with your authenticator app
Line 16: Line 16:
  
 If a user is locked out of their account (lost authenticator): If a user is locked out of their account (lost authenticator):
-  - Navigate to **Admin → Users → [User] → Security** +  - Navigate to **Admin -> Users -> [User] -> Security** 
-  - Click **Reset MFA** — this removes the TOTP secret+  - Click **Reset MFA** -- this removes the TOTP secret
   - The user can re-enrol MFA on next login   - The user can re-enrol MFA on next login
 +
 +===== Signup Rate Limiting =====
 +
 +LEAST automatically rate-limits signup attempts to prevent automated account creation.
 +
 +  * More than **10 signup attempts** from the same IP address within a **60-minute window** are blocked
 +  * **Disposable email domains** (30+ known providers including Mailinator, Guerrilla Mail, 10 Minute Mail, and similar services) are rejected at signup
 +  * Blocked attempts receive a generic error message -- no indication is given that the IP or domain is specifically blocked
 +
 +This requires no administrator configuration and is always active. If a legitimate user behind a shared or corporate IP is being incorrectly blocked, check **Admin -> Audit Log** filtering for signup events from that IP.
  
 ===== Session Security ===== ===== Session Security =====
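Review bot: the new Signup Rate Limiting section documents how to confirm a false positive (Admin -> Audit Log, filtered on signup events from the IP) but not how to resolve one, and since it states the limit is "always active" with "no administrator configuration", the page should say explicitly whether a blocked shared or corporate IP simply waits out the 60-minute window or whether an allowlist or manual reset exists. Two further gaps an admin will hit: state how the client IP is determined when LEAST runs behind a reverse proxy or load balancer (if the forwarded address is not used, every signup appears to come from the proxy's IP and the 10-attempt limit will block all users at once), and say whether the "30+ known providers" disposable-domain list is fixed per release or can be extended, so admins know where to look when a legitimate domain is rejected.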
Line 35: Line 45:
   * Badge issuance   * Badge issuance
  
-To view the audit log: **Admin → Audit Log**. Filter by user, date range, or action type.+To view the audit log: **Admin -> Audit Log**. Filter by user, date range, or action type.
  
 ===== Data Retention & GDPR ===== ===== Data Retention & GDPR =====
  
   * User data is retained indefinitely unless a deletion request is received   * User data is retained indefinitely unless a deletion request is received
-  * To anonymise a user's data (GDPR right to erasure): **Admin → Users → [User] → GDPR Wipe**+  * To anonymise a user's data (GDPR right to erasure): **Admin -> Users -> [User] -> GDPR Wipe**
   * This replaces personal data fields with ''****'' while preserving the audit trail structure   * This replaces personal data fields with ''****'' while preserving the audit trail structure
   * Collection records can be individually wiped via the [[developer:api|API]] using the ''gdprwipe'' function   * Collection records can be individually wiped via the [[developer:api|API]] using the ''gdprwipe'' function