Sign-in Policies

Access to this feature can change based on your Quickbase plan. Learn more about feature availability and plans in Quickbase capabilities.

Quickbase lets you set up security around how and when your users access Quickbase applications in your realm. You can:

• Allow sign-in across sessions

• Limit the number of concurrent sessions per user

• Prevent users from signing in after failed sign-in attempts

• Set a timeout limit for sessions

• Specify inactivity timeouts

• Allow access from specified IP addresses only

• Enforce IP restrictions

To set your realm's sign-in policies:

1. On the My Apps page, click Manage name_of_realm, then click the Policies tab.

2. Set the following options in the Sign-In Policies section of the page:

Note: Realm policies, set using the Policies tab, do not apply when an external authentication system is implemented through LDAP or SAML.

Set session limits

Allow sign-in across sessions

You can allow users to access your realm without having to sign in each time. If you select Show "me signed in" option on sign-in then any user can check a box labeled Keep me signed in on this computer unless I sign out (located on the sign-in page). Users who turn this option on do not need to enter a user name and password to gain entry to your realm (unless they sign out).

Note: Allowing users to stay signed in can present a security risk. For example, an unauthorized person might gain access to the user's computer.

Limit the number of concurrent sessions

Realm admins can limit the number of concurrent active user sessions (separate times a user logs in to Quickbase). For example, if a realm admin sets a session limit of 3 and a user opens a fourth session, the oldest session will close automatically. This session limit can be set under sign-in polices on the Policies tab of the Manage Realm page.

Specify inactivity timeouts

You can set inactivity timeouts for active user sessions. Specify how many minutes of inactivity are allowed before a user is logged out, with a minimum time of 5 minutes. Users will be notified 60 seconds before their idle session closes.

On the realm policies page, under Sign In policies, select Enable timeout for inactivity and enter a time limit. The inactivity timeout setting applies to web browser sessions and mobile app sessions.

Set session expiration

With session expiration, Quickbase automatically closes out after the time limit you specify. This session expiration is not tied to inactivity. It’s meant to prohibit users from remaining signed in for long periods.

The session timeout requires users to sign in at any interval you choose. The session timeout is set to a default of 720 minutes (12 hours). You can change this at the realm level.

You can specify a session timeout that applies to all users in the Expire sessions after ____ minutes.

Limit sign-in retries

As Realm admin, you can define the number of times users are allowed to try to sign in to Quickbase with an incorrect user name/password combination. You can configure your Realm so that it locks a user's account after a specified number of failed sign in attempts. You can specify:

• The amount of time, in minutes, an account should remain locked. (The default is 10 minutes).

• The number of failed sign-in attempts that should result in an account lock out. (The default is 10 failed login attempts).

Note that, if you change how long an account should remain locked, your changes take effect immediately. So, if a user has been locked out of the system for 2 minutes, and you change the lock out time from 3 minutes to 10 minutes, the user will be locked out of their account for 8 minutes more.

If you want, you can configure your realm so that users are never locked out of their account. If you enter 0 for the amount of time an account should remain locked, the user will never be locked out, regardless of the number of failed sign-in attempts.

Require two-step authentication

With two-step authentication, a user signing in to Quickbase must provide two means of identification from separate categories of credentials: username/password combination and a security code provided via email. When this option is enabled, if the user enters a valid username and password, they are then prompted to enter their security code.

Setting SAML timeout session time

Quickbase SAML assertions support the certificate NotOnOrAfter attribute so IdP providers can control user session time.

You can control the session timeouts through the NotOnOrAfter attribute of your X.509 certificate or through the Quickbase Admin Console, on the Policies page.

If your certificate contains the NotOnOrAfter attribute, Quickbase uses that attribute for the session timeout. If not, then Quickbase uses your realm policies. If the realm-defined policies have not been set, Quickbase follows the default configuration of 720 minutes.

Allow access from IP addresses

You may restrict access to apps in your realm by entering a set of IP ranges here and requiring IP filtering at the app or realm level. You would typically do this so that only users signed into your corporate network could access some or all of your apps. IP addresses should be entered as a comma-separated list in Classless Inter-Domain Routing (CIDR) notation: xxx.xxx.xxx.xxx/yy

If this box is empty, any settings for requiring IP filtering at the realm or app level will have no effect.

Enforce IP restrictions

Select this option to limit access to Quickbase to users signing in from the IP address(es) specified in Allow access from IP addresses.

Related topics:

• Set realm password policy

• Deny access to your realm

• Set general user access levels in your realm

• Authenticate with LDAP