For Fusion to be compliant with your organisation’s security policies, you can now configure a custom security policy which users must comply with.
Fusion’s default security policy has rules such as a minimum password length of 8 characters and a mixture of uppercase, lowercase, numeric and symbol characters to create secure passwords. However, some clients have a stricter password policy in place and require their users to create more stringent passwords. Additionally, since v24.5 there are further security-related configurations which can be specified, such as a list of words/phrases that can’t be used in passwords.
Setting a security policy
If you wish to enable a security policy for your system, follow the steps below:
- Once logged into Fusion Back Office, navigate to System settings > Logins.
- Click the Security policy button from the top-right of the screen.
- Click the Add policy button from the bottom-left corner of the Security policies window.
- Configure as required:
  - Start date: The date the created policy will be enforced. (Required)
  - Minimum password length: Created passwords must equal or exceed this value. (Minimum 6)
  - Minimum lowercase characters: Created passwords must contain at least this many lowercase (a-z) characters. (Minimum 1)
  - Minimum uppercase characters: Created passwords must contain at least this many uppercase (A-Z) characters. (Minimum 1)
  - Minimum numeric characters: Created passwords must contain at least this many numeric (0-9) characters. (Set to 0 to turn off)
  - Minimum symbol characters: Created passwords must contain at least this many symbol (e.g. £$&*!%@) characters. (Set to 0 to turn off)
  - Login name check: The password must not contain this many sequential characters from the username. For example, if this is set to 5 and the username is ‘admin’, a password of ‘Admin@123’ would not be allowed but ‘Adm@123in’ would be allowed. (Set to 0 to turn off)
  - Minimum password age (days): This setting stops the user from changing their password if the password is not at least this many days old. This is typically used when a policy does not allow a user to re-use any of their most recent (e.g. 5) passwords. Setting this value to 1 would stop a user from changing their password more than once on the same day in an attempt to get back a password they were using previously. Admins can still set a password for the user manually during this period if required. (Set to 0 to turn off)
  - Maximum password age (days): After this many days have passed since the user set their password, they will be forced to change it when they next log in. This does not affect a user logging into the PoS using a PIN, card or fingerprint. (Maximum allowed is 365 days. Set to 0 to turn off)
  - Maximum number of previous passwords: When set, a user cannot re-use any of their last ‘x’ passwords. For example, setting this to 5 would mean that a user cannot use any of their 5 most recent passwords. (Maximum value is 12. Set to 0 to turn off)
  - Account inactivity lockout: When enabled, an account that is logged into the Back Office or the Fusion PoS will be locked when no activity has been detected for the configured number of minutes.
  - Restricted words: Allows you to manage a list of commonly used words/phrases that you do not wish to allow users to use as part of their password. Note: Any logins using any of these words as part of their password will be made to change their password upon their next successful login.
  - Maximum incorrect password attempts: When a user attempts to log in unsuccessfully, their account will be locked after the configured number of failed attempts.
  - Account lockout period: If an account becomes locked, this specifies how long the account will remain locked. Note: An admin user can unlock a locked account manually from within the Logins screen.
- You can test your created password policy on the right-hand side of the window. Once you are happy with the created policy, press the Save button.
- Press Done to complete the process.
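To make the rules above concrete, here is an added example (not Fusion’s own code) of a small policy checker that applies the password composition rules, the login name check, the restricted words list, the password history limit, the minimum/maximum age rules and the failed-attempt lockout exactly as they are described in the settings list. The `SecurityPolicy` class, the function names and the choice of which characters count as symbols are assumptions made for this example; the boundary conditions (a password exactly N days old counts as "N days have passed") are also assumed, as the page does not state them.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta


@dataclass
class SecurityPolicy:
    """One policy record with the settings listed above. Defaults mirror the
    documented default policy (8 characters, mixed case, numeric, symbol);
    the remaining defaults of 0 mean 'rule turned off'."""
    min_length: int = 8
    min_lowercase: int = 1
    min_uppercase: int = 1
    min_numeric: int = 1             # 0 turns the rule off
    min_symbols: int = 1             # 0 turns the rule off
    login_name_check: int = 0        # 0 turns the rule off
    min_password_age_days: int = 0   # 0 turns the rule off
    max_password_age_days: int = 0   # 0 turns the rule off
    max_previous_passwords: int = 0  # 0 turns the rule off
    restricted_words: list = field(default_factory=list)


def _is_symbol(ch: str) -> bool:
    # Assumption: any printable character that is not a letter, digit or space.
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def check_password(policy: SecurityPolicy, username: str, password: str,
                   previous_passwords=()) -> list:
    """Return the list of rule violations; an empty list means the password complies."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.islower() for c in password) < policy.min_lowercase:
        problems.append(f"fewer than {policy.min_lowercase} lowercase characters")
    if sum(c.isupper() for c in password) < policy.min_uppercase:
        problems.append(f"fewer than {policy.min_uppercase} uppercase characters")
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        problems.append(f"fewer than {policy.min_numeric} numeric characters")
    if sum(_is_symbol(c) for c in password) < policy.min_symbols:
        problems.append(f"fewer than {policy.min_symbols} symbol characters")

    # Login name check: no run of N consecutive characters of the username may
    # appear in the password. Compared case-insensitively, so that 'Admin@123'
    # is rejected for user 'admin' as in the worked example in the settings list.
    n = policy.login_name_check
    if n > 0:
        u, p = username.lower(), password.lower()
        if any(u[i:i + n] in p for i in range(len(u) - n + 1)):
            problems.append(f"contains {n} consecutive characters of the login name")

    # Restricted words: case-insensitive substring match (assumed).
    for word in policy.restricted_words:
        if word.lower() in password.lower():
            problems.append(f"contains restricted word '{word}'")

    # Password history. Plain strings are used here only to keep the example
    # self-contained; a real implementation stores hashes and verifies against them.
    if policy.max_previous_passwords > 0:
        recent = list(previous_passwords)[-policy.max_previous_passwords:]
        if password in recent:
            problems.append(f"matches one of the last {policy.max_previous_passwords} passwords")
    return problems


def change_allowed(policy: SecurityPolicy, last_set: date, today: date) -> bool:
    """Minimum password age: the user may not change a password younger than this."""
    if policy.min_password_age_days == 0:
        return True
    return (today - last_set).days >= policy.min_password_age_days


def change_required(policy: SecurityPolicy, last_set: date, today: date) -> bool:
    """Maximum password age: force a change at next login once this many days have passed."""
    if policy.max_password_age_days == 0:
        return False
    return (today - last_set).days >= policy.max_password_age_days


class LockoutTracker:
    """Tracks consecutive failed logins for one account and applies the lockout period."""

    def __init__(self, max_attempts: int, lockout_minutes: int):
        self.max_attempts = max_attempts
        self.lockout = timedelta(minutes=lockout_minutes)
        self.failures = 0
        self.locked_until = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        """Count a failed attempt; return True if this attempt locked the account."""
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_until = now + self.lockout
            self.failures = 0  # a fresh count starts once the lockout expires
            return True
        return False

    def record_success(self) -> None:
        self.failures = 0
```

With `SecurityPolicy(login_name_check=5)`, `check_password(policy, "admin", "Admin@123")` returns the single login-name violation and `check_password(policy, "admin", "Adm@123in")` returns an empty list, reproducing the example in the settings list. The age and lockout helpers take explicit `date`/`datetime` values rather than reading the clock, so the same logic can be exercised in a test or replayed against audit records.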
Managing security policies
After a policy has been configured, you may wish to create a new one, edit an existing one, or remove one and return to the default policy. These options are available within the Security policy screen, which is accessed via the Logins screen discussed above.