Passwords and Accounts

The Passwords & Accounts page enables administrators to review and configure settings for user accounts, passwords, physical devices, Remote Desktop Protocol (RDP), authentication requirements, authorized networks, and API Keys.

System Administrators use the Settings > Passwords and Accounts page to configure the authentication options.

NOTE:

You must be logged in as an administrator to view or edit Passwords & Accounts settings.

Access Passwords and Accounts Settings

  1. Navigate to System Administration > Authentication Settings.

  2. Select the Passwords & Accounts tab.

The page includes the following sections:

  • Password Settings

  • User Account Settings

  • Physical Device Authentication

  • RDP Settings

  • Nexus User Settings

  • Authorized Networks

  • API Keys Settings

  • Vendor Representative Settings

Settings display in read-only mode until you edit them.

Password Settings

Password Settings enables administrators to view and configure password requirements for all user types.

NOTE:

Changes to the system password policy apply to new User accounts, or to Users who reset their password.
To review the Password Policies for VPAM, see the Password Policy documentation.

The following password requirements may be enabled:

  • Password cannot resemble User Name or User ID

  • Minimum password length

  • Require uppercase and lowercase letters

  • Require at least one number

  • Require at least one symbol

  • Ban frequently used passwords

  • Require password changes after a specified number of days

  • Prevent users from reusing previously used passwords

Enabled requirements display as selected.

Administrators can configure how often users must change their passwords. Administrators can also prevent users from reusing a specified number of previously used passwords.
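A constructed check that applies the requirements listed above to a candidate password, added here as an example and not VPAM code; the policy field names, the common-password list and the history handling are assumptions for illustration:

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed model of the Password Settings described above (hypothetical
# field names, not the VPAM API). Defaults sit inside the page's allowed ranges.
@dataclass
class PasswordPolicy:
    min_length: int = 8            # page allows 6 to 32 characters
    require_mixed_case: bool = True
    require_number: bool = True
    require_symbol: bool = True
    ban_common: bool = True
    history_size: int = 5          # page allows 1 to 20 previous passwords
    no_resemble_user: bool = True

# Constructed stand-in for a "frequently used passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

def pw_hash(password):
    # Demo-only digest for history comparison; a real history store should hold salted hashes.
    return hashlib.sha256(password.encode()).hexdigest()

def resembles(password, identifier):
    """True if the password contains the user name / user ID or vice versa (case-insensitive)."""
    p, i = password.lower(), identifier.lower()
    return bool(i) and (i in p or p in i)

def check_password(policy, password, user_name, user_id, history=()):
    """Return the list of violated requirements; an empty list means the password is accepted."""
    problems = []
    if policy.no_resemble_user and (resembles(password, user_name) or resembles(password, user_id)):
        problems.append("resembles user name or user ID")
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs uppercase and lowercase letters")
    if policy.require_number and not re.search(r"[0-9]", password):
        problems.append("needs a number")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    if policy.ban_common and password.lower() in COMMON_PASSWORDS:
        problems.append("frequently used password")
    # Only the most recent history_size entries count, matching the configurable reuse window.
    if pw_hash(password) in list(history)[-policy.history_size:]:
        problems.append("reuses a previous password")
    return problems
```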

User Account Settings

User Account Settings enables administrators to view and configure policies that control account lifecycle management and account lockout behavior.

User Account Settings allows you to:

  • Disable Inactive and Not Registered accounts after a custom number of days.

  • Notify users before their account is disabled.

  • Send daily reminder notifications before account disablement.

  • Set the number of failed login attempts allowed.

  • Set the time window during which failed login attempts are counted.

  • Unlock locked accounts automatically after a time limit, or only by manual administrator override.

  • Set the minimum length for a User ID.

Password and Account Policy Limits

The following limits apply when configuring Password Settings and User Account Settings.

Section                  Setting                           Allowed range
-----------------------  --------------------------------  --------------------------
Password Settings        Minimum password length           6 to 32 characters
Password Settings        Password expiration               1 to 732 days
Password Settings        Password history                  1 to 20 previous passwords
User Account Settings    Disable inactive accounts         1 to 1098 days
User Account Settings    Notify users before disablement   1 to 1098 days
User Account Settings    Failed login attempts             1 to 99 attempts
User Account Settings    Failed login time window          1 to 999 minutes
User Account Settings    Automatic unlock time             1 to 999 minutes
User Account Settings    Disable unregistered accounts     1 to 999 days
User Account Settings    Minimum User ID length            1 to 128 characters
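A constructed model of the lockout controls in User Account Settings (failed attempts, counting window, automatic or manual unlock), added here as an example and not VPAM code; the class and setting names are assumptions, and the range checks use the limits table above:

```python
from datetime import datetime, timedelta

# Constructed model of the lockout controls in User Account Settings (hypothetical
# names, not the VPAM implementation). Allowed ranges come from the limits table above.
LIMITS = {"max_failed_attempts": (1, 99), "failed_window_minutes": (1, 999),
          "auto_unlock_minutes": (1, 999)}   # auto_unlock None = manual unlock only

def validate_settings(settings):
    """Raise ValueError for any value outside the page's allowed range."""
    for key, (lo, hi) in LIMITS.items():
        value = settings.get(key)
        if value is not None and not lo <= value <= hi:
            raise ValueError(f"{key}={value} is outside {lo} to {hi}")
    return True

class AccountLockout:
    def __init__(self, max_failed_attempts, failed_window_minutes, auto_unlock_minutes=None):
        validate_settings({"max_failed_attempts": max_failed_attempts,
                           "failed_window_minutes": failed_window_minutes,
                           "auto_unlock_minutes": auto_unlock_minutes})
        self.max_failed = max_failed_attempts
        self.window = timedelta(minutes=failed_window_minutes)
        self.auto_unlock = timedelta(minutes=auto_unlock_minutes) if auto_unlock_minutes else None
        self.failures = {}   # user_id -> timestamps of recent failed attempts
        self.locked_at = {}  # user_id -> time the account was locked

    def is_locked(self, user_id, now):
        locked = self.locked_at.get(user_id)
        if locked is None:
            return False
        if self.auto_unlock is not None and now - locked >= self.auto_unlock:
            self.unlock(user_id)   # automatic unlock once the time limit has passed
            return False
        return True

    def record_failure(self, user_id, now):
        """Register a failed login; return True if this failure locks the account."""
        # Only failures inside the sliding time window count toward the limit.
        recent = [t for t in self.failures.get(user_id, []) if now - t < self.window]
        recent.append(now)
        self.failures[user_id] = recent
        if len(recent) >= self.max_failed:
            self.locked_at[user_id] = now
            return True
        return False

    def unlock(self, user_id):
        """Manual administrator override (also used when the automatic unlock expires)."""
        self.locked_at.pop(user_id, None)
        self.failures.pop(user_id, None)
```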

Physical Device Authentication

Physical Device Authentication enables administrators to offer a physical device as an authentication factor for the server's users. When the Physical Device Authentication feature is enabled, configuring a device is optional for each user. Users can authenticate with the following physical devices:

  • An Android device.

  • Biometric factors built into a computer, such as a fingerprint sensor on a Mac or a facial-recognition webcam on Windows devices.

  • Hardware authentication devices, such as a YubiKey.

NOTE:

If email authentication is required for users to log in, they still need to retrieve an email token when logging in, even with a physical device configured.

Users configure their device with the following process:

  1. Log in and navigate to Admin > My Account.

  2. Select Add Physical Device Authentication in the top right corner of the page.

    If the feature is not enabled, the system does not display this option.

  3. Select the authentication method you want to use.

  4. Follow the prompts to complete the setup.

    You can repeat the process to add multiple authentication methods.

RDP Settings

RDP Settings control the access you have to your customer's assets, specifically drives and printers, during a session. You can also allow your users to override your policy.

Nexus User Settings

Nexus User Settings lets you require Imprivata VPAM to validate that Nexus Vendor Reps satisfied Multi-Factor Authentication (MFA) on their home CPAM server.

CAUTION:

When you select and save Require Multi-Factor Authentication from users, the change immediately requires all Nexus Vendor Reps to have met their home CPAM server's MFA requirements. If your Vendor Reps have not already configured MFA in a way that Imprivata can validate, the system blocks their connection through the Nexus.
It is recommended that you communicate and schedule the MFA enforcement before making this change. Share the Multi-Factor Authentication (MFA) Validation for Nexus Connections document with your Vendors before enforcing MFA.

Authorized Networks

Authorized Networks define the approved IP addresses or ranges from which Internal Users are permitted to authenticate to the VPAM server. Your internal users must therefore be connected to an authorized network to access the server. This setting does not affect external users, such as customers or vendor reps. A similar setting is available to configure networks for Vendors; see the Vendor Networks section of the Vendor Management documentation.

When you configure Authorized Networks, your server does the following when a login attempt occurs:

  • If the source IP address matches a defined network, authentication proceeds.

  • If the source IP address does not match, the system blocks the login or enforces additional policy controls, depending on your configuration.

This control applies at the server authentication layer. It governs access to the VPAM server and, when network restrictions are enforced for API keys, API access as well.

You can use the feature to add single IP addresses or a range of IP addresses.

TIP:

Use a slash (/) instead of typing every IP address in a range, for example XX.XX.XXX.12/24.
This example enters 13 IP addresses, from XX.XX.XXX.12 to XX.XX.XXX.24.
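An added example (not VPAM code) of the login decision described above for a list of single IP addresses and ranges. It assumes standard CIDR notation, where a /24 suffix denotes a 256-address block, which differs from the product's range shorthand in the TIP above; the addresses, the "step_up" label and the attempt records are constructed.

```python
import ipaddress

# Constructed authorized-network list using documentation-range addresses.
# Standard CIDR semantics are assumed here (a /24 covers 256 addresses), which
# differs from the product's range shorthand described in the TIP above.
AUTHORIZED_NETWORKS = ["203.0.113.10", "198.51.100.0/24"]

def parse_networks(entries):
    """Turn single IPs and CIDR ranges into network objects for matching."""
    # A bare address becomes a /32 (or /128) network; strict=False clears host
    # bits, so "198.51.100.12/24" means the block 198.51.100.0/24.
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]

def login_decision(user_type, source_ip, networks, on_mismatch="block"):
    """Decide an internal-user login by its source address, as the page describes.

    on_mismatch is "block" or "step_up" (the additional policy controls the page
    mentions, modelled here as a label). External users are never affected.
    """
    if user_type != "internal":
        return "allow"           # customers and vendor reps are not restricted
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in networks):
        return "allow"
    return on_mismatch

# Constructed login attempts: (user_type, source_ip)
ATTEMPTS = [("internal", "198.51.100.77"), ("internal", "203.0.113.11"),
            ("vendor_rep", "192.0.2.5"), ("internal", "203.0.113.10")]

def evaluate(attempts, entries, on_mismatch="block"):
    """Return (source_ip, decision) for each attempt against the configured list."""
    nets = parse_networks(entries)
    return [(ip, login_decision(kind, ip, nets, on_mismatch)) for kind, ip in attempts]
```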

API Keys Settings

The API Keys Settings enable you to set rules for API Keys in your VPAM server. From this page, you can disable API Keys and set expiration dates for API keys and tokens.

Vendor Representative Settings

The Vendor Representative Settings let you allow self registration for vendor reps, as long as they have an email address in an Authorized Domain. See the Authorized Domain section of the Vendor Management documentation.

You can also configure two optional messages:

Configure the Vendor Representative Settings considering the following:

  • Require approval for Vendor Reps at Login: Vendor Representatives must request access to the system.

  • Require approval for Vendor Reps per Application based on the Application's Department: Vendor Representatives can log in. They must request access for each individual application.

  • Require approval for Vendor Reps per Application based on the Vendor's Department: Self registration requires approval before connecting.

  • No Vendor Rep Approval: Your server is open for any member with the Authorized Domain to access.