As part of our initiative to make HappyFox more secure, we have introduced new features that aim at preventing unauthorized access to the application.
The following features are now available for all HappyFox users (contacts and staff):
HappyFox enforces a temporary 60-minute lockout period if a staff member or contact enters invalid credentials 5 times consecutively. The login screen displays the number of attempts remaining before a lockout is triggered.
Unsuccessful staff login
Unsuccessful contact login
In the event of a lockout, the agent/contact is automatically notified via email. The email contains the following information for the last successful login and for the past 5 unsuccessful login attempts:
Operating System details
Once an account is locked out, the agent/contact can do either of the following:
Wait for 60 minutes so that the account lock is automatically released
Send an automated email request to the administrator(s) requesting a manual unlock
When an agent/contact is locked out of HappyFox, their active HappyFox sessions remain unaffected. New sessions, i.e., new login attempts, will be restricted (including SSO logins).
Manual account unlock request for contact
This action is available to all agents who have the “Unlock Staff” managerial permission.
Staff who have been locked out of HappyFox can be identified by the lock icon against their names on the Manage >> Staff page. On clicking unlock, a confirmation popup is shown. After a successful unlock, the staff member receives an email notification that their account has been unlocked by the administrator.
This action is available to all agents who have the “Unlock Contact” managerial permission.
Contacts locked out of HappyFox can be identified by the “lock” icon against their names on the Contacts list page. On opening the details page of the contact, the “unlock” action will be visible.
Contact list page in HappyFox classic
Contact detail in HappyFox classic
Contact list page in the new version of HappyFox
Contact detail page in the new version of HappyFox
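The lockout and unlock rules described above (5 consecutive failures, a 60-minute lock, automatic release, permission-gated manual unlock), modelled as an added example. This is not HappyFox's code; the class, method and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_ATTEMPTS = 5                     # consecutive invalid logins allowed (from the article)
LOCKOUT = timedelta(minutes=60)      # temporary lockout period (from the article)

@dataclass
class AccountState:                  # hypothetical per-account record
    failures: int = 0
    locked_until: Optional[datetime] = None

class LockoutPolicy:
    """Gates NEW login attempts only; sessions that are already active are not touched."""

    def __init__(self):
        self.accounts = {}           # username -> AccountState
        self.notified = []           # stand-in for the lockout notification email

    def is_locked(self, user, now):
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until and now >= st.locked_until:
            st.failures, st.locked_until = 0, None   # automatic release after 60 minutes
        return st.locked_until is not None

    def attempt(self, user, credentials_ok, now):
        """Return (allowed, attempts_remaining) for a new password or SSO login."""
        if self.is_locked(user, now):
            return False, 0          # rejected even if the credentials are now correct
        st = self.accounts[user]
        if credentials_ok:
            st.failures = 0          # only *consecutive* failures count toward the lock
            return True, MAX_ATTEMPTS
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT
            self.notified.append(user)
        return False, MAX_ATTEMPTS - st.failures

    def unlock(self, user, actor_permissions, needed="Unlock Staff"):
        """Manual unlock by an agent who holds the required managerial permission."""
        if needed not in actor_permissions:
            raise PermissionError(needed)
        self.accounts[user] = AccountState()
```

The `attempts_remaining` value is what a login screen would display; returning 0 while locked keeps the response identical for correct and incorrect credentials.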
In addition to the lockout mechanism, unsuccessful login attempts on both the contact and staff login screens will now ask the user to verify themselves via a captcha flow. The captcha flow is powered by Google’s reCAPTCHA service, which uses an advanced risk analysis engine. This helps prevent automated malicious login attempts.
Successful captcha verification in Staff login page
reCAPTCHA asking for user verification during contact login