Setting Up Login Options

The Login Setup window allows administrators to set login defaults for your firm, such as the mode of authentication (either CCH Axcess or Federation Services), session timeout parameters, and password configuration.

Notes:

New firms and firms using the CCH Axcess or Federation Services method can no longer select to use the Active Directory® method. This method will be removed in the near future. Until then, firms who already use Active Directory® are not impacted by this change.
For firms that prefer to use Active Directory® authentication, we recommend using the Federation Services method. New Federation Services implementations should be the Passive type. The Active type is only available to firms who have previously set up that type.

To set up your login configuration, do the following:

Open Dashboard, click Application Links on the navigation panel, and then click Firm settings and defaults under Firm.
Click Login Setup on the navigation panel.

Select a login mode, and then set the configuration options for that mode.

CCH Axcess.

Component	Description
Session timeout due to inactivity	Select the length of time with no activity before CCH Axcess closes and a new login is required. You can select 20 or 30 minutes.
2-Step Verification configuration	2-Step verification cannot be disabled. Note that the verification process is specific to the user, device, and browser. See FAQs about 2-Step Verification for more information. Select options for the following: SmartPhone Authenticator. By default, all staff members have the option to authenticate by receiving a verification code by text or voice message. Select this check box if you want to allow staff to use an authenticator application supported by CCH Axcess to complete verification. For more details, see SmartPhone Authenticator Overview. Trusted Devices. Specify whether users can set their devices as trusted devices. Select Never trust devices if you want users to complete 2-Step Verification every time they log in from any device. Select Require reauthentication of trusted devices every if you want to allow trusted devices. Then, select the time frame and basis you want to use for determining when users must complete 2-Step Verification again on a trusted device. The time frame can be 7, 15, or 30 days. Select After the last 2-Step Verification as the basis if you want users to reauthenticate on a set schedule. Show me an example. Example: You have selected for users to reauthenticate every 30 consecutive calendar days on their trusted devices. Paula logs in to her new laptop for the first time on September 1 and selects to make it a trusted device. She continues to log in daily on the same device. She will be prompted to complete 2-Step Verification again on October 1. Select After the last valid login as the basis if you want users to reauthenticate when they use a different computer, web browser, or have not logged in to a trusted device for a specified number of days. Show me an example. Example: You have selected for users to reauthenticate 30 days from their last valid login on a trusted device. Harvey logs in and completes 2-Step Verification on his personal laptop for the first time on September 1. He continues logging in daily on this computer through September 10. Each day that he successfully logs in restarts the 30-day time frame. So, while on by September 1 his verification was valid until October 1, on September 10, the 30-day verification window has been extended until October 10.
Password expires after	Set the period of time up to 90 days before user passwords must be changed.
New password cannot repeat the last	Select how frequently a user can recycle an old password. For example, if you enter 6, the staff must change their password 6 times before they can reuse a previous password.
Send Password Expiration email to the users on 5th and 10th day before Password Expiration	Select this option if you want users to receive a reminder email ten and five days before their password is set to expire.
Send Password Change Confirmation email to users	Select this option if you want users to receive a confirmation email when they change their password in their User Options. Note: Users will not receive a confirmation email if they are a first time user and are changing their default password, or if their password has expired.
Password policy	Select whether your firm will use the default password policy or a custom policy. Default policy. Passwords must be at least 8 characters and no more than 32 characters, contain an uppercase letter, a lowercase letter, a number, and a special character. Custom policy. Set the password length. Custom passwords must be at least 8 characters. Note: If you change the password policy, users whose password does not meet the new policy will be prompted to change their password the next time they log in.
Security Questions	Select whether your firm will use the default security questions or a custom set of questions. Security questions are used when a user has forgotten their password. Default security questions. Select this option to use the default list of 15 security questions. Custom security questions. Create 3 to 15 custom security questions. Note: If you change the security questions, users will be forced to change their security questions the next time they log in if their current security questions are no longer included in the new set.

Active Directory®.

Component	Description
Active Directory	If your firm is already setup to use this login method, you can change your session timeout and auto-link settings. Firms using CCH Axcess or Federation Services can no longer change to the Active Directory® method.
Enable auto-link of unmapped AD users to staff based on matching system email address	Select this option to automatically link your AD users to CCH Axcess staff based on his/her email address.

Note: We recommend for firms that prefer to use Active Directory authentication select the Federation Services method.

Federation Services

This option is unavailable until you have selected Enable Pilot mode for Federation login and successfully completed a pilot test by the default system administrator A user account created at installation with full rights and ownership of the organizational structure..

Once you select this option, the Federation Services Login setup window displays. Confirm the settings from the pilot test and click Finish.

Important: Wolters Kluwer may need to make changes to your account to ensure continued access to CCH Axcess after you implement Federation Services. Before beginning Federation Services setup, we recommend reviewing the knowledge base article Planning for Changes to CCH Axcess Login Mode, and then contacting Wolters Kluwer so we can make the necessary changes.

Component	Description
*View current Federation login settings	Firm administrators can select to review the firm's current login setting and also regenerate metadata.
Session timeout due to inactivity	Set the period of inactivity before the session times out; either 20 or 30 minutes.
Enable Pilot mode for Federation login	If your firm needs to update the Federation Services settings, you must pilot test the settings prior to applying the changes. Select if you want to test the Federation login method.
*Configure Federation login settings	Click to review or update your current AD FS settings. Note: When AD FS settings other than certificate settings are changed, metadata should be regenerated and trust should be re-established.
*Regenerate metadata	Regenerate the metadata, if necessary.

Explain the components of the window.

*These options are available after Federation login settings are established.

Click OK to save your changes.

Comparison of Login Options

The following table compares the behavior based on your authentication method.

Notes:

Your firm must already be set up to use the Active Directory® login method. Firms using the CCH Axcess or Federation Services method cannot change to the Active Directory® method.
CCH Axcess defaults to using a secure connection to read from Active Directory®. If your server cannot support secured connections, you must modify the CCH Axcess settings to revert to a standard connection.

		CCH Axcess	Active Directory	Federation Services
				Active		Passive
				On Domain	Off Domain	On Domain	Off Domain
Login window	Users receive a login window when launching CCH Axcess.	Yes*	No	No	Yes*	See note below	Yes**
Password complexity	Passwords must be at least 8 characters and no more than 32 characters, contain an uppercase letter, a lowercase letter, a number, and a special character.	Yes	No	No	No	No	No
Password expiration	You must reset your password at a maximum of every 30 to 90 days.	Yes	No	No	No	No	No
Session timeout due to inactivity	You are prompted to log back in at a maximum of 30 inactive minutes.	Yes	No	Yes	Yes	Yes	Yes
24 hour re-authentication	You are prompted to re-authenticate your credentials after 24 hours, regardless of activity.	Yes	No	Automatic	Yes	Automatic	Yes
Bot detection	You must enter CAPTCHA text with each log in.	Yes	No	No	Yes	No	No
2-Step Verification	You are required to enter a code to authenticate your identity on an initial login, and then reauthenticate at set intervals.	Yes	No	No	No	No	No

* Login window is maintained by CCH Axcess.

** Login window is maintained by Microsoft® Windows®.

Note: For Federation Services Passive mode users that are on domain, the display of a login window depends on the firm's Federation Services settings. For this log in method, firms can require users to provide their network credentials to log in.