Security

Two-Step Verification

Two-step verification uses an auto-generated Time-Based One-Time Password (TOTP) security token to add an extra layer of protection on top of your username and password. You can receive two-step verification codes at your Contrast-associated email address, or generate them with the Google Authenticator mobile application, which is available on the following devices:

Administrator Set Up

Two-step verification is controlled at three levels: System, Organization and User.

The System Administrator can enable or disable the feature using a radio button by going to System Settings > Security > Two-Step Verification. If two-step verification is on, the Organization Administrator may choose whether or not to require the feature for users. If you'd like to allow an Organization Admin to override this choice, check the box to Allow organization override.

Organization Administrators can go to Organization Settings > Security > Two-Step Verification and use the radio button to require users to set up two-step verification. If users are required to set up the feature, a lock icon indicates that they can't change the setting. If users aren't required to set up the feature, each user can toggle it on or off.

Check the box for Google Authenticator or Email to set your notification method.

Note: If a user belongs to multiple organizations, their default organization determines their two-step verification settings.

User Onboarding

Required setup

If two-step verification is enabled and required, the user is onboarded the next time they log in.

The user receives a message explaining that their administrator requires the feature. The user can click the link to Learn More about two-step verification, why it's needed and how it works. The user can also go directly to the setup process by clicking the button to Get Started.

Optional setup

If two-step verification is enabled but not required, the user is prompted to begin onboarding the next time they log in; however, they can opt out of the process by clicking the No Thanks link. The user won't receive this prompt at future logins.

To learn more about the user setup process, go to the Login and Password article.

IP Restrictions

Restrict which IP addresses can access your Contrast account by going to the User Menu > Organization Settings > Security tab > IP Restrictions section.

In the IP Address/Subnet Mask field, add a single IP address or a range of IP addresses using Classless Inter-Domain Routing (CIDR) notation. Your selections affect both browser and API access. To add another set of IP addresses, click the link to Add IP Address. Once you're finished, click the button to Save your choices.

Audit Log

Contrast captures activity about all user sessions, including changes to settings or licenses and actions on vulnerabilities. To see the log of activity in your organization, go to the User Menu > Organization Settings > Security tab, and click the link at the top of the page to View Audit Log.

The grid shows the date of each activity and a message including the user's name and the action they took. Use the search and date control fields to find specific events within the log.

Once you've found the information you need, use the x icon at the top of the page to exit the log and return to the main Security page.

Password Policy

To regulate passwords within your organization, go to the instructions for setting up a Password Policy. You must be a SuperAdmin to configure the default policy in System Settings or an Organization Admin to manage the policy in Organization Settings.