Company login settings

Control who can log in, how they log in, and the duration of their session.

To change your company security features and settings, go to Company > Setup > Configuration > Company > Security tab, then select Edit.

Timeout settings

You can control two different timeout settings:

  • Default inactivity duration: On a company-wide level, the admin determines how long all users can remain inactive before they are automatically logged out. Users receive an alert when one minute of the inactivity duration remains.
  • Default session duration: On a company-wide level, the admin determines how long all users can be logged in for any session before they are automatically logged out, regardless of their activity. Users receive an alert when one minute of the session duration remains.
Each user can extend their inactivity and session durations beyond the default value set by the admin. However, the admin can set the Maximum field for each setting to determine the extent to which users can extend their session duration settings. In addition to the timeout alerts described above, some browsers enable you to set desktop notifications.

To set a timeout:

  1. Set the Default inactivity duration using the hours and minutes dropdowns.
  2. Optionally, set the Maximum inactivity duration allowed for all users in your company.
  3. Set the Default session duration using the hours and minutes dropdowns.
  4. Optionally, set the Maximum session duration allowed for all users in your company.
  5. Save your changes.

About timeout alerts

Users who are nearing the end of their session or inactivity duration receive alerts in time to save their work and easily log back in if needed:

  • Inactivity timeout alert: Your users receive an alert one minute before the inactivity duration is reached. Users can select Stay logged in, or Log out, or they can do nothing, depending on where they are in completing their work.
    • Stay logged in: Your session remains open and users can continue to work in their company.
    • Log out: The session ends and the login page appears.
    • Do nothing: The session ends when the inactivity duration is reached.
  • Session timeout alert: Your users receive an alert to save their work when the session duration has one minute remaining. When the session duration ends, users are logged out.
  • Desktop notifications: Switching to another tab or application could hide timeout notifications. Most browsers enable desktop notifications if you grant permission to do so. Those notifications then appear on your desktop.
  • If your browser provides notification options, set the permission from your user preferences page in your company, or you can set the permission directly in your browser settings page.

    To enable desktop notifications from your user preferences page:

    1. Select the dropdown from your username at the top of your company page.
    2. Select My preferences. Your preferences page appears.
    3. If your browser provides the notifications option, you'll see a link under the Timeout settings. Select Enable browser notifications.... A pop-up appears on your browser page.
    4. After you grant permission, the link to enable desktop notifications is replaced by the text: Notification alerts will appear whenever your session is about to time out.

    Managing your desktop notifications

    The process of managing permissions can vary from browser to browser. This example is for managing notification permissions in Chrome.

    To manage notifications in a Chrome browser:

    1. Select the three vertical dots in the upper right and select Settings.
    2. Select the Privacy and security tab.
    3. Select Site settings.
    4. In the Permissions section, select Notifications.
    5. Scroll to the Customized behaviors section.
    6. In the Allowed to send notifications option, select Add.
    7. In the Site field, enter intacct.com.
    8. Select Add.

Password settings

You can customize aspects of the Sage Intacct password policy to suit the needs of your business. See Password policy and requirements for more information about the Sage Intacct password policy. Customizable password policy components include:

Password field descriptions
Field Description

Reset password

Defines how long a password lasts before you must change it. Your options range from as infrequently as yearly to as often as weekly.
An admin can override this option for specific users in their user information, but it should only be overridden for users with integrations or API applications that rely on an Intacct user ID and password for connectivity.

Minimum length

Defines how long an accepted password must be. The minimum requirement is eight characters.

Prevent reuse of passwords

Select the number of recent passwords that a user cannot reuse when they reset their password. The minimum requirement is that users cannot reuse the last three passwords.

To set your password settings:

  1. In Reset password, select a value from the dropdown to set the frequency at which users must change their Sage Intacct passwords.

    You can require users to change their passwords every week, once a year, or somewhere in-between. Your choice depends on your work environment, number of employees, employee rotation, organizational policy, and so on. You can easily change this frequency at any time.

    If you have an integration or API application that relies on an Intacct user ID and password for connectivity, go to the Users list (Company > Admin > Users) and edit the user associated with the integration.

    For that user only, select the option to Keep my password until I reset it on the User information tab to avoid any connectivity problems. See Field descriptions: User information and Password policy and requirements for more information.

  2. For Minimum length, select the minimum number of characters required to create a password. The minimum requirement is eight characters.
    Password requirements: Each password must:
    • Be at least eight characters long AND
    • Contain at least one number, one lowercase letter, one uppercase letter, and one special character.

    For instance, 1$g*1LHd would be accepted as a strong password. See Password policy and requirements for more information.

  3. In Prevent reuse of previous passwords, select the number of recent passwords that cannot be reused when resetting a password.
    You can prevent the reuse of the last 3-20 passwords created by a user.
  4. Save your changes.

Login attempts

You also control what happens to users during failed login attempts and password reset attempts.

To set your login and reset attempt settings:

  1. In Maximum login attempts per day, choose the maximum number of login attempts allowed in a 24-hour period before the user is locked out. A successful login resets the failed attempt counter. This setting applies to all users.
    After Intacct locks out a user, only an administrator can unlock the user.
  2. For Maximum reset attempts per day, select the maximum number of reset attempts that can be tried by a user in a 24-hour period. You can set the number of reset attempts to between 1-10 attempts.
    When the number of attempts is exceeded for the period, only the administrator can reset the password until the period is over. Then, the user can try again.
  3. Set the Maximum number of verification attempts for a password reset.
    This is the maximum number of times the incorrect information can be entered in a password reset attempt. When the limit is reached, Intacct locks the account for 24 hours.
  4. Save your changes.

Enforce IP address filters

For extra security, you can enforce IP address filters. Enforcing address filters means only locations with known IP addresses (such as those coming from your corporate office) can be used to log in to your Intacct company. When you enforce IP address filters, any login that does not come from the list of allowed IP addresses is denied, preventing login attempts from unknown locations.

Your options are:

  • None: Users can log in from anywhere.
  • Enforce at company level: All users can only log in from the specified range of IP addresses for your company.
  • Enforce at company level and override at user level: Users can log in either from the company range of specified IP addresses or from any of the IP addresses specified in their user IP address filters.
  • Enforce at user level: Users can only log in from any of their individual, specified IP addresses.
If IP address filtering is turned on and a user is unable to log in to Sage Intacct, select the pencil icon to the right of the dropdown menu. Make sure that the user's IP address appears in the list of allowed IP addresses.

To add approved IP addresses:

  1. Select the pencil icon in the Enforce IP address filters section.
  2. In the IP Address Filter Information pop-up, select Add.
  3. Add an IP address or IP address range. To enter a single address (rather than a range), simply enter the same IP address in the Start IP address and End IP address fields.
    • For company-level: Only enter the IP address or address range. Do not select a Username.
    • For user-level: Select the Username, and enter the IP address or address range.
      You can add more than one IP address filter per user. For example, if your CFO logs in from two different locations, add two records to your IP address list. Add one record for each IP address, and select the CFO's Username for both records.
  4. Save your changes.
    If you enable IP filtering without creating the appropriate filters, a user can access your Sage Intacct company regardless of their IP address. For example, if you choose Enforce at company level, but you do not create a filter for the company range, then Intacct does not enforce IP address filtering. The IP address filtering is not enforced because it does not have an IP address range to check. The effect is the same as if you set IP address filtering to None.

Enable two-step verification

Add an extra layer of security to your account with two-step verification.

When a user logs in, they'll need to enter a verification code they receive via an authenticator app, text, or phone call. This code is entered in addition to the user ID and password.

If a user routinely logs in from a computer that only they use, they can identify it as a trusted device and skip this extra step in the future. For more information, go to Set up two-step verification.

You can set up both SSO and 2-step verification for your company for extra security. If your company is already enabled for SSO, users who access Intacct via their SSO identity provider will bypass 2-step verification. However, if a user is not configured for SSO and is logging in directly to Intacct, they will be forced to use 2-step verification.

Enabling both features gives you an extra layer of protection for your account. For example, if your SSO system was temporarily unavailable, your Intacct admin might need to log in to Intacct, and to prove their identity, would go through 2-step verification.

To enable two-step verification:

  1. Select the Enable 2-step verification checkbox.
  2. Require verification codes for Selected users or All users.
    Verification options
    Field Description

    Selected users

    Select if you want to require verification for only selected users.

    To enable 2-step verification for selected users, go to Company and select Users. Then, select Edit and enable 2-step verification for each user.

    All users

    Select if all users must enter a verification code.

  3. (Optional) Select the Do not allow trusted devices checkbox to disallow users from identifying trusted devices. Trusted devices include laptops or mobile phones that can save login information and can log in automatically without having to enter a username, password, or verification code.

    When Do not allow trusted devices is checked, the user is always required to enter a verification code when they log in. The verification code could be sent by text, authenticator, or phone call.

    If a user previously received a verification code by text or phone call, they will be prompted to set up the app as their primary method of receiving the code.

  4. Save your changes. Users will receive an email notification that 2-step verification has been enabled for their company.

Field descriptions

Timeout field descriptions
Field Description

Default inactivity duration

The first 2 pick lists set the standard hours and minutes a user session can remain inactive before Intacct automatically logs out the user. Because this setting can be adjusted in the user configuration, the third column limits the maximum number of hours a user can set for their session time-out. Users receive an alert when one minute of the inactivity duration remains.

Default session duration

Unlike inactivity duration, which affects an inactive session, login timeout is a fixed limit regardless of the users' activity. The first 2 pick lists set the standard hours and minutes a user can remain logged in before Intacct automatically logs out the user. Because this setting can be adjusted in the user configuration, the third column limits the maximum number of hours a user can set for their timeout. Users receive an alert to save their work one minute before the session duration ends.

Password field descriptions
Field Description

Reset password

The time period after which a user must reset their password. You can override this option on the user configuration page for users with integrations, or API applications that rely on an Intacct user ID and password for connectivity.

Minimum password length

Set the minimum password length to be between 8-12 characters. The default is 8 characters.

Prevent reuse of previous passwords

Choose between 3-20 for the number of recent passwords that cannot be reused when resetting a password.

Login attempts field descriptions
Field Description

Maximum login attempts per day

The number of failed login attempts a user can make in a 24-hour period before Intacct locks them out. Choose between 1-20 login attempts before being locked out. The recorded number of attempts resets after a successful login. After Intacct locks out a user, only an administrator can reset user status from Locked out to Active. This setting applies to all users.

Maximum reset attempts per day

The number of attempts that can be tried by a user in a 24-hour period. You can set the number of reset attempts to between 1-10 attempts.

Maximum number of verification attempts for a password reset

This is the maximum number of times the incorrect information can be entered in a password reset attempt. When the limit is reached, Intacct locks the account for 24 hours.

Enforce IP address filters field descriptions
Field Description

Enforce IP address filters

When you enforce IP address filters, any login that does not come from the list of allowed IP addresses is denied. Denying these logins adds an extra level of security by preventing login attempts from unknown locations. You can specify ranges of known IP addresses for your company, allowed IP addresses for each user, or a combination of both.

You can enforce IP address access in these ways:

  • None: Users can log in from anywhere.
  • Enforce at company level: All users in the company are restricted to logging in from the range or ranges of IP addresses that you specify.
  • Enforce at company level and override at user level: Users can log in either from the company range of IP addresses or from one or more IP addresses specified in their IP address filters. For example, you can specify that everyone log in from the office. You can then allow your CFO to log in either from the office or from home. In this case, the CFO needs 2 filters: 1 for the office and 1 for home.
  • Enforce at user level: Each user must have an IP address filter with a specific address. Users who do not have an explicit IP address filter cannot log in. Individual IP filters are required for login, even within the office range.
When Enforce IP address filters is enabled, and a user cannot log in, verify that their IP address is listed in the allowed addresses. Select the pencil icon next to the dropdown menu and verify their IP address.
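
The four enforcement modes above, together with the no-filter caveat from the Enforce IP address filters section, modelled as an added Python example for reviewing a filter list before you switch modes; this is not Sage Intacct code. The IpFilter record, the function names, and the sample addresses and usernames are assumptions made for illustration, and the handling of the override mode when no filters exist is this example's reading of that caveat.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Mode strings copied from the dropdown options described on this page.
NONE = "None"
COMPANY = "Enforce at company level"
OVERRIDE = "Enforce at company level and override at user level"
USER = "Enforce at user level"

@dataclass(frozen=True)
class IpFilter:                      # hypothetical record, one per filter row
    start: str
    end: str                         # same as start for a single address
    username: Optional[str] = None   # None = company-level filter

    def contains(self, ip: str) -> bool:
        lo, hi, x = (ipaddress.ip_address(v) for v in (self.start, self.end, ip))
        return lo.version == x.version == hi.version and lo <= x <= hi

def login_allowed(mode, filters, username, ip):
    """Model of the allow/deny rules as this page words them."""
    company = [f for f in filters if f.username is None]
    own = [f for f in filters if f.username == username]
    if mode == NONE:
        return True
    if mode == COMPANY:
        # No company range means nothing to check: not enforced (page caveat).
        return not company or any(f.contains(ip) for f in company)
    if mode == OVERRIDE:
        # Assumption: the caveat applies here only when no filter exists at all.
        return not filters or any(f.contains(ip) for f in company + own)
    if mode == USER:                 # users without their own filter are denied
        return any(f.contains(ip) for f in own)
    raise ValueError(f"unknown mode: {mode!r}")

def audit(mode, filters, usernames):
    """Return findings for the misconfigurations the page describes."""
    findings = []
    company = [f for f in filters if f.username is None]
    if mode == COMPANY and not company:
        findings.append("FAIL-OPEN: company-level mode with no company range")
    if mode == OVERRIDE and not filters:
        findings.append("FAIL-OPEN: no filters defined")
    if mode == USER:
        covered = {f.username for f in filters}
        findings += [f"LOCKED-OUT: {u} has no user filter"
                     for u in sorted(set(usernames) - covered)]
    return findings

# Constructed sample data (documentation address ranges, made-up usernames).
FILTERS = [IpFilter("203.0.113.0", "203.0.113.255"),
           IpFilter("198.51.100.7", "198.51.100.7", "cfo")]
USERS = ["cfo", "clerk"]
```

Run audit() against the mode you intend to select before saving it, and use login_allowed() to confirm that each user's expected address passes.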

Enable two-step verification field descriptions
Field Description

Enable verification at login

Add a layer of security to your account. When a user logs in, they need to enter a verification code they receive via an authenticator app, text, or phone call. This code is entered in addition to the user ID and password. If a user routinely logs in from a computer only they use, they can identify it as a trusted device and skip this extra step.

For more information, see Setup 2-step verification.

You can set up both SSO and 2-step verification for your company for extra security. If your company is already enabled for SSO, users who access Intacct via their SSO identity provider will bypass 2-step verification. However, if a user is not configured for SSO and is logging in directly to Intacct, they will be forced to use 2-step verification.

Enabling both features gives you an extra layer of protection for your account. For example, if your SSO system was temporarily unavailable, your Intacct admin might need to log in to Intacct, and to prove their identity, would go through 2-step verification.

Selected users

Select individual users who must enter a verification code at login. To enable selected users, go to Company > Admin > Users. Then select Edit, and enable 2-step verification for each user.

All users

Select to require that all users enter a verification code at login.

Do not allow trusted devices

After selecting Enable 2-step verification, you can select Do not allow trusted devices for higher security. Every time a user logs in, they'll need to enter a verification code they receive via an authenticator app. This code is entered in addition to the user ID and password.