Below are all of the security protocols Fuel Cycle has in place for the Community Member experience. If an item is a setting, its default is listed along with the options it can be changed to.
- AWS WAF
- Data encryption in transit (SSL certificate, TLS 1.2)
- Enable SAML SSO (disabled by default)
- Whitelist or blacklist IP addresses (empty by default)
- Whitelist or blacklist email domains for user registration (empty by default)
- Autocomplete for login credentials (enabled by default, can be disabled)
- Login credentials validation—alerts member if their email is associated with a member of the community (enabled by default, can be disabled)
- Log in with Username or Email address (enabled by default, Username can be disabled)
- Passwordless login—emails user login token (disabled by default, can be enabled)
- Antivirus scanning on all file uploads (enabled by default, can be disabled)
- Email address scoring to clean email lists for recruitment (enabled by default, can be disabled but not recommended)
- Email address scoring to prevent signup (enabled by default, can be disabled)
- Email address scoring for reward redemption—members with poor scores are required to verify mobile phone number to redeem a reward (disabled by default, can be enabled)
- Age verification via Veratad (disabled by default, can be enabled for additional cost)
- Session timeout is 60 minutes by default (can be changed to any time in minutes)
- Password security requirement defaults to high (can be changed to other options). More details here.
- Prevent users from reusing a password that was among a set number of their previous passwords (never by default, options are never, 1, 2, 3, 5, or 10 times)
- Lock out users after a certain number of failed logins (5 times by default, options are never, 1, 2, 3, 5, or 10 times)
- Set lockout period after the maximum number of failed login attempts is reached (30 minutes by default, options are 30 minutes, 1 hour, 4 hours, 6 hours, 12 hours, or 24 hours)
- Email campaign auto login links—allows members to log in with a hyperlink sent in a community campaign email (enabled by default, can be disabled)
- Limit the number of autologin clicks allowed from email campaigns (1 click by default, options are 1-5 clicks)
- Mobile verification for reward redemption (disabled by default, options are never, always, or only for suspicious users, as defined by email scoring)
- Flag any data point as PII to prevent sharing data with third-party tools (Fuel Cycle does not send PII to third-party tools by default, can be enabled). More details here.