Password Policy & Two-Factor Authentication (2FA) Configuration

This article explains how administrators can configure Password Policies and Two-Factor Authentication (2FA) in Meritto to enhance applicant account security. These configurations ensure that applicants follow consistent password rules and complete required verification steps during login and password reset.

Overview

Meritto enables administrators to define security standards for applicant authentication. With these settings, you can:

  • Enable two-factor authentication for additional login security

  • Enforce password complexity requirements

  • Maintain consistent password rules across all forms and login points

  • Ensure secure and structured flows for password change and reset

All password policy configurations are applied globally across the applicant ecosystem.

Pre-Requisite Permission

To configure these settings, the admin user must have the following permission:

  • Permission Name: Allow user to view and edit Form and Application settings

Two-Factor Authentication (2FA)

Two-Factor Authentication adds an extra verification step during applicant login and password reset to prevent unauthorized access.

Available Modes

  • 2FA via Email – Sends a one-time password (OTP) to the applicant’s registered email address

  • 2FA via Mobile Number – Sends a one-time password (OTP) to the applicant’s registered mobile number

You may enable either option or both, depending on your institution’s security requirements.

What Happens When 2FA Is Enabled

Once enabled:

  • Applicants logging in with a password must verify the OTP before accessing their account.

  • Applicants using the Forgot Password option must complete OTP verification before setting a new password.

  • OTP verification becomes mandatory wherever password-based login is used.

How to Configure 2FA

  1. Navigate to Applicant Login Settings.

  2. Enable Two-Factor Authentication.

  3. Choose one of the options:

    • 2FA via Email

    • 2FA via Mobile Number

  4. Save the configuration to apply the changes.


Password Policy Levels

Password policies define the rules applicants must follow when creating or resetting their passwords. Administrators can choose from four predefined levels.
  • Low (Default) – Rules: Minimum 8 characters. Use case: Basic protection; applied as a default setting.

  • Medium – Rules: Minimum 12 characters + Mixed case. Use case: Suitable for institutions requiring stronger protection.

  • High – Rules: Minimum 12 characters + Mixed case + Special character + Number. Use case: Highest preset security level for institutions with strict compliance needs.

  • Custom – Rules: Configurable minimum length (8–32), optional mixed case, special character, number, and “restrict last 3 passwords”. Use case: Allows institutions to define their own password rules.


Forgot Password / Change Password Behavior

Whenever an applicant attempts to change or reset their password, the selected password policy is enforced. Applicants can only set a password that meets the configured policy rules.
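As an added illustration (not Meritto's own code), the four policy levels from the table above and the enforcement on change/reset described here can be modelled as a small validator; the class and function names, the preset encoding, and the salted PBKDF2 storage of the password history are assumptions:

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8            # Custom level allows 8-32
    mixed_case: bool = False
    special_char: bool = False
    number: bool = False
    restrict_last_3: bool = False  # reject any of the applicant's last 3 passwords

# The three preset levels from the table (assumed encoding, not Meritto's).
LEVELS = {
    "Low": PasswordPolicy(min_length=8),
    "Medium": PasswordPolicy(min_length=12, mixed_case=True),
    "High": PasswordPolicy(min_length=12, mixed_case=True, special_char=True, number=True),
}

def custom_policy(min_length, mixed_case=False, special_char=False, number=False, restrict_last_3=False):
    # Custom level: minimum length must stay within the 8-32 range.
    if not 8 <= min_length <= 32:
        raise ValueError("custom minimum length must be between 8 and 32")
    return PasswordPolicy(min_length, mixed_case, special_char, number, restrict_last_3)

def _digest(password, salt):
    # Password history must hold salted, slow hashes, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def record_password(history, password):
    """Append (salt, digest) for an accepted password; newest entry last."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))

def validate(password, policy, history=()):
    """Return the list of unmet rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    if policy.mixed_case and not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("upper- and lower-case letters")
    if policy.number and not any(c.isdigit() for c in password):
        problems.append("a number")
    if policy.special_char and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("a special character")
    if policy.restrict_last_3:
        # Only the three most recent entries count; compare digests in constant time.
        if any(hmac.compare_digest(_digest(password, s), d) for s, d in history[-3:]):
            problems.append("not one of the last 3 passwords")
    return problems
```

The same validate() call serves the Forgot Password, Change Password and lead-level Password Field paths, which is what keeps enforcement consistent across touchpoints.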

Setting Password at Lead Level

When a password is configured using the Password Field, the system applies the newly defined password policy automatically, ensuring consistent enforcement across all applicant touchpoints.

Summary

By using Password Policies and Two-Factor Authentication, institutions can:

  • Enforce consistent password complexity standards

  • Add an extra layer of verification for sensitive actions

  • Ensure secure and guided login and password reset flows

  • Track configuration changes through audit logs

Together, these features help institutions maintain high security standards while offering applicants a safe and reliable authentication experience.
