Security

Enhance your account security by updating your password, adding trusted IP addresses to restrict access, and reviewing active sessions for any unusual activity. Enable two-factor authentication to add an extra layer of protection and secure your account from unauthorized access. These security features help protect your account and the sensitive data within Mumara.

Access Security settings by clicking your avatar in the top-right corner and selecting Security, or navigate through My Profile → Security in the User Menu.


Password

Regularly updating your password is crucial to prevent unauthorized access to your account.

Change Password Button

Click the Change Password button to open the password change modal.

Password Modal

| Field | Description |
| --- | --- |
| Current Password | Enter your existing password to verify your identity - this ensures only the actual account owner can change the password |
| New Password | Enter your new password - must include at least 8 characters; use a mix of uppercase, lowercase, numbers, and symbols for best security |
| Confirmed Password | Re-enter your new password to confirm it matches - prevents typos from locking you out |

The New Password field includes an eye icon to toggle password visibility, helping you verify what you're typing.

Changing Your Password

  1. Click Change Password button
  2. Enter your Current Password
  3. Enter your New Password (at least 8 characters)
  4. Re-enter the password in Confirmed Password
  5. Click Change Password to save

The modal also includes a Forgot Password? link if you need to reset your password via email verification.

Strong Password Tips
  • Use at least 12 characters for better security
  • Include uppercase and lowercase letters
  • Add numbers and special characters
  • Avoid common words or personal information
  • Don't reuse passwords from other sites

Allowed IP Addresses

Restrict access by adding a range of trusted IP addresses. If no IP address is added, the account will be accessible from any IP address. This feature provides an additional security layer by ensuring only connections from approved locations can access your account.

How IP Restrictions Work

  • No IPs configured - Account accessible from anywhere (default)
  • IPs configured - Account only accessible from listed IP addresses
  • Blocked access - Attempts from non-listed IPs are denied at login

Important

Ensure that the IP address you provide is a static IP address. Since dynamic IP addresses change, you might get locked out of your account if your IP changes and isn't on the allowed list.

IP Address List

The Security page displays your allowed IP addresses with the following information for each entry:

| Element | Description |
| --- | --- |
| IP Address | The IP address, range, or subnet that is allowed |
| Location | Geographic location determined from the IP via GeoIP lookup |
| Date Added | When this IP was added to the allowed list |
| Remove button | Click to delete this IP from the allowed list |

The main view shows up to 4 IP addresses. If you have more, click View More to see the complete list.

Add IP Address Button

Click Add IP Address to open the IP configuration modal.

IP Address Options

The modal provides four ways to add allowed IP addresses:

| Option | Description |
| --- | --- |
| Add your current IP address | Automatically detects and adds your current IP address (shown in parentheses, e.g., "192.168.25.188") - the quickest way to allow your current location |
| Add a static IP address | Manually enter a specific IP address - use this for known static IPs from your office or home |
| Add a subnet | Add a range of IP addresses using subnet notation (e.g., 192.168.1.0/24) - useful for allowing an entire office network |
| Add an IP range | Specify a start and end IP address to allow a contiguous range - flexible option for custom ranges |

Adding Your Current IP

  1. Click Add IP Address
  2. Select Add your current IP address (your IP is shown)
  3. Click Next
  4. Confirm the addition
  5. Your current IP is now whitelisted

Adding a Static IP

  1. Click Add IP Address
  2. Select Add a static IP address
  3. Click Next
  4. Enter the IP address
  5. Confirm the addition

Adding a Subnet

  1. Click Add IP Address
  2. Select Add a subnet
  3. Click Next
  4. Enter the subnet in CIDR notation (e.g., 192.168.1.0/24)
  5. Confirm the addition

Adding an IP Range

  1. Click Add IP Address
  2. Select Add an IP range
  3. Click Next
  4. Enter the starting IP address
  5. Enter the ending IP address
  6. Confirm the addition
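
Before saving an allow list, it helps to confirm that every address you sign in from is covered, since anything else is denied at login. The following is an added example, not Mumara's code: it parses the three manual entry forms described above and reports which login addresses would be locked out. The function names, the "start-end" dash syntax and the sample addresses are assumptions made for this sketch.

```python
import ipaddress

# RFC 1918 private ranges: a server reached over the internet sees the
# client's public NAT address, so these only match on a shared LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_entry(entry):
    """Return the networks covered by one allow-list entry.

    Handles a single address, a CIDR subnet, or a "start-end" range. The
    dash syntax is an assumption of this sketch; the modal takes the start
    and end addresses in separate fields.
    """
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"bad range: {entry}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=True rejects subnets with host bits set, e.g. 192.168.1.5/24
    return [ipaddress.ip_network(entry, strict=True)]


def audit(entries, login_ips):
    """Check a planned allow list against the addresses you sign in from."""
    nets = [n for e in entries for n in parse_entry(e)]
    return {
        # Addresses that would be denied at login once the list is saved.
        "locked_out": [ip for ip in login_ips
                       if not any(ipaddress.ip_address(ip) in n for n in nets)],
        # Entries that fall in private address space.
        "private": [e for e in entries
                    if any(n.version == 4 and n.overlaps(r)
                           for n in parse_entry(e) for r in RFC1918)],
        # Total addresses admitted: a rough measure of how wide the list is.
        "addresses_allowed": sum(n.num_addresses for n in nets),
    }


# Constructed sample data (documentation and private ranges, not real hosts).
PLANNED = ["198.51.100.7", "203.0.113.0/24", "192.168.1.10-192.168.1.20"]
LOGIN_IPS = ["198.51.100.7", "203.0.113.45", "198.51.100.8", "192.168.1.21"]

if __name__ == "__main__":
    print(audit(PLANNED, LOGIN_IPS))
```

With the sample data, two of the four login addresses sit just outside a listed entry and would be denied, which is the lockout case the Important note warns about.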

Active Sessions

View and manage all of your active sessions. This section shows everywhere your account is currently logged in, helping you identify unauthorized access and terminate suspicious sessions.

Session Preview

The Security page shows a preview of your recent sessions with a View more link to see the complete list.

Session Information

Each session displays:

| Element | Description |
| --- | --- |
| Device icon | Visual indicator of the operating system (Windows, Mac, Linux, mobile, etc.) |
| Operating System | The OS name (e.g., "windows", "macOS", "Linux") |
| Time indicator | How long ago this session was last active (e.g., "2 days ago", "6 months ago") |
| Location pin | Geographic indicator for the session |
| IP Address | The IP address from which this session connected |
| Platform icon | Operating system icon (e.g., Windows logo) |
| Browser icon | The browser used for this session (e.g., Chrome, Firefox, Safari) |
| Location text | Geographic location derived from the IP address (may show "Unknown, Unknown, Unknown" for private IPs) |
| Current Session | Green label indicating this is your currently active session |
| Terminate | Red link to end a specific session (appears on sessions other than current) |

Active Sessions Modal

Click View more to open the full Active Sessions modal showing all sessions:

  • Complete list of all active sessions
  • Same information as the preview but with all sessions visible
  • Ability to terminate any session except the current one

Terminating a Session

If you see an unfamiliar session or want to log out from another device:

  1. Click View more to see all sessions
  2. Locate the session you want to end
  3. Click Terminate (shown in red)
  4. The session is immediately ended
  5. That device will need to log in again

Current Session Protection

You cannot terminate your current session from this interface. To end your current session, use the Logout option from the avatar menu.

Identifying Suspicious Sessions

Watch for:

  • Unfamiliar IP addresses - IPs you don't recognize
  • Unexpected locations - Logins from places you haven't been
  • Multiple concurrent sessions - More active sessions than expected
  • Old sessions - Sessions from months ago may indicate compromised credentials

Two-Factor Authentication

Every time you sign in, you'll need both your password and a time-based authentication token. Two-factor authentication (2FA) significantly increases account security by requiring something you know (password) and something you have (your phone with the authenticator app).

2FA Overview Card

The Security page displays a promotional card explaining 2FA benefits:

  • "Protect your account with a two-step authentication"
  • "Enable multi-factor authentication and secure your Mumara account"
  • Enable/Disable toggle to turn 2FA on or off

Enabling Two-Factor Authentication

Step 1: Get Started

  1. Toggle the Enable/Disable switch to enable 2FA
  2. A modal appears explaining: "Two-factor authentication adds an extra layer of protection to your account. Once enabled, each time you sign in, you'll need to authenticate using a time-based token after successfully signing in with your credentials."
  3. Click Get Started to proceed

Step 2: Configure Authenticator App

The next screen shows:

Time-Based One-Time Password

"This authentication option uses a time-based algorithm for the second factor. Your mobile device can generate these codes. If you don't already have an app, we recommend Google Authenticator, available for iOS, Android, and Windows mobile devices."

Setup Instructions:

  1. Select to add a new time-based token in your authenticator app
  2. Scan the QR code displayed, OR manually enter the Secret Key shown

| Element | Description |
| --- | --- |
| QR Code | Scan this with your authenticator app to automatically configure the token |
| Secret Key | Manual entry code if you can't scan the QR code - "Spaces don't matter" when entering |

Step 3: Verify and Confirm

  1. Open your authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.)
  2. Add a new account by scanning the QR code or entering the Secret Key
  3. The app will display a 6-digit code that changes every 30 seconds
  4. Enter the current 6-digit code in the verification field
  5. Click Confirm to complete setup

Step 4: Save Your Backup Code

After successfully enabling 2FA, the system displays a backup code:

| Element | Description |
| --- | --- |
| Backup Code | A 16-character one-time recovery code displayed after 2FA is enabled - this code can be used to access your account if you lose access to your authenticator app |
| Copy button | Click to copy the backup code to your clipboard for secure storage |

Save Your Backup Code

Store this backup code in a secure location immediately. It will only be shown once and cannot be retrieved later. If you lose access to your authenticator app and don't have this code, you'll need administrator assistance to regain account access.

Using 2FA at Login

Once enabled:

  1. Enter your email and password as usual
  2. A second screen prompts for your authentication code
  3. Open your authenticator app
  4. Enter the current 6-digit code
  5. Access is granted if the code is valid

Disabling Two-Factor Authentication

  1. Navigate to Security settings
  2. Toggle the Enable/Disable switch to off
  3. Enter your current password to confirm the action
  4. Click Disable to turn off 2FA
  5. 2FA is disabled and you'll only need your password to log in

Security Recommendation

Keep 2FA enabled for maximum account security. Only disable it temporarily if you've lost access to your authenticator app, and re-enable it immediately after setting up a new device.


Best Practices

Password Security

  • Change passwords regularly - Update every 90 days for sensitive accounts
  • Use unique passwords - Don't reuse passwords across different services
  • Use a password manager - Helps generate and store strong, unique passwords

IP Restrictions

  • Use for high-security accounts - Especially for administrator accounts
  • Include backup IPs - Add multiple trusted locations to avoid lockouts
  • Document allowed IPs - Keep records of which IPs are whitelisted and why
  • Use static IPs only - Avoid dynamic IPs that change

Session Management

  • Review sessions regularly - Check monthly for unauthorized access
  • Terminate old sessions - Remove sessions from devices you no longer use
  • Act on suspicious sessions - Terminate unknown sessions and change your password immediately

Two-Factor Authentication

  • Enable on all accounts - Especially administrator and privileged accounts
  • Save your backup code immediately - Store the 16-character backup code in a secure location when you first enable 2FA
  • Use a reliable authenticator app - Google Authenticator, Authy, or Microsoft Authenticator
  • Have recovery options - Know how to recover access if you lose your phone
  • Don't share your secret key - Keep your QR code and secret key private

Troubleshooting

Locked Out by IP Restriction

Possible causes:

  • Your IP address changed (common with dynamic IPs)
  • You're accessing from a new location
  • VPN changed your IP

Solutions:

  • Contact an administrator to remove the IP restriction
  • Access from a previously whitelisted IP address
  • Use another admin account to update the allowed IPs

2FA Code Not Working

Possible causes:

  • Time on your phone is incorrect
  • Wrong account selected in authenticator app
  • Code expired (codes change every 30 seconds)

Solutions:

  • Ensure your phone's time is set to automatic/network time
  • Verify you're using the correct account in your authenticator app
  • Wait for a new code and enter it quickly
  • Contact an administrator if you can't access your account
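
The setup steps (a Secret Key where spaces don't matter, a 6-digit code that changes every 30 seconds) and the causes listed above (wrong phone time, expired code) both follow from how time-based codes are computed. The following is an added example, not Mumara's code: it implements standard RFC 6238 TOTP with HMAC-SHA1, which is what Google Authenticator generates by default, and shows how far a phone clock can drift before a code is rejected. The one-step tolerance window is an assumption, since the page does not say how much drift Mumara accepts; the key is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct


def normalize_secret(secret_key):
    """Decode a Base32 Secret Key, ignoring spaces, case and missing padding."""
    s = secret_key.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret_key, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time."""
    counter = int(unix_time) // step
    mac = hmac.new(normalize_secret(secret_key), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_key, submitted, server_time, window=1, step=30):
    """Return the step offset at which the code matches, or None.

    window=1 accepts the previous, current and next step. That tolerance
    is an assumption of this sketch, not a documented Mumara setting.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_key, server_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return drift
    return None


# Constructed sample: the RFC 6238 test key, Base32-encoded and typed with spaces.
SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
SERVER_TIME = 59  # RFC 6238 test vector timestamp

if __name__ == "__main__":
    print("server expects:", totp(SECRET, SERVER_TIME))
    for skew in (0, 30, 90):  # seconds the phone clock runs fast
        code = totp(SECRET, SERVER_TIME + skew)
        print(f"phone +{skew}s -> {code} -> matched offset {verify(SECRET, code, SERVER_TIME)}")
```

A phone running 30 seconds fast still matches at offset +1, while one running 90 seconds fast produces a code the server never computes, which is why setting the phone to automatic network time is the first fix to try.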

Can't Access Authenticator App

Possible causes:

  • Lost phone
  • App deleted
  • New phone without backup

Solutions:

  • Use your backup code that was displayed when you first enabled 2FA - enter it in place of the 6-digit code at login
  • Contact an administrator to disable 2FA on your account
  • Once access is restored, set up 2FA again with your new device and save the new backup code securely

Unknown Active Sessions

Possible causes:

  • Shared computer access
  • Compromised credentials
  • Forgotten login from another device

Solutions:

  • Terminate all unknown sessions immediately
  • Change your password
  • Enable 2FA if not already enabled
  • Review Authentication Logs for login history
