Account Security Policies
1. Password Expiration Policy

Password Expiry: All account passwords must be changed every 90 days to maintain high levels of security and prevent unauthorized access.
Notification Schedule:

Customers will receive notifications at 7 days, 3 days, and 1 day before the expiration date to remind them to update their password.
After password expiration, the account will automatically lock, and customers will be required to reset their password to regain access.


Grace Period:

In some cases, a 3-day grace period may be provided after the expiration, during which customers can still update their password without a full lockout.
After the grace period, account access will be fully suspended until the password is reset.



2. Password Requirements
To ensure account security, passwords must meet the following criteria:

Length: Must be at least 12 characters long.
Complexity: Passwords must contain at least:

One uppercase letter (A-Z)
One lowercase letter (a-z)
One numeric character (0-9)
One special character (e.g., !, $, @, #)


Password History:

Customers cannot reuse any of their previous 5 passwords.
The system will enforce this rule by keeping track of password changes to ensure that a password from the history cannot be used again.


Expiration and Change Enforcement:

If a password is not updated within the required time frame (90 days), customers will be forced to reset it upon the next login attempt.


Invalid Attempts:

After 5 consecutive failed login attempts, the account will be temporarily locked for 15 minutes as a security precaution.
Customers will be notified of suspicious login attempts to their email for further action.



3. Account Lockout Policy

Lockout on Expiry:

If the password expiration date is passed without a password change, the account will be automatically locked.
During the lockout, customers will not be able to access their account or any associated services until a password reset is completed.


Unlock Process:

The customer must initiate a password reset process using the "Forgot Password" option on the login page.
Once the password reset is successfully completed, the account lockout will be lifted, and the customer will regain full access to their account.


Account Suspicious Activity:

If unusual activity is detected (such as multiple failed login attempts), the account will be temporarily suspended for security reasons, and the customer will receive an email to verify their identity before reactivation.



4. Two-Factor Authentication (2FA)

Requirement:

Customers are encouraged to enable two-factor authentication (2FA) for an extra layer of security.
2FA requires a second verification step during login, such as a code sent to the customer’s mobile device.


Methods:

The 2FA can be set up using the following methods:

SMS-based authentication (one-time code sent via text message)
Authenticator apps (e.g., Google Authenticator, Authy)
Email verification (secondary code sent via registered email address)




2FA for Sensitive Operations:

Customers may be required to re-authenticate using 2FA for sensitive operations such as password changes, accessing billing information, or updating security settings.



5. Password Recovery Process

Forgotten Password:

Customers can reset their password anytime using the "Forgot Password" link on the login page.
They will be asked to enter their email address, after which a password reset link will be sent to their registered email.


Verification Steps:

To enhance security during password recovery, customers may be asked to answer a security question or input a verification code sent to their mobile device or email.
Once the password reset is completed, the customer will receive a confirmation email to notify them of the successful update.



6. Security Alerts and Breach Detection

Suspicious Login Activity:

Customers will receive an alert via email if the system detects multiple failed login attempts or logins from unfamiliar devices or locations.
They will be prompted to change their password immediately if unauthorized access is suspected.


Security Breach Notification:

In the case of a security breach or potential data compromise, affected customers will be notified immediately.
They will be required to reset their passwords and review their account activity for suspicious actions.



7. Contact Information for Support
If customers experience issues related to password management, account security, or account lockout, they can contact the support team through the following channels:

Email: security-support@globalfintech.com
Phone: +1-800-732-8736
Live Chat: Available through our customer portal for real-time assistance.

For urgent matters related to account security, customers are encouraged to use the live chat feature for immediate help.
8. Best Practices for Password Security

Password Management Tools: 

Customers are encouraged to use password management tools such as LastPass or 1Password to generate and store secure passwords.


Avoiding Phishing:

Customers should never share their passwords or personal information via email or SMS. Always verify the legitimacy of any security-related requests before responding.


Regular Security Checkups:

It is recommended that customers review their account activity regularly and update security settings (such as 2FA) as part of their regular account management routine.



By following these security policies, we ensure a safer and more secure experience for all our customers.