# Extension Login Security

Endpoint security is the third line of defense in a multi-layered security strategy: it guards individual extension accounts against fraudsters who try to register or sign in without permission. Cloud Voice ships with lockout rules that watch login attempts on SIP (Session Initiation Protocol) extensions out of the box, and you can strengthen protection further with single sign-on (SSO), two-factor authentication (2FA), login QR codes and links, password policies, and user roles. The sections below walk through each option.

## Lock out accounts after failed login attempts

Cloud Voice enforces an account lockout policy on both the PBX (Private Branch Exchange) web portal and the Cloud Voice App:

- When an IP address hits the configured number of failed attempts inside a set time window, the system temporarily refuses further attempts from that address.
- When an IP address reaches the maximum number of failed attempts, it is banned permanently. Cloud Voice blocks the address, lists it under **Blocked IPs**, and sends a **Web User Blocked Out** or **Cloud Voice App User Blocked Out** notification to the contacts you designate.

:::caution
A block applies to the whole IP address, not to a single account. If several people share one public IP (for example, an entire office behind one internet connection), one person's repeated failed logins can lock everyone at that address out of the portal and the Cloud Voice App. Check **Security > Security Rules > Blocked IPs** before assuming a login problem is a password fault.
:::

So that someone is alerted whenever an address is blocked, turn on the relevant event notifications and add recipients.

1. Go to **System > Event Notification**.
2. On the **Event Type** tab, enable the **Web User Blocked Out** and **Cloud Voice App User Blocked Out** notifications.

   
   ![Cloud Voice, event type list with the blocked-out login notifications switched on](/images/pbx/web-user-blocked-out.png)

3. On the **Notification Contacts** tab, add the people who should receive these alerts.

   ![Notification contacts panel with recipients added for security events](/images/pbx/add-notification-contacts.png)

Once an alert arrives, review the specifics in the web portal under **Security > Security Rules > Blocked IPs**.

![List of blocked IP addresses with the reason and timestamp for each block](/images/pbx/blocked-ips-pce.png)

## Use single sign-on for third-party authentication

Connecting Cloud Voice to **Microsoft 365**, **Google Workspace**, or **Red Hat SSO** lets users sign in to the Cloud Voice App with their existing Microsoft, Google, or Red Hat credentials. This removes the burden of managing yet another password and inherits the security controls already enforced on those third-party accounts.

![Cloud Voice, sign-in screen offering third-party single sign-on options](/images/pbx/sso-pce.png)

- **Microsoft 365**: Integrate Cloud Voice with Microsoft Entra ID (Azure Active Directory) or Active Directory, then enable SSO. Refer to the Microsoft Entra ID and Active Directory integration guides for the setup steps.
- **Google Workspace**: Integrate Cloud Voice with Google Workspace, then enable SSO. Refer to the Google Workspace integration guide for the setup steps.
- **Red Hat**: Integrate Cloud Voice with Red Hat SSO, then enable SSO. Refer to the Red Hat SSO integration guide for the setup steps.

## Require two-factor authentication

Two-factor authentication (2FA) adds a second checkpoint to every login. Besides the account password (the first factor), the user must supply a one-time code delivered to a designated device (the second factor).

![Cloud Voice, login prompt requesting a two-factor authentication code](/images/pbx/security-2fa.png)

To force every extension user through 2FA:

1. Go to **Security > Security Settings > Security Options**.
2. In the **Two-Factor Authentication** section, select **Make Two-Factor Authentication Mandatory for All Extensions**.

   ![Security options with the mandatory two-factor authentication checkbox selected](/images/pbx/2fa-mandatory.png)

3. Click **Save**, then **Apply**.

:::note
When 2FA is optional, each user decides whether to enable or skip it from the Cloud Voice App on desktop or web. Making it mandatory removes that choice and applies 2FA account-wide.
:::

## Offer passwordless login with a QR code or link

Login QR codes and links are a safer alternative to typing a password into the Cloud Voice App: each credential is encrypted and can be used only once. There are two ways to hand them out.

:::caution
Until it is used, a login QR code or link is as powerful as the password it replaces: anyone who receives it can sign in as that user. Send it over a channel you trust, and do not forward it or post it where others can see it.
:::

### Send a code or link to one user

1. Go to **Extension and Trunk > Extension** and edit the extension you want.
2. On the **Cloud Voice App** tab, click **Login QR Code** or **Login Link** to copy the credential, then send it to the user.

   
   ![Cloud Voice, extension settings showing the login QR code and link buttons](/images/pbx/linkus-qr-code-link.png)

### Send codes or links to several users at once

1. Go to **Extension and Trunk > Extension**.
2. Select the extensions you want, then click **Welcome Email**.

   
   ![Cloud Voice, extension list with multiple extensions selected and the welcome email action](/images/pbx/welcome-email.png)

:::note
The welcome email delivers each selected user's login QR code and link (along with sign-in instructions) to the email address on that extension. Confirm the extensions have an email address on file first, or the message has nowhere to go.
:::

## Enforce strong passwords for manual login

Weak passwords are an easy target for attackers. Close that gap by setting system-wide password requirements and giving each extension a strong password.

### Set password policies

1. Go to **Security > Security Settings > Security Options**.
2. In the **Extension Password Rules** section, set the minimum password length and the number of previous passwords that cannot be reused.

   ![Extension password rules defining minimum length and password reuse limits](/images/pbx/user-psw-restriction.png)

3. Click **Save**, then **Apply**.

### Give an extension a strong password

1. Go to **Extension and Trunk > Extension** and edit the extension you want.
2. In the **User Information** section, enter a strong user password.

   ![User information form with a strong password entered for the extension](/images/pbx/user-password.png)

3. Click **Save**, then **Apply**.

:::tip
A strong password:

- Mixes uppercase letters, lowercase letters, and numbers.
- Avoids repeated or sequential numbers.
- Does not reuse the extension number or extension name.
:::

## Control access with user roles

Role-based access control grants or restricts administrative permissions according to a person's job. Each user gets exactly the privileges their work requires, which limits the chance of an unauthorized user reaching sensitive data or performing actions they should not.

Cloud Voice includes these built-in roles: **Super Administrator**, **Administrator**, **Supervisor**, **Operator**, **Employee**, **Human Resource**, **Accounting**, and **Hotel Manager**. Assign a built-in role as is, or build a custom role with precisely the permissions you want.

### Create a custom role

1. Go to **Extension and Trunk > Role**.
2. Click **Add** to define a role from scratch, or **Copy Role** to start from an existing role and adjust it.

   ![Role management page with options to add a new role or copy an existing one](/images/pbx/user-role.png)

### Assign a role to a user

1. Go to **Extension and Trunk > Extension** and edit the extension you want.
2. In the **User Information** section, pick a role from the **User Role** drop-down list.

   ![Extension user information with a role chosen from the user role drop-down](/images/pbx/assign-role-to-users.png)

3. Click **Save**, then **Apply**.
