Strengthening account security in your organization

(By Blake Stearman, ArcGIS Online development team)
As an administrator you want to keep your data workflows secure, but also allow members of your organization the freedom to accomplish tasks efficiently. ArcGIS Online continues to deliver improved capabilities for administering your organization, and now provides more control over your security policies as well as tools needed to implement those policies successfully. Here’s an overview of new capabilities for password policies and multifactor authentication, and how they can be used to strengthen account security in your organization.

Password Policy

A recent ArcGIS Online release exposed a new password policy control. Administrators may now alter the required password strength used to log in to the organization.

Each organization has the default ArcGIS Online password policy requirements as its base level of password security. Administrators may now alter that policy to require that passwords contain letters, uppercase and/or lowercase letters, numbers, and special characters, and to control the minimum number of characters used in the password.

In the Password Policy section found in the Security tab, click Update Password Policy to make the desired changes.

Using Password Policy, you can specify password length, case sensitivity, and inclusion of numbers and special characters. You can also specify a rotation interval for your organization’s passwords, as well as enforce unique passwords over a configurable length of password history.

Once changes are saved, new passwords that are configured for users within the organization will follow the updated policy rules. Organization administrators can also reset passwords for members so that at their next login they are forced to specify a new password that follows the organization's current password policy.
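The following sketch shows how the policy settings described above (length, character classes, rotation interval, and password history) combine when a new password is evaluated. It is an added example, not ArcGIS Online code: the field names, the defaults, and the use of PBKDF2 for stored history entries are assumptions made for illustration.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:          # hypothetical field names, not ArcGIS Online's
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_age_days: int = 90     # rotation interval
    history_size: int = 5      # previous passwords that may not be reused

def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest); history stores these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def violations(policy: PasswordPolicy, candidate: str, history: list) -> list:
    """List every rule the candidate breaks; history is oldest first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    checks = [
        (policy.require_upper, str.isupper, "no uppercase letter"),
        (policy.require_lower, str.islower, "no lowercase letter"),
        (policy.require_digit, str.isdigit, "no number"),
        (policy.require_special, lambda c: c in string.punctuation,
         "no special character"),
    ]
    for required, predicate, message in checks:
        if required and not any(predicate(c) for c in candidate):
            problems.append(message)
    # Only the most recent history_size entries count toward reuse.
    recent = history[-policy.history_size:] if policy.history_size else []
    for salt, digest in recent:
        # Re-hash with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("reuses a recent password")
            break
    return problems

def is_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """True when the password is older than the rotation interval."""
    return now - last_changed > timedelta(days=policy.max_age_days)
```

Because each history entry is salted, the reuse check has to re-derive the candidate once per stored entry, so the history length also bounds the cost of a password change.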

Multifactor Authentication

ArcGIS Online has implemented multifactor authentication as an additional configurable security option available to organizations. Administrators may specify that users enter a secondary security code from a mobile device in addition to their password, to further protect the security of their accounts. Settings for multifactor authentication can be found in the Security tab of your organization settings.

When configuring this option, a minimum of two administrators must be specified. Each will receive emails regarding any authentication issues with the organization. Having multiple administrators sharing this responsibility ensures that authentication issues within the organization can be dealt with in a timely manner, and that there is a backup in case one administrator is locked out (for example, if the device used for secondary authentication is lost).

When multifactor authentication is enabled, administrators can view and sort by members currently configured to use it. Administrators can also reset the multifactor authentication configuration in case of a lost or forgotten mobile device.

Organization members with ArcGIS accounts can configure or remove multifactor authentication on their account from their profile page. For member accounts managed by an enterprise identity provider, it is assumed that the enterprise identity provider would provide its own multifactor authentication solution, if one is desired.

About the author

Corporate technology evangelist and advocate at Esri, focusing on ways to broaden access to geographic information and helping customers succeed with the ArcGIS system. On a good day I'm making a map, on a great day I'm on one. Email or connect on LinkedIn (
