Tenant Admin Guide

Security Policy

Overview

The Security Policy section lets a tenant administrator set the password rules and sign-in protections that apply to every extension user in the tenant. The two controls available are a password policy (length and complexity) and two-factor authentication (2FA) delivered by email.

Both settings are tenant-wide: once you save them, they apply to every existing and future extension user under the tenant. The defaults are a workable starting point for most organizations; revisit this page if your security or compliance posture requires stronger rules than the defaults provide (see Recommendations at the end of this page).


Password Policy

Where to find it

  1. Sign in to the VeloPBX Web Portal at https://pbx.fortis-tele.com:8887.
  2. From the left menu, open Company.
  3. Select the Password Policy tab.
[Image: Password Policy tab in the VeloPBX admin Web Portal]
Fig. 1 — The Password Policy tab under Company in the Web Portal. All settings shown here apply tenant-wide.

Configurable rules

Setting | Description | Default
Minimum length | Minimum number of characters in a password (6–32) | 6
Maximum length | Maximum number of characters in a password (6–32) | 32
Require letters | Password must contain at least one Latin letter | On
Require numbers | Password must contain at least one digit (0–9) | On
Require uppercase or special character | Password must contain at least one uppercase letter or one special character (~ ! @ # $ % ^ & * ( ) _ + =) | On
Disallow sequential characters | Reject passwords containing sequential runs (e.g. abcd, 1234) | On
Disallow repeating characters | Reject passwords containing repeating runs (e.g. aaaa, 1111) | On
Disallow account information | Reject passwords that resemble the username, email address, or extension number | On

Note: These rules are evaluated only when a password is created or changed. They do not retroactively invalidate existing passwords: if you tighten the policy, current users keep their existing passwords, however weak, until they next change them.
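The following is an added, stand-alone illustration of how the rules in the table above can be evaluated; it is not VeloPBX code and does not reflect how the portal implements the checks. Where the page leaves a detail open, the example makes a labelled assumption: a "run" is four or more characters (the page's examples abcd, 1234, aaaa, 1111 are all four long), sequential runs are counted in both directions for letters and digits, and "resembles account information" means the password contains the username, the local part of the email, or the extension number. The sample account is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Special characters as listed on the page for the "uppercase or special" rule.
SPECIALS = "~!@#$%^&*()_+="

# Constructed sample account used by the checks below (not real data).
SAMPLE_ACCOUNT = {"username": "jdoe", "email": "jdoe@example.com", "extension": "2041"}


@dataclass
class PasswordPolicy:
    """Tenant-wide rules; defaults mirror the table on this page."""
    min_length: int = 6
    max_length: int = 32
    require_letters: bool = True
    require_numbers: bool = True
    require_upper_or_special: bool = True
    disallow_sequential: bool = True
    disallow_repeating: bool = True
    disallow_account_info: bool = True
    run_length: int = 4  # assumption: a "run" is 4+ characters


def _has_sequential_run(pw: str, n: int) -> bool:
    """True if any n consecutive characters step up or down by exactly one
    code point each (abcd, dcba, 1234, 4321). Letters are compared
    case-insensitively; mixed letter/digit windows are ignored."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        if not (window.isalpha() or window.isdigit()):
            continue
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def _has_repeating_run(pw: str, n: int) -> bool:
    """True if the same character appears n or more times in a row."""
    return any(pw[i:i + n] == pw[i] * n for i in range(len(pw) - n + 1))


def _resembles_account(pw: str, account: dict) -> bool:
    """Assumption: the password contains (case-insensitively) the username,
    the local part of the email, or the extension number, for any value of
    at least 3 characters."""
    p = pw.lower()
    candidates = [
        account.get("username", ""),
        account.get("email", "").split("@")[0],
        account.get("extension", ""),
    ]
    return any(c and len(c) >= 3 and c.lower() in p for c in candidates)


def check_password(pw: str, account: dict, policy: Optional[PasswordPolicy] = None) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    policy = policy or PasswordPolicy()
    problems = []
    if not (policy.min_length <= len(pw) <= policy.max_length):
        problems.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    if policy.require_letters and not re.search(r"[A-Za-z]", pw):
        problems.append("must contain a Latin letter")
    if policy.require_numbers and not re.search(r"[0-9]", pw):
        problems.append("must contain a digit")
    if policy.require_upper_or_special and not (re.search(r"[A-Z]", pw) or any(c in SPECIALS for c in pw)):
        problems.append("must contain an uppercase letter or special character")
    if policy.disallow_sequential and _has_sequential_run(pw, policy.run_length):
        problems.append("contains a sequential run")
    if policy.disallow_repeating and _has_repeating_run(pw, policy.run_length):
        problems.append("contains a repeating run")
    if policy.disallow_account_info and _resembles_account(pw, account):
        problems.append("resembles account information")
    return problems


if __name__ == "__main__":
    for candidate in ["Pa55word", "jdoe2041!", "Zyxw9!", "Go1111go", "123456"]:
        print(candidate, "->", check_password(candidate, SAMPLE_ACCOUNT) or "accepted")
    # Tightened policy, as recommended later on this page: 12-character minimum.
    print("Pa55word (min 12) ->", check_password("Pa55word", SAMPLE_ACCOUNT, PasswordPolicy(min_length=12)))
```

Because the check returns every violated rule rather than stopping at the first, it can be used to give a user the full list of reasons a candidate password was rejected, and the `PasswordPolicy` defaults can be raised (for example `min_length=12`) to try a stricter tenant policy against existing password habits before you change it in the portal.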

PIN policy

A separate PIN length range governs short numeric PINs used for voicemail and conference rooms (4–10 digits, default 4–6). PIN rules are independent of the main password rules and are evaluated only when a PIN is set or changed.


Two-Factor Authentication (2FA)

VeloPBX supports email-based 2FA for extension users. When enabled, every sign-in to the Web Portal requires:

  1. The user’s username and password.
  2. A one-time verification code sent to the user’s registered email address.

This second factor protects an account against an attacker who has leaked or guessed the password but cannot read the user's mailbox. It is therefore only as strong as the mailbox that receives the codes: an attacker who controls the email account can also complete the second step.

Enabling 2FA

  1. Open Company → Password Policy.
  2. Toggle Enable two-step verification on. The Web Portal shows a confirmation prompt with a warning banner reminding you to verify mail-server delivery (see below) before you continue.
  3. Click OK to save. The setting takes effect for every extension user in the tenant.

[Image: 2FA enable confirmation prompt with mail-server warning]
Fig. 2 — Confirmation prompt shown after toggling two-step verification on. The banner reminds the admin to confirm that the mail server is delivering test messages before saving the change tenant-wide.

Mail server prerequisite

Because the verification code is delivered by email, the tenant's mail server must be correctly configured before you turn on 2FA. If outbound email is broken, every user, including the administrator who enabled the setting, is stopped at the second step and cannot sign in.

To verify mail delivery, send yourself a test message from Settings → Mail Server → Send Test Email before enabling 2FA. If the test message does not arrive, fix the mail server first.

Important: Do not enable 2FA in production until you have confirmed that test emails are being delivered. If you suspect users are locked out because of a mail-server failure, contact [email protected] — the support team can disable 2FA for the tenant from the platform side while you repair the mail path.

What users see

When 2FA is on, the user signs in normally with username and password, then sees a code-entry screen:

  • The verification code is six digits.
  • It is valid for a short window (a few minutes) and can be used only once.
  • A new code is generated for every sign-in attempt.

If the user does not receive the code within a minute, they can request a new one from the same screen.

Per-extension 2FA email

The email address that receives the verification code is the one set on the extension (Call Manager → Users → [extension] → User → Email). Make sure every extension has a working email address before turning on 2FA tenant-wide. Extensions without a valid email cannot complete sign-in.
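The following is an added model of the sign-in behaviour described above (six-digit code, short validity window, single use, a fresh code for every attempt) together with the two failure cases this page warns about: an extension with no email address, and a mail server that does not deliver. It is not VeloPBX code and does not reflect the portal's internal implementation. The 300-second lifetime is an assumption standing in for "a few minutes", and the in-memory outbox and manual clock in `simulate()` are constructed so the example runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300  # assumption: "a few minutes" on the page


@dataclass
class PendingCode:
    code: str
    issued_at: float
    used: bool = False


class EmailOtp:
    """Second sign-in step: one pending code per user; issuing a new code
    replaces the previous one, so each sign-in attempt gets a fresh code."""

    def __init__(self, send_mail: Callable[[str, str], bool], clock: Callable[[], float] = time.time):
        self._send = send_mail        # send_mail(email, code) -> True if accepted for delivery
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    def begin_signin(self, username: str, email: str) -> bool:
        """Called after the password step. Returns False if no code could be delivered."""
        if not email:
            return False  # extension without an email address cannot complete sign-in
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(code, self._clock())
        if not self._send(email, code):
            del self._pending[username]  # do not leave a code pending that nobody received
            return False
        return True

    def verify(self, username: str, submitted: str) -> bool:
        pending = self._pending.get(username)
        if pending is None or pending.used:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]  # expired: the user must request a new code
            return False
        # Constant-time comparison on bytes so arbitrary user input cannot raise.
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            return False
        pending.used = True  # single use: replaying the same code fails
        return True


def simulate() -> dict:
    """Offline walkthrough with a constructed in-memory mail server and manual clock."""
    outbox = []
    now = [1_000_000.0]
    otp = EmailOtp(send_mail=lambda email, code: outbox.append((email, code)) or True,
                   clock=lambda: now[0])
    results = {}
    # 1. Normal sign-in: code delivered, entered once, then replayed.
    otp.begin_signin("jdoe", "jdoe@example.com")
    _, code = outbox[-1]
    results["first_use"] = otp.verify("jdoe", code)
    results["replay"] = otp.verify("jdoe", code)
    # 2. Wrong code (the real code with its last digit changed).
    otp.begin_signin("jdoe", "jdoe@example.com")
    _, code = outbox[-1]
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    results["wrong_code"] = otp.verify("jdoe", wrong)
    # 3. Expired code: clock advanced past the validity window.
    otp.begin_signin("jdoe", "jdoe@example.com")
    _, code = outbox[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = otp.verify("jdoe", code)
    # 4. Extension with no email address: the second step cannot start.
    results["no_email"] = otp.begin_signin("lobby", "")
    # 5. Mail server not delivering: nobody, admin included, gets past step two.
    down = EmailOtp(send_mail=lambda email, code: False, clock=lambda: now[0])
    results["mail_down"] = down.begin_signin("jdoe", "jdoe@example.com")
    results["mail_down_pending"] = "jdoe" in down._pending
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

Cases 4 and 5 are the ones this page cares about operationally: a user whose extension has no email, or whose mail cannot be delivered, never receives a code and so cannot finish signing in, which is why mail delivery and per-extension email addresses must be verified before 2FA is switched on tenant-wide.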


Recommendations

  • Length over complexity. Raising the minimum length adds more resistance to brute-force and dictionary guessing than adding character-class rules to a short minimum: a 12-character minimum with the default class rules is a stronger baseline than the default 6, and well within the 6–32 range the policy allows.
  • Turn 2FA on for admin accounts at minimum. 2FA is a tenant-wide switch, so if you cannot enable it for everyone (for example, because a shared lobby phone has no email address), make sure every extension with the Admin role has a working, individually owned email address before you turn it on, and give the lobby phone a mailbox rather than leaving it unable to sign in.
  • Re-test mail delivery after any mail-server change. A mail server that works today can stop delivering tomorrow if relay credentials or DKIM keys are rotated or SPF records change; each of these silently breaks the second step for every user.

Next Step

Once your security baseline is set, return to extension management to assign roles and set the email address that receives 2FA codes for each user:

Users & Extensions


Last updated: 2026-05-01