This article will cover the following:
- Security Settings
- All Portal Settings
- Admin Portal Settings
- Settings Available on Every Portal
- System Access
- IP Whitelist
- API Keys
- New Device Login Alerts
Security Settings
The Security Settings section houses all portal security configuration options. We recommend reviewing these settings carefully, as they directly impact access to your system and help keep your instance locked down to your preferred security level.
Security settings are divided into up to 6 portal-specific sections:
- All Portal Settings
- Admin Portal
- Affiliate Portal
- Buyer Portal
- Advertiser Portal
- Custom Queue Portal

All Portal Settings
Max Failed Login Attempts — The number of consecutive failed login attempts a user is allowed before being locked out and required to reset their password. This setting applies across all portals including Admin, Affiliate, Advertiser, and Buyer.
Admin Portal Settings
The Admin Portal has one setting that is exclusive to it and does not appear in other portal sections:
Enable Multi-Factor Authentication (MFA) — When enabled, employees must provide a time-based one-time code from their mobile authenticator app in addition to their username and password in order to log in to the Admin Portal. MFA applies to employees only — Affiliates, Advertisers, and Buyers are not affected by this setting.
Settings Available on Every Portal
The following settings are available for each portal independently. Each portal section allows you to configure these values separately so access controls can be tailored per portal.
Portal Session Timeout — The number of idle minutes before a user is automatically logged out and required to re-authenticate. Configure this per portal based on the sensitivity of that portal's data.
Password Strength — Sets the minimum complexity requirement for user passwords on that portal:
- Weak — Minimum 5 characters. Cannot be the user's first or last name, email address, "password", "12345", or "54321".
- Strong — Minimum 9 characters. Must include at least 1 number, 1 lowercase letter, and 1 uppercase letter, in addition to all Weak restrictions.
Password Usage History Restriction — Prevents users from reusing any of their last X passwords. Set the number of previous passwords to restrict against.
Password Expiration Policy — The number of days before a user is forced to update their password. After expiration, users will be prompted to create a new password on next login.
Force Password Reset — Immediately logs all users out of the portal and requires them to create a new password before they can log back in. Use with caution — this affects all active sessions instantly.
System Access
The System Access sub-tab houses all features related to accessing CAKE at the system level. This tab is only accessible to users who have Multi-Factor Authentication enabled. To access it, you must authenticate with your username, password, and an MFA code.

IP Whitelist
IP Whitelisting restricts access to selected portals to specific IP address ranges. When a whitelist is configured for a portal, only traffic originating from a whitelisted IP range will be permitted to log in.
You can configure IP whitelisting for any of the following portals:
- Admin
- Advertiser
- Affiliate
- All Admin APIs
- All Portals
- Buyer
- CallCenter
To add an IP Whitelist entry:
- Click the Add button.
- Enter the IP Start address.
- Enter the IP End address.
- Select the Portal to restrict.
- Click Update to save the entry.
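The following is an added example, not part of CAKE or its documentation: a small Python helper that converts CIDR blocks into the IP Start / IP End pairs the form expects and checks which source addresses a planned set of entries would admit, so you can confirm your own address is covered before saving. The function names and sample addresses are constructed, and the handling of "All Portals" rows and of portals without entries is an assumption.

```python
import ipaddress

ALL_PORTALS = "All Portals"  # portal option listed on the page

def cidr_to_range(cidr):
    """Convert a CIDR block to the (IP Start, IP End) pair the form asks for."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])

def make_entry(ip_start, ip_end, portal):
    """Validate one whitelist row before it is typed into the UI."""
    start, end = ipaddress.ip_address(ip_start), ipaddress.ip_address(ip_end)
    if start.version != end.version:
        raise ValueError("IP Start and IP End must be the same address family")
    if start > end:
        raise ValueError("IP Start is higher than IP End")
    return (start, end, portal)

def is_allowed(entries, portal, source_ip):
    """True if source_ip could log in to portal under the planned entries.

    Assumptions (not confirmed by the page): an "All Portals" row applies to
    every portal, and a portal with no applicable rows is unrestricted.
    """
    ip = ipaddress.ip_address(source_ip)
    rows = [e for e in entries if e[2] in (portal, ALL_PORTALS)]
    if not rows:
        return True
    return any(s.version == ip.version and s <= ip <= e for s, e, _ in rows)

# Constructed sample plan using documentation address ranges (RFC 5737).
SAMPLE_ENTRIES = [
    make_entry(*cidr_to_range("203.0.113.0/24"), "Admin"),
    make_entry("198.51.100.10", "198.51.100.20", "All Admin APIs"),
]

if __name__ == "__main__":
    for portal, ip in [("Admin", "203.0.113.40"), ("Admin", "192.0.2.9"),
                       ("All Admin APIs", "198.51.100.21"), ("Buyer", "192.0.2.9")]:
        verdict = "allowed" if is_allowed(SAMPLE_ENTRIES, portal, ip) else "BLOCKED"
        print(portal, ip, verdict)
```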

API Keys
API keys are used to authenticate requests to the CAKE API and should be treated like passwords — never share them publicly or store them in plain text. You can access your Admin and Affiliate API keys from the System Access sub-tab.
Admin API keys are aliased by default — the actual key value is hidden in the UI. To view your key:
- Click the System Access sub-tab.
- Click the Show link next to your API key.

To update the alias on your API key:
- Double-click the API Key row to make it editable.
- Update the Alias field with a memorable name.
- Click Update to save your changes.

New Device Login Alerts
CAKE automatically sends a notification to your account email whenever a login is detected from a new or previously unrecognized device or location. This provides an early warning if your credentials are used from an unexpected source and requires no configuration — it is active whenever MFA is enabled.
If you have any questions, please reach out to your dedicated CAKE Client Success Manager/Account Manager or contact the CAKE Support Team at support@getCAKE.com.