
Configuring User Authentication Settings

You can configure user authentication settings from the Settings page. You can disable password-based authentication if single sign-on (SSO) is enabled, modify the password expiration period, and modify two-factor authentication (2FA) one-time password (OTP) duration.

Any changes made to these settings are applied to all users.

Disabling Password-Based Authentication

If you have enabled SSO for users, then you can disable authentication to the Zscaler Deception Admin Portal via local credentials (user passwords stored in Zscaler Deception).

Make sure that you have configured at least one SSO feature and tested it before disabling password-based authentication.

To disable password-based authentication:

  1. Go to Settings > Users & Roles > Settings.
  2. Select Disable password login.
  3. Click Save.

After you disable password-based authentication, you cannot log in to the portal using your local username and password.

Modifying the Password Expiration Period

By default, the password expiration period is 90 days. You can modify the password expiration period for all users.

To modify the password expiration period:

  1. Go to Settings > Users & Roles > Settings.
  2. In Password expiration (Days), enter the password expiration period in days.
  3. Click Save.

After you configure the password expiration period, it is applied to all users, counted from the day their account was created. Users whose accounts are older than the password expiration period are prompted to reset their passwords.

Modifying Two-Factor Authentication One-Time Password Duration

When signing into the Deception Admin Portal for the first time, each user must configure 2FA using an authenticator app. Each OTP is valid for a time window of 30 seconds.

To accommodate possible clock skew between the Deception Admin Portal and the authenticator app, OTPs submitted from the previous and next two windows are accepted by default. If you encounter OTP errors due to clock skew, you can increase the number of windows.

To modify the OTP duration:

  1. Go to Settings > Users & Roles > Settings.
  2. Under One-Time Password window, enter a number.
  3. Click Save.

Zscaler recommends not modifying the default OTP duration. However, you can increase the window number by 1 until the clock skew problem is resolved.
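
The window check described in this section, as an added Python example (not Zscaler's code): a standard RFC 6238 TOTP verifier with a 30-second step, showing which clock lags a given window value tolerates. It assumes a window value of N means N steps are accepted on each side of the current one, and it uses the RFC 6238 test secret with constructed timestamps.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each OTP is valid, as stated on this page
SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP keyed on the number of 30-second steps since epoch."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify(secret, submitted, server_time, window=2):
    """Return the matching step offset, or None if the code is rejected.

    Assumption: window=N accepts N steps before and N after the current one.
    """
    current = int(server_time) // STEP
    for offset in range(-window, window + 1):
        candidate = hotp(secret, max(current + offset, 0))
        if hmac.compare_digest(candidate, submitted):
            return offset
    return None


def codes_valid_at_once(window):
    """Distinct steps whose code is accepted at any instant: 2N + 1."""
    return 2 * window + 1


if __name__ == "__main__":
    server_now = 1_700_000_000  # constructed server clock
    for lag in (0, 75, 100):    # constructed authenticator clock lag, seconds
        code = totp(SECRET, server_now - lag)
        for window in (1, 2, 3):
            print(lag, window, verify(SECRET, code, server_now, window),
                  codes_valid_at_once(window))
```

Under that assumption, each step added to the window makes two more codes valid at any moment, which is why the increase is made one step at a time and only until the skew errors stop.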
