From cb0994a9294fca034d53424e1cee2f0d6963535c Mon Sep 17 00:00:00 2001
From: Bjarke Berg <mail@bergmania.dk>
Date: Thu, 12 Mar 2020 14:36:25 +0100
Subject: [PATCH] Cleaned up config for Security settings

---
 src/Umbraco.Configuration/ConfigsFactory.cs   | 10 +++--
 .../MemberPasswordConfigurationSettings.cs    | 16 +++++++
 .../Implementations/SecuritySettings.cs       | 14 +++++++
 .../UserPasswordConfigurationSettings.cs      | 15 +++++++
 .../MemberPasswordConfigurationElement.cs     |  2 +-
 .../UmbracoSettings/SecurityElement.cs        | 18 ++++----
 .../UmbracoSettings/UmbracoSettingsSection.cs |  2 -
 .../UserPasswordConfigurationElement.cs       |  2 +-
 .../Configuration/ConfigsExtensions.cs        | 27 ++++--------
 .../MemberPasswordConfiguration.cs            |  6 +--
 .../Configuration/PasswordConfiguration.cs    | 22 +++++-----
 .../IMemberPasswordConfigurationSection.cs    |  6 ---
 ...ecuritySection.cs => ISecuritySettings.cs} |  8 +---
 .../IUmbracoSettingsSection.cs                |  2 -
 .../IUserPasswordConfigurationSection.cs      |  6 ---
 .../UserPasswordConfiguration.cs              |  6 +--
 .../CompositionExtensions/Configuration.cs    |  1 -
 .../Models/ContentEditing/UserInvite.cs       |  2 +-
 .../UmbracoSettings/SecurityElementTests.cs   | 42 +++++++++----------
 .../UmbracoSettings/UmbracoSettingsTests.cs   |  4 ++
 .../TestHelpers/SettingsForTests.cs           | 31 +++++++++-----
 src/Umbraco.Tests/Testing/UmbracoTestBase.cs  |  3 ++
 .../AuthenticationControllerTests.cs          |  2 +-
 .../Web/Controllers/UsersControllerTests.cs   | 12 ++++--
 .../Umbraco/Views/AuthorizeUpgrade.cshtml     |  2 +-
 .../Umbraco/Views/Default.cshtml              |  2 +-
 .../Editors/AuthenticationController.cs       |  8 ++--
 .../Editors/BackOfficeController.cs           | 13 +++---
 src/Umbraco.Web/Editors/BackOfficeModel.cs    |  7 +++-
 .../Editors/BackOfficePreviewModel.cs         |  4 +-
 .../Editors/BackOfficeServerVariables.cs      | 11 +++--
 src/Umbraco.Web/Editors/PreviewController.cs  |  7 +++-
 src/Umbraco.Web/Editors/UsersController.cs    | 15 ++++---
 .../HtmlHelperBackOfficeExtensions.cs         |  4 +-
 .../Install/InstallSteps/NewInstallStep.cs    |  8 ++--
 .../Security/AppBuilderExtensions.cs          | 35 ++++++++--------
 .../Security/AuthenticationExtensions.cs      |  6 +--
 .../BackOfficeCookieAuthenticationProvider.cs |  8 ++--
 .../Security/GetUserSecondsMiddleWare.cs      |  4 +-
 .../UmbracoBackOfficeCookieAuthOptions.cs     |  6 +--
 src/Umbraco.Web/UmbracoDefaultOwinStartup.cs  |  5 ++-
 41 files changed, 228 insertions(+), 176 deletions(-)
 create mode 100644 src/Umbraco.Configuration/Implementations/MemberPasswordConfigurationSettings.cs
 create mode 100644 src/Umbraco.Configuration/Implementations/SecuritySettings.cs
 create mode 100644 src/Umbraco.Configuration/Implementations/UserPasswordConfigurationSettings.cs
 delete mode 100644 src/Umbraco.Core/Configuration/UmbracoSettings/IMemberPasswordConfigurationSection.cs
 rename src/Umbraco.Core/Configuration/UmbracoSettings/{ISecuritySection.cs => ISecuritySettings.cs} (78%)
 delete mode 100644 src/Umbraco.Core/Configuration/UmbracoSettings/IUserPasswordConfigurationSection.cs

diff --git a/src/Umbraco.Configuration/ConfigsFactory.cs b/src/Umbraco.Configuration/ConfigsFactory.cs
index 8930edf36b..d9305e0ee8 100644
--- a/src/Umbraco.Configuration/ConfigsFactory.cs
+++ b/src/Umbraco.Configuration/ConfigsFactory.cs
@@ -24,6 +24,9 @@ namespace Umbraco.Core.Configuration
         public IKeepAliveSettings KeepAliveSettings { get; } = new KeepAliveSettings();
         public IWebRoutingSettings WebRoutingSettings { get; } = new WebRoutingSettings();
         public IRequestHandlerSettings RequestHandlerSettings { get; } = new RequestHandlerSettings();
+        public ISecuritySettings SecuritySettings { get; } = new SecuritySettings();
+        public IUserPasswordConfiguration UserPasswordConfigurationSettings { get; } = new UserPasswordConfigurationSettings();
+        public IMemberPasswordConfiguration MemberPasswordConfigurationSettings { get; } = new MemberPasswordConfigurationSettings();
 
         public IUmbracoSettingsSection UmbracoSettings { get; }
 
@@ -36,10 +39,6 @@ namespace Umbraco.Core.Configuration
             configs.Add<IUmbracoSettingsSection>("umbracoConfiguration/settings");
             configs.Add<IHealthChecks>("umbracoConfiguration/HealthChecks");
 
-            // Password configuration is held within IUmbracoSettingsSection from umbracoConfiguration/settings but we'll add explicitly
-            // so it can be independently retrieved in classes that need it.
-            configs.AddPasswordConfigurations();
-
             configs.Add(() => CoreDebug);
             configs.Add(() => MachineKeyConfig);
             configs.Add<IConnectionStrings>(() => new ConnectionStrings(ioHelper));
@@ -58,6 +57,9 @@ namespace Umbraco.Core.Configuration
             configs.Add<IKeepAliveSettings>(() => KeepAliveSettings);
             configs.Add<IWebRoutingSettings>(() => WebRoutingSettings);
             configs.Add<IRequestHandlerSettings>(() => RequestHandlerSettings);
+            configs.Add<ISecuritySettings>(() => SecuritySettings);
+            configs.Add<IUserPasswordConfiguration>(() => UserPasswordConfigurationSettings);
+            configs.Add<IMemberPasswordConfiguration>(() => MemberPasswordConfigurationSettings);
 
             configs.AddCoreConfigs(ioHelper);
             return configs;
diff --git a/src/Umbraco.Configuration/Implementations/MemberPasswordConfigurationSettings.cs b/src/Umbraco.Configuration/Implementations/MemberPasswordConfigurationSettings.cs
new file mode 100644
index 0000000000..e42b02de73
--- /dev/null
+++ b/src/Umbraco.Configuration/Implementations/MemberPasswordConfigurationSettings.cs
@@ -0,0 +1,16 @@
+using Umbraco.Core.Configuration;
+
+namespace Umbraco.Configuration.Implementations
+{
+    internal class MemberPasswordConfigurationSettings : ConfigurationManagerConfigBase, IMemberPasswordConfiguration
+    {
+        public int RequiredLength => UmbracoSettingsSection.Security.UserPasswordConfiguration.RequiredLength;
+        public bool RequireNonLetterOrDigit => UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireNonLetterOrDigit;
+        public bool RequireDigit => UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireDigit;
+        public bool RequireLowercase=> UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireLowercase;
+        public bool RequireUppercase=> UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireUppercase;
+        public bool UseLegacyEncoding=> UmbracoSettingsSection.Security.UserPasswordConfiguration.UseLegacyEncoding;
+        public string HashAlgorithmType=> UmbracoSettingsSection.Security.UserPasswordConfiguration.HashAlgorithmType;
+        public int MaxFailedAccessAttemptsBeforeLockout => UmbracoSettingsSection.Security.UserPasswordConfiguration.MaxFailedAccessAttemptsBeforeLockout;
+    }
+}
diff --git a/src/Umbraco.Configuration/Implementations/SecuritySettings.cs b/src/Umbraco.Configuration/Implementations/SecuritySettings.cs
new file mode 100644
index 0000000000..b7e39b0608
--- /dev/null
+++ b/src/Umbraco.Configuration/Implementations/SecuritySettings.cs
@@ -0,0 +1,14 @@
+using Umbraco.Core.Configuration.UmbracoSettings;
+
+namespace Umbraco.Configuration.Implementations
+{
+    internal class SecuritySettings : ConfigurationManagerConfigBase, ISecuritySettings
+    {
+        public bool KeepUserLoggedIn => UmbracoSettingsSection.Security.KeepUserLoggedIn;
+        public bool HideDisabledUsersInBackoffice => UmbracoSettingsSection.Security.HideDisabledUsersInBackoffice;
+        public bool AllowPasswordReset => UmbracoSettingsSection.Security.AllowPasswordReset;
+        public string AuthCookieName => UmbracoSettingsSection.Security.AuthCookieName;
+        public string AuthCookieDomain => UmbracoSettingsSection.Security.AuthCookieDomain;
+        public bool UsernameIsEmail => UmbracoSettingsSection.Security.UsernameIsEmail;
+    }
+}
diff --git a/src/Umbraco.Configuration/Implementations/UserPasswordConfigurationSettings.cs b/src/Umbraco.Configuration/Implementations/UserPasswordConfigurationSettings.cs
new file mode 100644
index 0000000000..51dd645c42
--- /dev/null
+++ b/src/Umbraco.Configuration/Implementations/UserPasswordConfigurationSettings.cs
@@ -0,0 +1,15 @@
+using Umbraco.Core.Configuration;
+namespace Umbraco.Configuration.Implementations
+{
+    internal class UserPasswordConfigurationSettings : ConfigurationManagerConfigBase, IUserPasswordConfiguration
+    {
+        public int RequiredLength => UmbracoSettingsSection.Security.UserPasswordConfiguration.RequiredLength;
+        public bool RequireNonLetterOrDigit => UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireNonLetterOrDigit;
+        public bool RequireDigit => UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireDigit;
+        public bool RequireLowercase=> UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireLowercase;
+        public bool RequireUppercase=> UmbracoSettingsSection.Security.UserPasswordConfiguration.RequireUppercase;
+        public bool UseLegacyEncoding=> UmbracoSettingsSection.Security.UserPasswordConfiguration.UseLegacyEncoding;
+        public string HashAlgorithmType=> UmbracoSettingsSection.Security.UserPasswordConfiguration.HashAlgorithmType;
+        public int MaxFailedAccessAttemptsBeforeLockout => UmbracoSettingsSection.Security.UserPasswordConfiguration.MaxFailedAccessAttemptsBeforeLockout;
+    }
+}
diff --git a/src/Umbraco.Configuration/UmbracoSettings/MemberPasswordConfigurationElement.cs b/src/Umbraco.Configuration/UmbracoSettings/MemberPasswordConfigurationElement.cs
index 93c7c20159..92cd112630 100644
--- a/src/Umbraco.Configuration/UmbracoSettings/MemberPasswordConfigurationElement.cs
+++ b/src/Umbraco.Configuration/UmbracoSettings/MemberPasswordConfigurationElement.cs
@@ -1,6 +1,6 @@
 namespace Umbraco.Core.Configuration.UmbracoSettings
 {
-    internal class MemberPasswordConfigurationElement : PasswordConfigurationElement, IMemberPasswordConfigurationSection
+    internal class MemberPasswordConfigurationElement : PasswordConfigurationElement, IMemberPasswordConfiguration
     {
     }
 }
diff --git a/src/Umbraco.Configuration/UmbracoSettings/SecurityElement.cs b/src/Umbraco.Configuration/UmbracoSettings/SecurityElement.cs
index 82012cfd0f..aec6809298 100644
--- a/src/Umbraco.Configuration/UmbracoSettings/SecurityElement.cs
+++ b/src/Umbraco.Configuration/UmbracoSettings/SecurityElement.cs
@@ -2,7 +2,7 @@
 
 namespace Umbraco.Core.Configuration.UmbracoSettings
 {
-    internal class SecurityElement : UmbracoConfigurationElement, ISecuritySection
+    internal class SecurityElement : UmbracoConfigurationElement, ISecuritySettings
     {
         [ConfigurationProperty("keepUserLoggedIn")]
         internal InnerTextConfigurationElement<bool> KeepUserLoggedIn => GetOptionalTextElement("keepUserLoggedIn", true);
@@ -38,14 +38,14 @@ namespace Umbraco.Core.Configuration.UmbracoSettings
         [ConfigurationProperty("memberPasswordConfiguration")]
         public MemberPasswordConfigurationElement MemberPasswordConfiguration => (MemberPasswordConfigurationElement)this["memberPasswordConfiguration"];
 
-        bool ISecuritySection.KeepUserLoggedIn => KeepUserLoggedIn;
+        bool ISecuritySettings.KeepUserLoggedIn => KeepUserLoggedIn;
 
-        bool ISecuritySection.HideDisabledUsersInBackoffice => HideDisabledUsersInBackoffice;
+        bool ISecuritySettings.HideDisabledUsersInBackoffice => HideDisabledUsersInBackoffice;
 
         /// <summary>
         /// Used to enable/disable the forgot password functionality on the back office login screen
         /// </summary>
-        bool ISecuritySection.AllowPasswordReset => AllowPasswordReset;
+        bool ISecuritySettings.AllowPasswordReset => AllowPasswordReset;
 
         /// <summary>
         /// A boolean indicating that by default the email address will be the username
@@ -54,14 +54,10 @@ namespace Umbraco.Core.Configuration.UmbracoSettings
         /// Even if this is true and the username is different from the email in the database, the username field will still be shown.
         /// When this is false, the username and email fields will be shown in the user section.
         /// </remarks>
-        bool ISecuritySection.UsernameIsEmail => UsernameIsEmail;
+        bool ISecuritySettings.UsernameIsEmail => UsernameIsEmail;
 
-        string ISecuritySection.AuthCookieName => AuthCookieName;
+        string ISecuritySettings.AuthCookieName => AuthCookieName;
 
-        string ISecuritySection.AuthCookieDomain => AuthCookieDomain;
-
-        IUserPasswordConfigurationSection ISecuritySection.UserPasswordConfiguration => UserPasswordConfiguration;
-
-        IMemberPasswordConfigurationSection ISecuritySection.MemberPasswordConfiguration => MemberPasswordConfiguration;
+        string ISecuritySettings.AuthCookieDomain => AuthCookieDomain;
     }
 }
diff --git a/src/Umbraco.Configuration/UmbracoSettings/UmbracoSettingsSection.cs b/src/Umbraco.Configuration/UmbracoSettings/UmbracoSettingsSection.cs
index 2b980d133c..4860d3138e 100644
--- a/src/Umbraco.Configuration/UmbracoSettings/UmbracoSettingsSection.cs
+++ b/src/Umbraco.Configuration/UmbracoSettings/UmbracoSettingsSection.cs
@@ -26,7 +26,5 @@ namespace Umbraco.Core.Configuration.UmbracoSettings
         internal KeepAliveElement KeepAlive => (KeepAliveElement)this["keepAlive"];
 
         IContentSection IUmbracoSettingsSection.Content => Content;
-
-        ISecuritySection IUmbracoSettingsSection.Security => Security;
     }
 }
diff --git a/src/Umbraco.Configuration/UmbracoSettings/UserPasswordConfigurationElement.cs b/src/Umbraco.Configuration/UmbracoSettings/UserPasswordConfigurationElement.cs
index 8128f3d8e7..a1d2aa8842 100644
--- a/src/Umbraco.Configuration/UmbracoSettings/UserPasswordConfigurationElement.cs
+++ b/src/Umbraco.Configuration/UmbracoSettings/UserPasswordConfigurationElement.cs
@@ -1,6 +1,6 @@
 namespace Umbraco.Core.Configuration.UmbracoSettings
 {
-    internal class UserPasswordConfigurationElement : PasswordConfigurationElement, IUserPasswordConfigurationSection
+    internal class UserPasswordConfigurationElement : PasswordConfigurationElement, IUserPasswordConfiguration
     {
     }
 }
diff --git a/src/Umbraco.Core/Configuration/ConfigsExtensions.cs b/src/Umbraco.Core/Configuration/ConfigsExtensions.cs
index b800b42454..6d4c8e1b91 100644
--- a/src/Umbraco.Core/Configuration/ConfigsExtensions.cs
+++ b/src/Umbraco.Core/Configuration/ConfigsExtensions.cs
@@ -28,6 +28,15 @@ namespace Umbraco.Core
         public static IUmbracoSettingsSection Settings(this Configs configs)
             => configs.GetConfig<IUmbracoSettingsSection>();
 
+        public static ISecuritySettings Security(this Configs configs)
+            => configs.GetConfig<ISecuritySettings>();
+
+
+        public static IUserPasswordConfiguration UserPasswordConfiguration(this Configs configs)
+            => configs.GetConfig<IUserPasswordConfiguration>();
+        public static IMemberPasswordConfiguration MemberPasswordConfiguration(this Configs configs)
+            => configs.GetConfig<IMemberPasswordConfiguration>();
+
         public static IRequestHandlerSettings RequestHandler(this Configs configs)
             => configs.GetConfig<IRequestHandlerSettings>();
 
@@ -43,24 +52,6 @@ namespace Umbraco.Core
         public static ICoreDebug CoreDebug(this Configs configs)
             => configs.GetConfig<ICoreDebug>();
 
-        public static IUserPasswordConfiguration UserPasswordConfiguration(this Configs configs)
-            => configs.GetConfig<IUserPasswordConfiguration>();
-
-        public static IMemberPasswordConfiguration MemberPasswordConfiguration(this Configs configs)
-            => configs.GetConfig<IMemberPasswordConfiguration>();
-
-        public static void AddPasswordConfigurations(this Configs configs)
-        {
-            configs.Add<IUserPasswordConfiguration>(() =>
-            {
-                return new UserPasswordConfiguration(configs.Settings().Security.UserPasswordConfiguration);
-            });
-            configs.Add<IMemberPasswordConfiguration>(() =>
-            {
-                return new MemberPasswordConfiguration(configs.Settings().Security.MemberPasswordConfiguration);
-            });
-        }
-
         public static void AddCoreConfigs(this Configs configs, IIOHelper ioHelper)
         {
             var configDir = new DirectoryInfo(ioHelper.MapPath(Constants.SystemDirectories.Config));
diff --git a/src/Umbraco.Core/Configuration/MemberPasswordConfiguration.cs b/src/Umbraco.Core/Configuration/MemberPasswordConfiguration.cs
index 58c907c31f..8e7cd97f35 100644
--- a/src/Umbraco.Core/Configuration/MemberPasswordConfiguration.cs
+++ b/src/Umbraco.Core/Configuration/MemberPasswordConfiguration.cs
@@ -7,9 +7,9 @@ namespace Umbraco.Core.Configuration
     /// </summary>
     public class MemberPasswordConfiguration : PasswordConfiguration, IMemberPasswordConfiguration
     {
-        public MemberPasswordConfiguration(IMemberPasswordConfigurationSection configSection)
-            : base(configSection)
-        {                
+        public MemberPasswordConfiguration(IMemberPasswordConfiguration configSettings)
+            : base(configSettings)
+        {
         }
     }
 }
diff --git a/src/Umbraco.Core/Configuration/PasswordConfiguration.cs b/src/Umbraco.Core/Configuration/PasswordConfiguration.cs
index 9edf1a462e..6827695b35 100644
--- a/src/Umbraco.Core/Configuration/PasswordConfiguration.cs
+++ b/src/Umbraco.Core/Configuration/PasswordConfiguration.cs
@@ -5,21 +5,21 @@ namespace Umbraco.Core.Configuration
 {
     public abstract class PasswordConfiguration : IPasswordConfiguration
     {
-        protected PasswordConfiguration(IPasswordConfigurationSection configSection)
+        protected PasswordConfiguration(IPasswordConfiguration configSettings)
         {
-            if (configSection == null)
+            if (configSettings == null)
             {
-                throw new ArgumentNullException(nameof(configSection));
+                throw new ArgumentNullException(nameof(configSettings));
             }
 
-            RequiredLength = configSection.RequiredLength;
-            RequireNonLetterOrDigit = configSection.RequireNonLetterOrDigit;
-            RequireDigit = configSection.RequireDigit;
-            RequireLowercase = configSection.RequireLowercase;
-            RequireUppercase = configSection.RequireUppercase;
-            UseLegacyEncoding = configSection.UseLegacyEncoding;
-            HashAlgorithmType = configSection.HashAlgorithmType;
-            MaxFailedAccessAttemptsBeforeLockout = configSection.MaxFailedAccessAttemptsBeforeLockout;
+            RequiredLength = configSettings.RequiredLength;
+            RequireNonLetterOrDigit = configSettings.RequireNonLetterOrDigit;
+            RequireDigit = configSettings.RequireDigit;
+            RequireLowercase = configSettings.RequireLowercase;
+            RequireUppercase = configSettings.RequireUppercase;
+            UseLegacyEncoding = configSettings.UseLegacyEncoding;
+            HashAlgorithmType = configSettings.HashAlgorithmType;
+            MaxFailedAccessAttemptsBeforeLockout = configSettings.MaxFailedAccessAttemptsBeforeLockout;
         }
 
         public int RequiredLength { get; }
diff --git a/src/Umbraco.Core/Configuration/UmbracoSettings/IMemberPasswordConfigurationSection.cs b/src/Umbraco.Core/Configuration/UmbracoSettings/IMemberPasswordConfigurationSection.cs
deleted file mode 100644
index cbbb933857..0000000000
--- a/src/Umbraco.Core/Configuration/UmbracoSettings/IMemberPasswordConfigurationSection.cs
+++ /dev/null
@@ -1,6 +0,0 @@
-namespace Umbraco.Core.Configuration.UmbracoSettings
-{
-    public interface IMemberPasswordConfigurationSection : IPasswordConfigurationSection
-    {
-    }
-}
diff --git a/src/Umbraco.Core/Configuration/UmbracoSettings/ISecuritySection.cs b/src/Umbraco.Core/Configuration/UmbracoSettings/ISecuritySettings.cs
similarity index 78%
rename from src/Umbraco.Core/Configuration/UmbracoSettings/ISecuritySection.cs
rename to src/Umbraco.Core/Configuration/UmbracoSettings/ISecuritySettings.cs
index a6ed188713..6ab520fefd 100644
--- a/src/Umbraco.Core/Configuration/UmbracoSettings/ISecuritySection.cs
+++ b/src/Umbraco.Core/Configuration/UmbracoSettings/ISecuritySettings.cs
@@ -1,9 +1,9 @@
 namespace Umbraco.Core.Configuration.UmbracoSettings
 {
-    public interface ISecuritySection : IUmbracoConfigurationSection
+    public interface ISecuritySettings : IUmbracoConfigurationSection
     {
         bool KeepUserLoggedIn { get; }
-        
+
         bool HideDisabledUsersInBackoffice { get; }
 
         /// <summary>
@@ -23,9 +23,5 @@
         /// When this is false, the username and email fields will be shown in the user section.
         /// </remarks>
         bool UsernameIsEmail { get; }
-
-        IUserPasswordConfigurationSection UserPasswordConfiguration { get; }
-
-        IMemberPasswordConfigurationSection MemberPasswordConfiguration { get; }
     }
 }
diff --git a/src/Umbraco.Core/Configuration/UmbracoSettings/IUmbracoSettingsSection.cs b/src/Umbraco.Core/Configuration/UmbracoSettings/IUmbracoSettingsSection.cs
index 69715f8e46..3db70e6d42 100644
--- a/src/Umbraco.Core/Configuration/UmbracoSettings/IUmbracoSettingsSection.cs
+++ b/src/Umbraco.Core/Configuration/UmbracoSettings/IUmbracoSettingsSection.cs
@@ -5,7 +5,5 @@ namespace Umbraco.Core.Configuration.UmbracoSettings
     public interface IUmbracoSettingsSection : IUmbracoConfigurationSection
     {
         IContentSection Content { get; }
-
-        ISecuritySection Security { get; }
     }
 }
diff --git a/src/Umbraco.Core/Configuration/UmbracoSettings/IUserPasswordConfigurationSection.cs b/src/Umbraco.Core/Configuration/UmbracoSettings/IUserPasswordConfigurationSection.cs
deleted file mode 100644
index d80dd2b7e5..0000000000
--- a/src/Umbraco.Core/Configuration/UmbracoSettings/IUserPasswordConfigurationSection.cs
+++ /dev/null
@@ -1,6 +0,0 @@
-namespace Umbraco.Core.Configuration.UmbracoSettings
-{
-    public interface IUserPasswordConfigurationSection : IPasswordConfigurationSection
-    {
-    }
-}
diff --git a/src/Umbraco.Core/Configuration/UserPasswordConfiguration.cs b/src/Umbraco.Core/Configuration/UserPasswordConfiguration.cs
index 4cfee5280b..07e6603cee 100644
--- a/src/Umbraco.Core/Configuration/UserPasswordConfiguration.cs
+++ b/src/Umbraco.Core/Configuration/UserPasswordConfiguration.cs
@@ -7,9 +7,9 @@ namespace Umbraco.Core.Configuration
     /// </summary>
     public class UserPasswordConfiguration : PasswordConfiguration, IUserPasswordConfiguration
     {
-        public UserPasswordConfiguration(IUserPasswordConfigurationSection configSection)
-            : base(configSection)
-        {                
+        public UserPasswordConfiguration(IUserPasswordConfiguration configSettings)
+            : base(configSettings)
+        {
         }
     }
 }
diff --git a/src/Umbraco.Infrastructure/Composing/CompositionExtensions/Configuration.cs b/src/Umbraco.Infrastructure/Composing/CompositionExtensions/Configuration.cs
index 48e43156ae..e1bc079432 100644
--- a/src/Umbraco.Infrastructure/Composing/CompositionExtensions/Configuration.cs
+++ b/src/Umbraco.Infrastructure/Composing/CompositionExtensions/Configuration.cs
@@ -15,7 +15,6 @@ namespace Umbraco.Core.Composing.CompositionExtensions
             // register others
 
             composition.RegisterUnique(factory => factory.GetInstance<IUmbracoSettingsSection>().Content);
-            composition.RegisterUnique(factory => factory.GetInstance<IUmbracoSettingsSection>().Security);
 
             return composition;
         }
diff --git a/src/Umbraco.Infrastructure/Models/ContentEditing/UserInvite.cs b/src/Umbraco.Infrastructure/Models/ContentEditing/UserInvite.cs
index f1c6cf6c04..06e4d0748c 100644
--- a/src/Umbraco.Infrastructure/Models/ContentEditing/UserInvite.cs
+++ b/src/Umbraco.Infrastructure/Models/ContentEditing/UserInvite.cs
@@ -33,7 +33,7 @@ namespace Umbraco.Web.Models.ContentEditing
             if (UserGroups.Any() == false)
                 yield return new ValidationResult("A user must be assigned to at least one group", new[] { nameof(UserGroups) });
 
-            if (Current.Configs.Settings().Security.UsernameIsEmail == false && Username.IsNullOrWhiteSpace())
+            if (Current.Configs.Security().UsernameIsEmail == false && Username.IsNullOrWhiteSpace())
                 yield return new ValidationResult("A username cannot be empty", new[] { nameof(Username) });
         }
     }
diff --git a/src/Umbraco.Tests/Configurations/UmbracoSettings/SecurityElementTests.cs b/src/Umbraco.Tests/Configurations/UmbracoSettings/SecurityElementTests.cs
index 9300c88a67..93f37a1e35 100644
--- a/src/Umbraco.Tests/Configurations/UmbracoSettings/SecurityElementTests.cs
+++ b/src/Umbraco.Tests/Configurations/UmbracoSettings/SecurityElementTests.cs
@@ -9,127 +9,127 @@ namespace Umbraco.Tests.Configurations.UmbracoSettings
         [Test]
         public void KeepUserLoggedIn()
         {
-            Assert.IsTrue(SettingsSection.Security.KeepUserLoggedIn == true);
+            Assert.IsTrue(SecuritySettings.KeepUserLoggedIn == true);
         }
 
         [Test]
         public void HideDisabledUsersInBackoffice()
         {
-            Assert.IsTrue(SettingsSection.Security.HideDisabledUsersInBackoffice == false);
+            Assert.IsTrue(SecuritySettings.HideDisabledUsersInBackoffice == false);
         }
 
         [Test]
         public void AllowPasswordReset()
         {
-            Assert.IsTrue(SettingsSection.Security.AllowPasswordReset == true);
+            Assert.IsTrue(SecuritySettings.AllowPasswordReset == true);
         }
 
         [Test]
         public void AuthCookieDomain()
         {
-            Assert.IsTrue(SettingsSection.Security.AuthCookieDomain == null);
+            Assert.IsTrue(SecuritySettings.AuthCookieDomain == null);
         }
 
         [Test]
         public void AuthCookieName()
         {
-            Assert.IsTrue(SettingsSection.Security.AuthCookieName == "UMB_UCONTEXT");
+            Assert.IsTrue(SecuritySettings.AuthCookieName == "UMB_UCONTEXT");
         }
 
         [Test]
         public void UserPasswordConfiguration_RequiredLength()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.RequiredLength == 12);
+            Assert.IsTrue(UserPasswordConfiguration.RequiredLength == 12);
         }
 
         [Test]
         public void UserPasswordConfiguration_RequireNonLetterOrDigit()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.RequireNonLetterOrDigit == false);
+            Assert.IsTrue(UserPasswordConfiguration.RequireNonLetterOrDigit == false);
         }
 
         [Test]
         public void UserPasswordConfiguration_RequireDigit()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.RequireDigit == false);
+            Assert.IsTrue(UserPasswordConfiguration.RequireDigit == false);
         }
 
         [Test]
         public void UserPasswordConfiguration_RequireLowercase()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.RequireLowercase == false);
+            Assert.IsTrue(UserPasswordConfiguration.RequireLowercase == false);
         }
 
         [Test]
         public void UserPasswordConfiguration_RequireUppercase()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.RequireUppercase == false);
+            Assert.IsTrue(UserPasswordConfiguration.RequireUppercase == false);
         }
 
         [Test]
         public void UserPasswordConfiguration_UseLegacyEncoding()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.UseLegacyEncoding == false);
+            Assert.IsTrue(UserPasswordConfiguration.UseLegacyEncoding == false);
         }
 
         [Test]
         public void UserPasswordConfiguration_HashAlgorithmType()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.HashAlgorithmType == "HMACSHA256");
+            Assert.IsTrue(UserPasswordConfiguration.HashAlgorithmType == "HMACSHA256");
         }
 
         [Test]
         public void UserPasswordConfiguration_MaxFailedAccessAttemptsBeforeLockout()
         {
-            Assert.IsTrue(SettingsSection.Security.UserPasswordConfiguration.MaxFailedAccessAttemptsBeforeLockout == 5);
+            Assert.IsTrue(UserPasswordConfiguration.MaxFailedAccessAttemptsBeforeLockout == 5);
         }
 
         [Test]
         public void MemberPasswordConfiguration_RequiredLength()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.RequiredLength == 12);
+            Assert.IsTrue(MemberPasswordConfiguration.RequiredLength == 12);
         }
 
         [Test]
         public void MemberPasswordConfiguration_RequireNonLetterOrDigit()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.RequireNonLetterOrDigit == false);
+            Assert.IsTrue(MemberPasswordConfiguration.RequireNonLetterOrDigit == false);
         }
 
         [Test]
         public void MemberPasswordConfiguration_RequireDigit()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.RequireDigit == false);
+            Assert.IsTrue(MemberPasswordConfiguration.RequireDigit == false);
         }
 
         [Test]
         public void MemberPasswordConfiguration_RequireLowercase()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.RequireLowercase == false);
+            Assert.IsTrue(MemberPasswordConfiguration.RequireLowercase == false);
         }
 
         [Test]
         public void MemberPasswordConfiguration_RequireUppercase()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.RequireUppercase == false);
+            Assert.IsTrue(MemberPasswordConfiguration.RequireUppercase == false);
         }
 
         [Test]
         public void MemberPasswordConfiguration_UseLegacyEncoding()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.UseLegacyEncoding == false);
+            Assert.IsTrue(MemberPasswordConfiguration.UseLegacyEncoding == false);
         }
 
         [Test]
         public void MemberPasswordConfiguration_HashAlgorithmType()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.HashAlgorithmType == "HMACSHA256");
+            Assert.IsTrue(MemberPasswordConfiguration.HashAlgorithmType == "HMACSHA256");
         }
 
         [Test]
         public void MemberPasswordConfiguration_MaxFailedAccessAttemptsBeforeLockout()
         {
-            Assert.IsTrue(SettingsSection.Security.MemberPasswordConfiguration.MaxFailedAccessAttemptsBeforeLockout == 5);
+            Assert.IsTrue(MemberPasswordConfiguration.MaxFailedAccessAttemptsBeforeLockout == 5);
         }
     }
 }
diff --git a/src/Umbraco.Tests/Configurations/UmbracoSettings/UmbracoSettingsTests.cs b/src/Umbraco.Tests/Configurations/UmbracoSettings/UmbracoSettingsTests.cs
index b19e4d522a..364c30eecc 100644
--- a/src/Umbraco.Tests/Configurations/UmbracoSettings/UmbracoSettingsTests.cs
+++ b/src/Umbraco.Tests/Configurations/UmbracoSettings/UmbracoSettingsTests.cs
@@ -2,6 +2,7 @@
 using System.Diagnostics;
 using System.IO;
 using NUnit.Framework;
+using Umbraco.Core.Configuration;
 using Umbraco.Core.Configuration.UmbracoSettings;
 using Umbraco.Tests.TestHelpers;
 
@@ -38,5 +39,8 @@ namespace Umbraco.Tests.Configurations.UmbracoSettings
         protected ILoggingSettings LoggingSettings => Settings.Logging;
         protected IWebRoutingSettings WebRoutingSettings => Settings.WebRouting;
         protected IRequestHandlerSettings RequestHandlerSettings => Settings.RequestHandler;
+        protected ISecuritySettings SecuritySettings => Settings.Security;
+        protected IUserPasswordConfiguration UserPasswordConfiguration => Settings.Security.UserPasswordConfiguration;
+        protected IMemberPasswordConfiguration MemberPasswordConfiguration => Settings.Security.MemberPasswordConfiguration;
     }
 }
diff --git a/src/Umbraco.Tests/TestHelpers/SettingsForTests.cs b/src/Umbraco.Tests/TestHelpers/SettingsForTests.cs
index f3d03e1ea4..e3c9657b34 100644
--- a/src/Umbraco.Tests/TestHelpers/SettingsForTests.cs
+++ b/src/Umbraco.Tests/TestHelpers/SettingsForTests.cs
@@ -45,18 +45,8 @@ namespace Umbraco.Tests.TestHelpers
             var settings = new Mock<IUmbracoSettingsSection>();
 
             var content = new Mock<IContentSection>();
-            var security = new Mock<ISecuritySection>();
-            var requestHandler = new Mock<IRequestHandlerSettings>();
-            var logging = new Mock<ILoggingSettings>();
-            var routing = new Mock<IWebRoutingSettings>();
-
-            var userPasswordConfig = new Mock<IUserPasswordConfigurationSection>();
-            var memberPasswordConfig = new Mock<IMemberPasswordConfigurationSection>();
-            security.Setup(x => x.UserPasswordConfiguration).Returns(userPasswordConfig.Object);
-            security.Setup(x => x.MemberPasswordConfiguration).Returns(memberPasswordConfig.Object);
 
             settings.Setup(x => x.Content).Returns(content.Object);
-            settings.Setup(x => x.Security).Returns(security.Object);
 
             //Now configure some defaults - the defaults in the config section classes do NOT pertain to the mocked data!!
             settings.Setup(x => x.Content.ImageAutoFillProperties).Returns(ContentImagingElement.GetDefaultImageAutoFillProperties());
@@ -185,5 +175,26 @@ namespace Umbraco.Tests.TestHelpers
 
             return mock.Object;
         }
+
+        public static ISecuritySettings GenerateMockSecuritySettings()
+        {
+            var security = new Mock<ISecuritySettings>();
+
+            return security.Object;
+        }
+
+        public static IUserPasswordConfiguration GenerateMockUserPasswordConfiguration()
+        {
+            var mock = new Mock<IUserPasswordConfiguration>();
+
+            return mock.Object;
+        }
+
+        public static IMemberPasswordConfiguration GenerateMockMemberPasswordConfiguration()
+        {
+            var mock = new Mock<IMemberPasswordConfiguration>();
+
+            return mock.Object;
+        }
     }
 }
diff --git a/src/Umbraco.Tests/Testing/UmbracoTestBase.cs b/src/Umbraco.Tests/Testing/UmbracoTestBase.cs
index 6b177c16cc..10449ac785 100644
--- a/src/Umbraco.Tests/Testing/UmbracoTestBase.cs
+++ b/src/Umbraco.Tests/Testing/UmbracoTestBase.cs
@@ -416,6 +416,9 @@ namespace Umbraco.Tests.Testing
             Composition.Configs.Add(SettingsForTests.GetDefaultHostingSettings);
             Composition.Configs.Add(SettingsForTests.GenerateMockRequestHandlerSettings);
             Composition.Configs.Add(SettingsForTests.GenerateMockWebRoutingSettings);
+            Composition.Configs.Add(SettingsForTests.GenerateMockSecuritySettings);
+            Composition.Configs.Add(SettingsForTests.GenerateMockUserPasswordConfiguration);
+            Composition.Configs.Add(SettingsForTests.GenerateMockMemberPasswordConfiguration);
 
             //Composition.Configs.Add<IUserPasswordConfiguration>(() => new DefaultUserPasswordConfig());
         }
diff --git a/src/Umbraco.Tests/Web/Controllers/AuthenticationControllerTests.cs b/src/Umbraco.Tests/Web/Controllers/AuthenticationControllerTests.cs
index 9ecedee056..0e757bbc6d 100644
--- a/src/Umbraco.Tests/Web/Controllers/AuthenticationControllerTests.cs
+++ b/src/Umbraco.Tests/Web/Controllers/AuthenticationControllerTests.cs
@@ -88,7 +88,7 @@ namespace Umbraco.Tests.Web.Controllers
                     Factory.GetInstance<IProfilingLogger>(),
                     Factory.GetInstance<IRuntimeState>(),
                     Factory.GetInstance<UmbracoMapper>(),
-                    Factory.GetInstance<IUmbracoSettingsSection>(),
+                    Factory.GetInstance<ISecuritySettings>(),
                     Factory.GetInstance<IIOHelper>(),
                     Factory.GetInstance<IPublishedUrlProvider>()
                     );
diff --git a/src/Umbraco.Tests/Web/Controllers/UsersControllerTests.cs b/src/Umbraco.Tests/Web/Controllers/UsersControllerTests.cs
index d914ef2c39..e23a4db1dc 100644
--- a/src/Umbraco.Tests/Web/Controllers/UsersControllerTests.cs
+++ b/src/Umbraco.Tests/Web/Controllers/UsersControllerTests.cs
@@ -92,7 +92,8 @@ namespace Umbraco.Tests.Web.Controllers
                     Factory.GetInstance<IUmbracoSettingsSection>(),
                     Factory.GetInstance<IIOHelper>(),
                     Factory.GetInstance<IImageUrlGenerator>(),
-                    Factory.GetInstance<IPublishedUrlProvider>()
+                    Factory.GetInstance<IPublishedUrlProvider>(),
+                    Factory.GetInstance<ISecuritySettings>()
 
                 );
                 return usersController;
@@ -164,7 +165,8 @@ namespace Umbraco.Tests.Web.Controllers
                     Factory.GetInstance<IUmbracoSettingsSection>(),
                     Factory.GetInstance<IIOHelper>(),
                     Factory.GetInstance<IImageUrlGenerator>(),
-                    Factory.GetInstance<IPublishedUrlProvider>()
+                    Factory.GetInstance<IPublishedUrlProvider>(),
+                    Factory.GetInstance<ISecuritySettings>()
                 );
                 return usersController;
             }
@@ -206,7 +208,8 @@ namespace Umbraco.Tests.Web.Controllers
                     Factory.GetInstance<IUmbracoSettingsSection>(),
                     Factory.GetInstance<IIOHelper>(),
                     Factory.GetInstance<IImageUrlGenerator>(),
-                    Factory.GetInstance<IPublishedUrlProvider>()
+                    Factory.GetInstance<IPublishedUrlProvider>(),
+                    Factory.GetInstance<ISecuritySettings>()
                 );
                 return usersController;
             }
@@ -283,7 +286,8 @@ namespace Umbraco.Tests.Web.Controllers
                     Factory.GetInstance<IUmbracoSettingsSection>(),
                     Factory.GetInstance<IIOHelper>(),
                     Factory.GetInstance<IImageUrlGenerator>(),
-                    Factory.GetInstance<IPublishedUrlProvider>()
+                    Factory.GetInstance<IPublishedUrlProvider>(),
+                    Factory.GetInstance<ISecuritySettings>()
                 );
                 return usersController;
             }
diff --git a/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml b/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
index e41185d74b..35654e7a41 100644
--- a/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
+++ b/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
@@ -48,7 +48,7 @@
             redirectUrl = Url.Action("AuthorizeUpgrade", "BackOffice")
         });
     }
-    @Html.BareMinimumServerVariablesScript(Url, externalLoginUrl, Model.Features, Model.GlobalSettings, Model.UmbracoVersion, Model.UmbracoSettingsSection, Model.IOHelper, Model.TreeCollection, Model.HttpContextAccessor, Model.HostingEnvironment, Model.RuntimeSettings)
+    @Html.BareMinimumServerVariablesScript(Url, externalLoginUrl, Model.Features, Model.GlobalSettings, Model.UmbracoVersion, Model.UmbracoSettingsSection, Model.IOHelper, Model.TreeCollection, Model.HttpContextAccessor, Model.HostingEnvironment, Model.RuntimeSettings, Model.SecuritySettings)
 
     <script type="text/javascript">
     document.angularReady = function (app) {
diff --git a/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml b/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml
index 59427b43c0..37827f9c5b 100644
--- a/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml
+++ b/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml
@@ -110,7 +110,7 @@
         on-login="hideLoginScreen()">
     </umb-login>
 
-    @Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewData.GetUmbracoPath() }), Model.Features, Model.GlobalSettings, Model.UmbracoVersion, Model.UmbracoSettingsSection, Model.IOHelper, Model.TreeCollection, Model.HttpContextAccessor, Model.HostingEnvironment, Model.RuntimeSettings)
+    @Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewData.GetUmbracoPath() }), Model.Features, Model.GlobalSettings, Model.UmbracoVersion, Model.UmbracoSettingsSection, Model.IOHelper, Model.TreeCollection, Model.HttpContextAccessor, Model.HostingEnvironment, Model.RuntimeSettings, Model.SecuritySettings)
 
     <script>
 
diff --git a/src/Umbraco.Web/Editors/AuthenticationController.cs b/src/Umbraco.Web/Editors/AuthenticationController.cs
index 0d206f8d8d..1788484981 100644
--- a/src/Umbraco.Web/Editors/AuthenticationController.cs
+++ b/src/Umbraco.Web/Editors/AuthenticationController.cs
@@ -45,7 +45,7 @@ namespace Umbraco.Web.Editors
         private BackOfficeSignInManager _signInManager;
         private readonly IUserPasswordConfiguration _passwordConfiguration;
         private readonly IRuntimeState _runtimeState;
-        private readonly IUmbracoSettingsSection _umbracoSettingsSection;
+        private readonly ISecuritySettings _securitySettings;
         private readonly IIOHelper _ioHelper;
 
         public AuthenticationController(
@@ -58,14 +58,14 @@ namespace Umbraco.Web.Editors
             IProfilingLogger logger,
             IRuntimeState runtimeState,
             UmbracoMapper umbracoMapper,
-            IUmbracoSettingsSection umbracoSettingsSection,
+            ISecuritySettings securitySettings,
             IIOHelper ioHelper,
             IPublishedUrlProvider publishedUrlProvider)
             : base(globalSettings, umbracoContextAccessor, sqlContext, services, appCaches, logger, runtimeState, umbracoMapper, publishedUrlProvider)
         {
             _passwordConfiguration = passwordConfiguration ?? throw new ArgumentNullException(nameof(passwordConfiguration));
             _runtimeState = runtimeState ?? throw new ArgumentNullException(nameof(runtimeState));
-            _umbracoSettingsSection = umbracoSettingsSection ?? throw new ArgumentNullException(nameof(umbracoSettingsSection));
+            _securitySettings = securitySettings ?? throw new ArgumentNullException(nameof(securitySettings));
             _ioHelper = ioHelper ?? throw new ArgumentNullException(nameof(ioHelper));
         }
 
@@ -310,7 +310,7 @@ namespace Umbraco.Web.Editors
         {
             // If this feature is switched off in configuration the UI will be amended to not make the request to reset password available.
             // So this is just a server-side secondary check.
-            if (_umbracoSettingsSection.Security.AllowPasswordReset == false)
+            if (_securitySettings.AllowPasswordReset == false)
             {
                 throw new HttpResponseException(HttpStatusCode.BadRequest);
             }
diff --git a/src/Umbraco.Web/Editors/BackOfficeController.cs b/src/Umbraco.Web/Editors/BackOfficeController.cs
index 4a8d441192..1a716298c9 100644
--- a/src/Umbraco.Web/Editors/BackOfficeController.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeController.cs
@@ -54,6 +54,7 @@ namespace Umbraco.Web.Editors
         private readonly IHostingEnvironment _hostingEnvironment;
         private readonly IHttpContextAccessor _httpContextAccessor;
         private readonly IRuntimeSettings _runtimeSettings;
+        private readonly ISecuritySettings _securitySettings;
 
         public BackOfficeController(
             IManifestParser manifestParser,
@@ -71,7 +72,8 @@ namespace Umbraco.Web.Editors
             TreeCollection treeCollection,
             IHostingEnvironment hostingEnvironment,
             IHttpContextAccessor httpContextAccessor,
-            IRuntimeSettings settings)
+            IRuntimeSettings settings,
+            ISecuritySettings securitySettings)
             : base(globalSettings, umbracoContextAccessor, services, appCaches, profilingLogger)
 
         {
@@ -86,6 +88,7 @@ namespace Umbraco.Web.Editors
             _hostingEnvironment = hostingEnvironment;
             _httpContextAccessor = httpContextAccessor;
             _runtimeSettings = settings;
+            _securitySettings = securitySettings;
         }
 
         protected BackOfficeSignInManager SignInManager => _signInManager ?? (_signInManager = OwinContext.GetBackOfficeSignInManager());
@@ -101,8 +104,8 @@ namespace Umbraco.Web.Editors
         public async Task<ActionResult> Default()
         {
             return await RenderDefaultOrProcessExternalLoginAsync(
-                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml", new BackOfficeModel(_features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection,_ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings)),
-                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml", new BackOfficeModel(_features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings)));
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml", new BackOfficeModel(_features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection,_ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings, _securitySettings)),
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml", new BackOfficeModel(_features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings, _securitySettings)));
         }
 
         [HttpGet]
@@ -185,7 +188,7 @@ namespace Umbraco.Web.Editors
         {
             return await RenderDefaultOrProcessExternalLoginAsync(
                 //The default view to render when there is no external login info or errors
-                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml", new BackOfficeModel(_features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings)),
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml", new BackOfficeModel(_features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings, _securitySettings)),
                 //The ActionResult to perform if external login is successful
                 () => Redirect("/"));
         }
@@ -292,7 +295,7 @@ namespace Umbraco.Web.Editors
         [MinifyJavaScriptResult(Order = 1)]
         public JavaScriptResult ServerVariables()
         {
-            var serverVars = new BackOfficeServerVariables(Url, _runtimeState, _features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings);
+            var serverVars = new BackOfficeServerVariables(Url, _runtimeState, _features, GlobalSettings, _umbracoVersion, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings, _securitySettings);
 
             //cache the result if debugging is disabled
             var result = _hostingEnvironment.IsDebugMode
diff --git a/src/Umbraco.Web/Editors/BackOfficeModel.cs b/src/Umbraco.Web/Editors/BackOfficeModel.cs
index f229f908d0..4ce3f111b4 100644
--- a/src/Umbraco.Web/Editors/BackOfficeModel.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeModel.cs
@@ -10,7 +10,10 @@ namespace Umbraco.Web.Editors
 
     public class BackOfficeModel
     {
-        public BackOfficeModel(UmbracoFeatures features, IGlobalSettings globalSettings, IUmbracoVersion umbracoVersion, IUmbracoSettingsSection umbracoSettingsSection, IIOHelper ioHelper, TreeCollection treeCollection, IHttpContextAccessor httpContextAccessor, IHostingEnvironment hostingEnvironment, IRuntimeSettings runtimeSettings)
+        public BackOfficeModel(UmbracoFeatures features, IGlobalSettings globalSettings, IUmbracoVersion umbracoVersion,
+            IUmbracoSettingsSection umbracoSettingsSection, IIOHelper ioHelper, TreeCollection treeCollection,
+            IHttpContextAccessor httpContextAccessor, IHostingEnvironment hostingEnvironment,
+            IRuntimeSettings runtimeSettings, ISecuritySettings securitySettings)
         {
             Features = features;
             GlobalSettings = globalSettings;
@@ -21,6 +24,7 @@ namespace Umbraco.Web.Editors
             HttpContextAccessor = httpContextAccessor;
             HostingEnvironment = hostingEnvironment;
             RuntimeSettings = runtimeSettings;
+            SecuritySettings = securitySettings;
         }
 
         public UmbracoFeatures Features { get; }
@@ -32,5 +36,6 @@ namespace Umbraco.Web.Editors
         public IHttpContextAccessor HttpContextAccessor { get; }
         public IHostingEnvironment HostingEnvironment { get; }
         public IRuntimeSettings RuntimeSettings { get; set; }
+        public ISecuritySettings SecuritySettings { get; set; }
     }
 }
diff --git a/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs b/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs
index e2ea9c3234..5dbfa62c65 100644
--- a/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs
+++ b/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs
@@ -14,8 +14,8 @@ namespace Umbraco.Web.Editors
         private readonly UmbracoFeatures _features;
         public IEnumerable<ILanguage> Languages { get; }
 
-        public BackOfficePreviewModel(UmbracoFeatures features, IGlobalSettings globalSettings, IUmbracoVersion umbracoVersion, IEnumerable<ILanguage> languages, IUmbracoSettingsSection umbracoSettingsSection, IIOHelper ioHelper, TreeCollection treeCollection, IHttpContextAccessor httpContextAccessor, IHostingEnvironment hostingEnvironment, IRuntimeSettings runtimeSettings)
-            : base(features, globalSettings, umbracoVersion, umbracoSettingsSection, ioHelper, treeCollection, httpContextAccessor, hostingEnvironment, runtimeSettings)
+        public BackOfficePreviewModel(UmbracoFeatures features, IGlobalSettings globalSettings, IUmbracoVersion umbracoVersion, IEnumerable<ILanguage> languages, IUmbracoSettingsSection umbracoSettingsSection, IIOHelper ioHelper, TreeCollection treeCollection, IHttpContextAccessor httpContextAccessor, IHostingEnvironment hostingEnvironment, IRuntimeSettings runtimeSettings, ISecuritySettings securitySettings)
+            : base(features, globalSettings, umbracoVersion, umbracoSettingsSection, ioHelper, treeCollection, httpContextAccessor, hostingEnvironment, runtimeSettings, securitySettings)
         {
             _features = features;
             Languages = languages;
diff --git a/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs b/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs
index 73264c6448..e12d1f3147 100644
--- a/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs
@@ -39,6 +39,7 @@ namespace Umbraco.Web.Editors
         private readonly IHttpContextAccessor _httpContextAccessor;
         private readonly IHostingEnvironment _hostingEnvironment;
         private readonly IRuntimeSettings _settings;
+        private readonly ISecuritySettings _securitySettings;
 
         internal BackOfficeServerVariables(
             UrlHelper urlHelper,
@@ -51,7 +52,8 @@ namespace Umbraco.Web.Editors
             TreeCollection treeCollection,
             IHttpContextAccessor httpContextAccessor,
             IHostingEnvironment hostingEnvironment,
-            IRuntimeSettings settings)
+            IRuntimeSettings settings,
+            ISecuritySettings securitySettings)
         {
             _urlHelper = urlHelper;
             _runtimeState = runtimeState;
@@ -64,6 +66,7 @@ namespace Umbraco.Web.Editors
             _httpContextAccessor = httpContextAccessor;
             _hostingEnvironment = hostingEnvironment;
             _settings = settings;
+            _securitySettings = securitySettings;
         }
 
         /// <summary>
@@ -360,10 +363,10 @@ namespace Umbraco.Web.Editors
                             "maxFileSize",
                             GetMaxRequestLength()
                         },
-                        {"keepUserLoggedIn", _umbracoSettingsSection.Security.KeepUserLoggedIn},
-                        {"usernameIsEmail", _umbracoSettingsSection.Security.UsernameIsEmail},
+                        {"keepUserLoggedIn", _securitySettings.KeepUserLoggedIn},
+                        {"usernameIsEmail", _securitySettings.UsernameIsEmail},
                         {"cssPath", _ioHelper.ResolveUrl(globalSettings.UmbracoCssPath).TrimEnd('/')},
-                        {"allowPasswordReset", _umbracoSettingsSection.Security.AllowPasswordReset},
+                        {"allowPasswordReset", _securitySettings.AllowPasswordReset},
                         {"loginBackgroundImage",  _umbracoSettingsSection.Content.LoginBackgroundImage},
                         {"showUserInvite", EmailSender.CanSendRequiredEmail(globalSettings)},
                         {"canSendRequiredEmail", EmailSender.CanSendRequiredEmail(globalSettings)},
diff --git a/src/Umbraco.Web/Editors/PreviewController.cs b/src/Umbraco.Web/Editors/PreviewController.cs
index 0ed31e3972..1faab27b77 100644
--- a/src/Umbraco.Web/Editors/PreviewController.cs
+++ b/src/Umbraco.Web/Editors/PreviewController.cs
@@ -37,6 +37,7 @@ namespace Umbraco.Web.Editors
         private readonly IHostingEnvironment _hostingEnvironment;
         private readonly ICookieManager _cookieManager;
         private IRuntimeSettings _runtimeSettings;
+        private readonly ISecuritySettings _securitySettings;
 
         public PreviewController(
             UmbracoFeatures features,
@@ -51,7 +52,8 @@ namespace Umbraco.Web.Editors
             IHttpContextAccessor httpContextAccessor,
             IHostingEnvironment hostingEnvironment,
             ICookieManager cookieManager,
-            IRuntimeSettings settings)
+            IRuntimeSettings settings,
+            ISecuritySettings securitySettings)
         {
             _features = features;
             _globalSettings = globalSettings;
@@ -66,6 +68,7 @@ namespace Umbraco.Web.Editors
             _hostingEnvironment = hostingEnvironment;
             _cookieManager = cookieManager;
             _runtimeSettings = settings;
+            _securitySettings = securitySettings;
         }
 
         [UmbracoAuthorize(redirectToUmbracoLogin: true)]
@@ -74,7 +77,7 @@ namespace Umbraco.Web.Editors
         {
             var availableLanguages = _localizationService.GetAllLanguages();
 
-            var model = new BackOfficePreviewModel(_features, _globalSettings, _umbracoVersion, availableLanguages, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings);
+            var model = new BackOfficePreviewModel(_features, _globalSettings, _umbracoVersion, availableLanguages, _umbracoSettingsSection, _ioHelper, _treeCollection, _httpContextAccessor, _hostingEnvironment, _runtimeSettings, _securitySettings);
 
             if (model.PreviewExtendedHeaderView.IsNullOrWhiteSpace() == false)
             {
diff --git a/src/Umbraco.Web/Editors/UsersController.cs b/src/Umbraco.Web/Editors/UsersController.cs
index 0aa63a1e16..d2e8514b3b 100644
--- a/src/Umbraco.Web/Editors/UsersController.cs
+++ b/src/Umbraco.Web/Editors/UsersController.cs
@@ -50,6 +50,7 @@ namespace Umbraco.Web.Editors
         private readonly IIOHelper _ioHelper;
         private readonly ISqlContext _sqlContext;
         private readonly IImageUrlGenerator _imageUrlGenerator;
+        private readonly ISecuritySettings _securitySettings;
 
         public UsersController(
             IGlobalSettings globalSettings,
@@ -65,7 +66,8 @@ namespace Umbraco.Web.Editors
             IUmbracoSettingsSection umbracoSettingsSection,
             IIOHelper ioHelper,
             IImageUrlGenerator imageUrlGenerator,
-            IPublishedUrlProvider publishedUrlProvider)
+            IPublishedUrlProvider publishedUrlProvider,
+            ISecuritySettings securitySettings)
             : base(globalSettings, umbracoContextAccessor, sqlContext, services, appCaches, logger, runtimeState, shortStringHelper, umbracoMapper, publishedUrlProvider)
         {
             _mediaFileSystem = mediaFileSystem;
@@ -73,6 +75,7 @@ namespace Umbraco.Web.Editors
             _ioHelper = ioHelper;
             _sqlContext = sqlContext;
             _imageUrlGenerator = imageUrlGenerator;
+            _securitySettings = securitySettings;
         }
 
         /// <summary>
@@ -230,7 +233,7 @@ namespace Umbraco.Web.Editors
             // so to do that here, we'll need to check if this current user is an admin and if not we should exclude all user who are
             // also admins
 
-            var hideDisabledUsers = _umbracoSettingsSection.Security.HideDisabledUsersInBackoffice;
+            var hideDisabledUsers = _securitySettings.HideDisabledUsersInBackoffice;
             var excludeUserGroups = new string[0];
             var isAdmin = Security.CurrentUser.IsAdmin();
             if (isAdmin == false)
@@ -288,7 +291,7 @@ namespace Umbraco.Web.Editors
                 throw new HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState));
             }
 
-            if (_umbracoSettingsSection.Security.UsernameIsEmail)
+            if (_securitySettings.UsernameIsEmail)
             {
                 //ensure they are the same if we're using it
                 userSave.Username = userSave.Email;
@@ -380,7 +383,7 @@ namespace Umbraco.Web.Editors
             }
 
             IUser user;
-            if (_umbracoSettingsSection.Security.UsernameIsEmail)
+            if (_securitySettings.UsernameIsEmail)
             {
                 //ensure it's the same
                 userSave.Username = userSave.Email;
@@ -454,7 +457,7 @@ namespace Umbraco.Web.Editors
             if (user != null && (extraCheck == null || extraCheck(user)))
             {
                 ModelState.AddModelError(
-                    _umbracoSettingsSection.Security.UsernameIsEmail ? "Email" : "Username",
+                    _securitySettings.UsernameIsEmail ? "Email" : "Username",
                     "A user with the username already exists");
                 throw new HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState));
             }
@@ -574,7 +577,7 @@ namespace Umbraco.Web.Editors
 
             // if the found user has their email for username, we want to keep this synced when changing the email.
             // we have already cross-checked above that the email isn't colliding with anything, so we can safely assign it here.
-            if (_umbracoSettingsSection.Security.UsernameIsEmail && found.Username == found.Email && userSave.Username != userSave.Email)
+            if (_securitySettings.UsernameIsEmail && found.Username == found.Email && userSave.Username != userSave.Email)
             {
                 userSave.Username = userSave.Email;
             }
diff --git a/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs b/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
index 14cc205fef..49b77027da 100644
--- a/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
+++ b/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
@@ -40,9 +40,9 @@ namespace Umbraco.Web
         /// These are the bare minimal server variables that are required for the application to start without being authenticated,
         /// we will load the rest of the server vars after the user is authenticated.
         /// </remarks>
-        public static IHtmlString BareMinimumServerVariablesScript(this HtmlHelper html, UrlHelper uri, string externalLoginsUrl, UmbracoFeatures features, IGlobalSettings globalSettings, IUmbracoVersion umbracoVersion, IUmbracoSettingsSection umbracoSettingsSection, IIOHelper ioHelper, TreeCollection treeCollection, IHttpContextAccessor httpContextAccessor, IHostingEnvironment hostingEnvironment, IRuntimeSettings settings)
+        public static IHtmlString BareMinimumServerVariablesScript(this HtmlHelper html, UrlHelper uri, string externalLoginsUrl, UmbracoFeatures features, IGlobalSettings globalSettings, IUmbracoVersion umbracoVersion, IUmbracoSettingsSection umbracoSettingsSection, IIOHelper ioHelper, TreeCollection treeCollection, IHttpContextAccessor httpContextAccessor, IHostingEnvironment hostingEnvironment, IRuntimeSettings settings, ISecuritySettings securitySettings)
         {
-            var serverVars = new BackOfficeServerVariables(uri, Current.RuntimeState, features, globalSettings, umbracoVersion, umbracoSettingsSection, ioHelper, treeCollection, httpContextAccessor, hostingEnvironment, settings);
+            var serverVars = new BackOfficeServerVariables(uri, Current.RuntimeState, features, globalSettings, umbracoVersion, umbracoSettingsSection, ioHelper, treeCollection, httpContextAccessor, hostingEnvironment, settings, securitySettings);
             var minVars = serverVars.BareMinimumServerVariables();
 
             var str = @"<script type=""text/javascript"">
diff --git a/src/Umbraco.Web/Install/InstallSteps/NewInstallStep.cs b/src/Umbraco.Web/Install/InstallSteps/NewInstallStep.cs
index e47a8f4b5f..f5a2ca8ac8 100644
--- a/src/Umbraco.Web/Install/InstallSteps/NewInstallStep.cs
+++ b/src/Umbraco.Web/Install/InstallSteps/NewInstallStep.cs
@@ -32,18 +32,18 @@ namespace Umbraco.Web.Install.InstallSteps
         private static HttpClient _httpClient;
         private readonly IGlobalSettings _globalSettings;
         private readonly IUserPasswordConfiguration _passwordConfiguration;
-        private readonly IUmbracoSettingsSection _umbracoSettingsSection;
+        private readonly ISecuritySettings _securitySettings;
         private readonly IConnectionStrings _connectionStrings;
         private readonly ICookieManager _cookieManager;
 
-        public NewInstallStep(IHttpContextAccessor httpContextAccessor, IUserService userService, DatabaseBuilder databaseBuilder, IGlobalSettings globalSettings, IUserPasswordConfiguration passwordConfiguration, IUmbracoSettingsSection umbracoSettingsSection, IConnectionStrings connectionStrings, ICookieManager cookieManager)
+        public NewInstallStep(IHttpContextAccessor httpContextAccessor, IUserService userService, DatabaseBuilder databaseBuilder, IGlobalSettings globalSettings, IUserPasswordConfiguration passwordConfiguration, ISecuritySettings securitySettings, IConnectionStrings connectionStrings, ICookieManager cookieManager)
         {
             _httpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
             _userService = userService ?? throw new ArgumentNullException(nameof(userService));
             _databaseBuilder = databaseBuilder ?? throw new ArgumentNullException(nameof(databaseBuilder));
             _globalSettings = globalSettings ?? throw new ArgumentNullException(nameof(globalSettings));
             _passwordConfiguration = passwordConfiguration ?? throw new ArgumentNullException(nameof(passwordConfiguration));
-            _umbracoSettingsSection = umbracoSettingsSection ?? throw new ArgumentNullException(nameof(umbracoSettingsSection));
+            _securitySettings = securitySettings ?? throw new ArgumentNullException(nameof(securitySettings));
             _connectionStrings = connectionStrings ?? throw new ArgumentNullException(nameof(connectionStrings));
             _cookieManager = cookieManager;
         }
@@ -136,7 +136,7 @@ namespace Umbraco.Web.Install.InstallSteps
 
             // In this one case when it's a brand new install and nothing has been configured, make sure the
             // back office cookie is cleared so there's no old cookies lying around causing problems
-            _cookieManager.ExpireCookie(_umbracoSettingsSection.Security.AuthCookieName);
+            _cookieManager.ExpireCookie(_securitySettings.AuthCookieName);
 
                 return true;
         }
diff --git a/src/Umbraco.Web/Security/AppBuilderExtensions.cs b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
index 041b56f1c8..220336a2ad 100644
--- a/src/Umbraco.Web/Security/AppBuilderExtensions.cs
+++ b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
@@ -142,7 +142,7 @@ namespace Umbraco.Web.Security
         /// <param name="runtimeState"></param>
         /// <param name="userService"></param>
         /// <param name="globalSettings"></param>
-        /// <param name="securitySection"></param>
+        /// <param name="securitySettings"></param>
         /// <returns></returns>
         /// <remarks>
         /// By default this will be configured to execute on PipelineStage.Authenticate
@@ -152,12 +152,12 @@ namespace Umbraco.Web.Security
             IRuntimeState runtimeState,
             IUserService userService,
             IGlobalSettings globalSettings,
-            ISecuritySection securitySection,
+            ISecuritySettings securitySettings,
             IIOHelper ioHelper,
             IRequestCache requestCache,
             IUmbracoSettingsSection umbracoSettingsSection)
         {
-            return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, userService, globalSettings, securitySection, ioHelper, requestCache, PipelineStage.Authenticate, umbracoSettingsSection);
+            return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, userService, globalSettings, securitySettings, ioHelper, requestCache, PipelineStage.Authenticate);
         }
 
         /// <summary>
@@ -168,7 +168,7 @@ namespace Umbraco.Web.Security
         /// <param name="runtimeState"></param>
         /// <param name="userService"></param>
         /// <param name="globalSettings"></param>
-        /// <param name="securitySection"></param>
+        /// <param name="securitySettings"></param>
         /// <param name="ioHelper"></param>
         /// <param name="stage">
         /// Configurable pipeline stage
@@ -179,16 +179,15 @@ namespace Umbraco.Web.Security
             IRuntimeState runtimeState,
             IUserService userService,
             IGlobalSettings globalSettings,
-            ISecuritySection securitySection,
+            ISecuritySettings securitySettings,
             IIOHelper ioHelper,
             IRequestCache requestCache,
-            PipelineStage stage,
-            IUmbracoSettingsSection umbracoSettingsSection)
+            PipelineStage stage)
         {
             //Create the default options and provider
-            var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySection, ioHelper, requestCache);
+            var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySettings, ioHelper, requestCache);
 
-            authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings, ioHelper, umbracoSettingsSection)
+            authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings, ioHelper, securitySettings)
             {
                 // Enables the application to validate the security stamp when the user
                 // logs in. This is a security feature which is used when you
@@ -201,7 +200,7 @@ namespace Umbraco.Web.Security
 
             };
 
-            return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySection, ioHelper, requestCache, authOptions, stage);
+            return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, ioHelper, requestCache, authOptions, stage);
         }
 
         /// <summary>
@@ -211,7 +210,7 @@ namespace Umbraco.Web.Security
         /// <param name="umbracoContextAccessor"></param>
         /// <param name="runtimeState"></param>
         /// <param name="globalSettings"></param>
-        /// <param name="securitySection"></param>
+        /// <param name="securitySettings"></param>
         /// <param name="ioHelper"></param>
         /// <param name="cookieOptions">Custom auth cookie options can be specified to have more control over the cookie authentication logic</param>
         /// <param name="stage">
@@ -219,7 +218,7 @@ namespace Umbraco.Web.Security
         /// </param>
         /// <returns></returns>
         public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings,
-            ISecuritySection securitySection, IIOHelper ioHelper, IRequestCache requestCache, CookieAuthenticationOptions cookieOptions, PipelineStage stage)
+            ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache, CookieAuthenticationOptions cookieOptions, PipelineStage stage)
         {
             if (app == null) throw new ArgumentNullException(nameof(app));
             if (runtimeState == null) throw new ArgumentNullException(nameof(runtimeState));
@@ -235,7 +234,7 @@ namespace Umbraco.Web.Security
             if (runtimeState.Level != RuntimeLevel.Upgrade && runtimeState.Level != RuntimeLevel.Run) return app;
 
             var cookieAuthOptions = app.CreateUmbracoCookieAuthOptions(
-                umbracoContextAccessor, globalSettings, runtimeState, securitySection,
+                umbracoContextAccessor, globalSettings, runtimeState, securitySettings,
                 //This defines the explicit path read cookies from for this middleware
                 ioHelper, requestCache, new[] {$"{globalSettings.Path}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds"});
             cookieAuthOptions.Provider = cookieOptions.Provider;
@@ -244,7 +243,7 @@ namespace Umbraco.Web.Security
             app.Use<GetUserSecondsMiddleWare>(
                 cookieAuthOptions,
                 Current.Configs.Global(),
-                Current.Configs.Settings().Security,
+                Current.Configs.Security(),
                 app.CreateLogger<GetUserSecondsMiddleWare>());
 
             //This is required so that we can read the auth ticket format outside of this pipeline
@@ -350,7 +349,7 @@ namespace Umbraco.Web.Security
                 CookiePath = "/",
                 CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest,
                 CookieHttpOnly = true,
-                CookieDomain = Current.Configs.Settings().Security.AuthCookieDomain
+                CookieDomain = Current.Configs.Security().AuthCookieDomain
             }, stage);
 
             return app;
@@ -373,7 +372,7 @@ namespace Umbraco.Web.Security
         /// <remarks>
         /// By default this will be configured to execute on PipelineStage.PostAuthenticate
         /// </remarks>
-        public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySettings, IIOHelper ioHelper, IRequestCache requestCache)
+        public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache)
         {
             return app.UseUmbracoPreviewAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, ioHelper, requestCache, PipelineStage.PostAuthenticate);
         }
@@ -393,7 +392,7 @@ namespace Umbraco.Web.Security
         /// This ensures that during a preview request that the back office use is also Authenticated and that the back office Identity
         /// is added as a secondary identity to the current IPrincipal so it can be used to Authorize the previewed document.
         /// </remarks>
-        public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySettings, IIOHelper ioHelper, IRequestCache requestCache, PipelineStage stage)
+        public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache, PipelineStage stage)
         {
             if (runtimeState.Level != RuntimeLevel.Run) return app;
 
@@ -428,7 +427,7 @@ namespace Umbraco.Web.Security
         /// <returns></returns>
         public static UmbracoBackOfficeCookieAuthOptions CreateUmbracoCookieAuthOptions(this IAppBuilder app,
             IUmbracoContextAccessor umbracoContextAccessor,
-            IGlobalSettings globalSettings, IRuntimeState runtimeState, ISecuritySection securitySettings, IIOHelper ioHelper, IRequestCache requestCache, string[] explicitPaths = null)
+            IGlobalSettings globalSettings, IRuntimeState runtimeState, ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache, string[] explicitPaths = null)
         {
             //this is how aspnet wires up the default AuthenticationTicket protector so we'll use the same code
             var ticketDataFormat = new TicketDataFormat(
diff --git a/src/Umbraco.Web/Security/AuthenticationExtensions.cs b/src/Umbraco.Web/Security/AuthenticationExtensions.cs
index 1fd8e45c55..ef3140bf6b 100644
--- a/src/Umbraco.Web/Security/AuthenticationExtensions.cs
+++ b/src/Umbraco.Web/Security/AuthenticationExtensions.cs
@@ -144,7 +144,7 @@ namespace Umbraco.Web.Security
         public static void UmbracoLogout(this HttpContextBase http)
         {
             if (http == null) throw new ArgumentNullException("http");
-            Logout(http, Current.Configs.Settings().Security.AuthCookieName);
+            Logout(http, Current.Configs.Security().AuthCookieName);
         }
 
         /// <summary>
@@ -202,7 +202,7 @@ namespace Umbraco.Web.Security
         public static AuthenticationTicket GetUmbracoAuthTicket(this HttpContextBase http)
         {
             if (http == null) throw new ArgumentNullException(nameof(http));
-            return GetAuthTicket(http, Current.Configs.Settings().Security.AuthCookieName);
+            return GetAuthTicket(http, Current.Configs.Security().AuthCookieName);
         }
 
         internal static AuthenticationTicket GetUmbracoAuthTicket(this HttpContext http)
@@ -214,7 +214,7 @@ namespace Umbraco.Web.Security
         public static AuthenticationTicket GetUmbracoAuthTicket(this IOwinContext ctx)
         {
             if (ctx == null) throw new ArgumentNullException(nameof(ctx));
-            return GetAuthTicket(ctx, Current.Configs.Settings().Security.AuthCookieName);
+            return GetAuthTicket(ctx, Current.Configs.Security().AuthCookieName);
         }
 
         /// <summary>
diff --git a/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs b/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs
index c0390da40a..59b20bdd75 100644
--- a/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs
+++ b/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs
@@ -20,15 +20,15 @@ namespace Umbraco.Web.Security
         private readonly IRuntimeState _runtimeState;
         private readonly IGlobalSettings _globalSettings;
         private readonly IIOHelper _ioHelper;
-        private readonly IUmbracoSettingsSection _umbracoSettingsSection;
+        private readonly ISecuritySettings _securitySettings;
 
-        public BackOfficeCookieAuthenticationProvider(IUserService userService, IRuntimeState runtimeState, IGlobalSettings globalSettings, IIOHelper ioHelper, IUmbracoSettingsSection umbracoSettingsSection)
+        public BackOfficeCookieAuthenticationProvider(IUserService userService, IRuntimeState runtimeState, IGlobalSettings globalSettings, IIOHelper ioHelper, ISecuritySettings securitySettings)
         {
             _userService = userService;
             _runtimeState = runtimeState;
             _globalSettings = globalSettings;
             _ioHelper = ioHelper;
-            _umbracoSettingsSection = umbracoSettingsSection;
+            _securitySettings = securitySettings;
         }
 
         public override void ResponseSignIn(CookieResponseSignInContext context)
@@ -72,7 +72,7 @@ namespace Umbraco.Web.Security
                 Expires = DateTime.Now.AddYears(-1),
                 Path = "/"
             });
-            context.Response.Cookies.Append(_umbracoSettingsSection.Security.AuthCookieName, "", new CookieOptions
+            context.Response.Cookies.Append(_securitySettings.AuthCookieName, "", new CookieOptions
             {
                 Expires = DateTime.Now.AddYears(-1),
                 Path = "/"
diff --git a/src/Umbraco.Web/Security/GetUserSecondsMiddleWare.cs b/src/Umbraco.Web/Security/GetUserSecondsMiddleWare.cs
index 8da8ad23f8..7c1c4c558c 100644
--- a/src/Umbraco.Web/Security/GetUserSecondsMiddleWare.cs
+++ b/src/Umbraco.Web/Security/GetUserSecondsMiddleWare.cs
@@ -24,14 +24,14 @@ namespace Umbraco.Web.Security
     {
         private readonly UmbracoBackOfficeCookieAuthOptions _authOptions;
         private readonly IGlobalSettings _globalSettings;
-        private readonly ISecuritySection _security;
+        private readonly ISecuritySettings _security;
         private readonly ILogger _logger;
 
         public GetUserSecondsMiddleWare(
             OwinMiddleware next,
             UmbracoBackOfficeCookieAuthOptions authOptions,
             IGlobalSettings globalSettings,
-            ISecuritySection security,
+            ISecuritySettings security,
             ILogger logger)
             : base(next)
         {
diff --git a/src/Umbraco.Web/Security/UmbracoBackOfficeCookieAuthOptions.cs b/src/Umbraco.Web/Security/UmbracoBackOfficeCookieAuthOptions.cs
index d8c4ca791d..836c0bb53a 100644
--- a/src/Umbraco.Web/Security/UmbracoBackOfficeCookieAuthOptions.cs
+++ b/src/Umbraco.Web/Security/UmbracoBackOfficeCookieAuthOptions.cs
@@ -20,7 +20,7 @@ namespace Umbraco.Web.Security
         public UmbracoBackOfficeCookieAuthOptions(
             string[] explicitPaths,
             IUmbracoContextAccessor umbracoContextAccessor,
-            ISecuritySection securitySection,
+            ISecuritySettings securitySettings,
             IGlobalSettings globalSettings,
             IRuntimeState runtimeState,
             ISecureDataFormat<AuthenticationTicket> secureDataFormat,
@@ -33,8 +33,8 @@ namespace Umbraco.Web.Security
 
             SlidingExpiration = true;
             ExpireTimeSpan = TimeSpan.FromMinutes(LoginTimeoutMinutes);
-            CookieDomain = securitySection.AuthCookieDomain;
-            CookieName = securitySection.AuthCookieName;
+            CookieDomain = securitySettings.AuthCookieDomain;
+            CookieName = securitySettings.AuthCookieName;
             CookieHttpOnly = true;
             CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
             CookiePath = "/";
diff --git a/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs b/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
index a30f77b217..f7a784875e 100644
--- a/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
+++ b/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
@@ -29,6 +29,7 @@ namespace Umbraco.Web
         protected IUmbracoContextAccessor UmbracoContextAccessor => Current.UmbracoContextAccessor;
         protected IGlobalSettings GlobalSettings => Current.Configs.Global();
         protected IUmbracoSettingsSection UmbracoSettings => Current.Configs.Settings();
+        protected ISecuritySettings SecuritySettings => Current.Configs.Security();
         protected IUserPasswordConfiguration UserPasswordConfig => Current.Configs.UserPasswordConfiguration();
         protected IRuntimeState RuntimeState => Current.RuntimeState;
         protected ServiceContext Services => Current.Services;
@@ -104,9 +105,9 @@ namespace Umbraco.Web
             // Ensure owin is configured for Umbraco back office authentication.
             // Front-end OWIN cookie configuration must be declared after this code.
             app
-                .UseUmbracoBackOfficeCookieAuthentication(UmbracoContextAccessor, RuntimeState, Services.UserService, GlobalSettings, UmbracoSettings.Security, IOHelper, RequestCache, PipelineStage.Authenticate, UmbracoSettings)
+                .UseUmbracoBackOfficeCookieAuthentication(UmbracoContextAccessor, RuntimeState, Services.UserService, GlobalSettings, SecuritySettings, IOHelper, RequestCache, PipelineStage.Authenticate)
                 .UseUmbracoBackOfficeExternalCookieAuthentication(UmbracoContextAccessor, RuntimeState, GlobalSettings, IOHelper, RequestCache, PipelineStage.Authenticate)
-                .UseUmbracoPreviewAuthentication(UmbracoContextAccessor, RuntimeState, GlobalSettings, UmbracoSettings.Security, IOHelper, RequestCache, PipelineStage.Authorize);
+                .UseUmbracoPreviewAuthentication(UmbracoContextAccessor, RuntimeState, GlobalSettings, SecuritySettings, IOHelper, RequestCache, PipelineStage.Authorize);
         }
 
         public static event EventHandler<OwinMiddlewareConfiguredEventArgs> MiddlewareConfigured;