When to use it
- Daily staff sign-in on the desktop app or mobile PWA.
- Sign in with a one-time authenticator code when MFA is enabled.
- Set up MFA (scan a QR code, save backup codes) from Settings.
- Sign in via your company identity provider when the tenant admin has configured SSO.
- Review and revoke your own active sessions, and view login history.
Password sign-in
Sign in with your email and password; passwords are stored only as bcrypt hashes. A successful sign-in issues RSA-signed tokens that carry your tenant, role, and permissions: an access token with an 8-hour lifetime, and a refresh token (7 days) that is rotated, i.e. replaced by a new one, each time it is used. SSO-only accounts have no password and can't use the password path.
Multi-factor authentication (TOTP)
Enable MFA from Settings: scan the QR code into an authenticator app and save the one-time backup codes it shows you. At each login you then enter the current 6-digit code from the app (or one of your backup codes, each of which works once). If your tenant requires MFA and you haven't set it up yet, you're routed to setup on your next sign-in. You can't disable your own MFA; if you lose both your authenticator and your backup codes, an admin resets it for you.
Sessions
View your active sessions, revoke any of them, and review your login history; every sign-in attempt, successful or not, is logged with its IP address, device, and outcome.
Single sign-on (SSO)
A tenant admin can configure Microsoft 365 / Entra, Google Workspace, or a generic OpenID Connect (OIDC) provider; sign-in uses the OAuth 2.0 authorization-code flow with PKCE. Optionally, SSO can auto-provision a user who has no account yet, creating one with a default role on first sign-in.
Good to know
- The sign-in failure response is identical whether or not the email exists, and every attempt is logged, so the sign-in form can't be used to enumerate accounts.
- Access is enforced by role permissions throughout the app (see Roles & permissions).
