
Authentication Security

User Authentication

Password Requirements

  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers
  • Hashed with Argon2id

JWT Tokens

  • Access tokens: 15 minutes
  • Refresh tokens: 7 days
  • Stored in HttpOnly cookies
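The token lifetimes and cookie settings above, worked through in code. This is an added example, not the project's own code: it signs tokens with HS256 (the page does not name the algorithm), uses a constructed signing key and subject, and shows the `Set-Cookie` line that keeps the token out of reach of page scripts.

```python
"""Added example (not the project's code): HS256 JWTs with the page's lifetimes,
verified against a pinned algorithm, plus the Set-Cookie value for HttpOnly storage.
The signing key, subject names and the choice of HS256 are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ACCESS_TTL = 15 * 60          # access tokens: 15 minutes
REFRESH_TTL = 7 * 24 * 3600   # refresh tokens: 7 days
SIGNING_KEY = b"constructed-sample-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, kind: str, now: Optional[int] = None) -> str:
    """Sign a token of kind 'access' or 'refresh' for subject `sub`."""
    now = int(time.time()) if now is None else now
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "typ": kind, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_kind: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature, token type and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:          # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # An access token must not be accepted where a refresh token is expected, and vice versa.
    if claims.get("typ") != expected_kind or claims.get("exp", 0) <= now:
        return None
    return claims


def cookie_header(name: str, token: str, max_age: int) -> str:
    """Set-Cookie value: HttpOnly blocks script access, Secure forces TLS,
    SameSite=Strict keeps the cookie off cross-site requests."""
    return (f"{name}={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")
```

The `now` parameter exists so expiry can be tested deterministically; in a server the default wall clock applies. Note that `Max-Age` on the cookie and `exp` in the token should agree, otherwise a browser may keep presenting a token the server already rejects.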

Session Management

  • Token revocation on logout
  • Automatic refresh
  • Concurrent session limit
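An in-memory registry that gives the three behaviours just listed: revocation on logout, rotation on refresh and a cap on concurrent sessions per user. This is an added example, not the project's own store; the cap of 3, the id format and the rule that a replayed refresh id ends its session are assumptions, since the page names the features but not their values.

```python
"""Added example (not the project's code): session registry with revoke-on-logout,
refresh-token rotation and a per-user concurrent-session limit.
MAX_SESSIONS_PER_USER and the replay policy are constructed assumptions."""
import secrets
from collections import OrderedDict, defaultdict
from typing import Dict, List, Optional, Tuple

MAX_SESSIONS_PER_USER = 3   # constructed value; the page gives no number


class SessionStore:
    def __init__(self) -> None:
        # user -> ordered {session_id: current refresh id}, oldest session first
        self._by_user = defaultdict(OrderedDict)
        # live refresh id -> (user, session_id)
        self._live: Dict[str, Tuple[str, str]] = {}
        # revoked refresh id -> (user, session_id); kept so replay can be recognised
        self._revoked: Dict[str, Tuple[str, str]] = {}

    def login(self, user: str) -> Tuple[str, str]:
        """Open a session; at the limit the oldest session is evicted first."""
        sessions = self._by_user[user]
        while len(sessions) >= MAX_SESSIONS_PER_USER:
            oldest = next(iter(sessions))
            self.logout(user, oldest)
        sid, rid = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        sessions[sid] = rid
        self._live[rid] = (user, sid)
        return sid, rid

    def logout(self, user: str, sid: str) -> bool:
        """Revoke the session's refresh token so it can mint no further access tokens."""
        rid = self._by_user[user].pop(sid, None)
        if rid is None:
            return False
        self._revoke(rid)
        return True

    def refresh(self, rid: str) -> Optional[str]:
        """Rotate the refresh token. A revoked id presented again means it was
        copied or replayed, so the session it belonged to is ended."""
        if rid in self._revoked:
            user, sid = self._revoked[rid]
            self.logout(user, sid)
            return None
        owner = self._live.get(rid)
        if owner is None:
            return None
        user, sid = owner
        self._revoke(rid)
        new_rid = secrets.token_urlsafe(16)
        self._by_user[user][sid] = new_rid   # same key keeps its position
        self._live[new_rid] = (user, sid)
        return new_rid

    def active_sessions(self, user: str) -> List[str]:
        """What a 'review active sessions' screen would list, oldest first."""
        return list(self._by_user[user])

    def _revoke(self, rid: str) -> None:
        owner = self._live.pop(rid, None)
        if owner is not None:
            self._revoked[rid] = owner
```

Because access tokens are short-lived (15 minutes above), revoking the refresh token is what actually ends a session; an access token issued just before logout stays valid until it expires unless a separate denylist is consulted on every request.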

Multi-Factor Authentication

TOTP (Time-Based One-Time Password)

  1. User initiates setup
  2. Server generates secret
  3. QR code displayed
  4. User scans with authenticator app
  5. Verify with test code
  6. Backup codes provided
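Steps 2 through 6 of that enrolment flow, worked through in code. This is an added example rather than the project's implementation: it follows RFC 6238 (HMAC-SHA1, 6 digits, 30-second step) and RFC 4226 for the secret size, builds the `otpauth://` URI that the QR code in step 3 encodes, verifies a code with one step of clock tolerance while refusing replayed counters, and issues backup codes whose hashes alone are kept. The issuer name, code counts and the ±1 step window are assumptions.

```python
"""Added example (not the project's code): TOTP enrolment and verification per
RFC 6238, plus one-time backup codes. Issuer, window and code count are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set, Tuple
from urllib.parse import quote

STEP = 30      # seconds per counter value
DIGITS = 6
WINDOW = 1     # accept one step of clock skew either side (assumption)


def generate_secret() -> bytes:
    """Step 2: 160-bit shared secret, the size RFC 4226 recommends."""
    return secrets.token_bytes(20)


def otpauth_uri(secret: bytes, account: str, issuer: str) -> str:
    """Step 3: the text the QR code encodes; the app scans it in step 4."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def totp(secret: bytes, counter: int) -> str:
    """HOTP dynamic truncation (RFC 4226) applied to the time counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_code(secret: bytes, code: str, last_counter: int,
                now: Optional[int] = None) -> Optional[int]:
    """Step 5. Returns the counter that matched (persist it as the new
    last_counter to block replay) or None if nothing in the window matches."""
    now = int(time.time()) if now is None else now
    current = now // STEP
    for c in range(current - WINDOW, current + WINDOW + 1):
        if c <= last_counter:
            continue    # already consumed, or older than the last accepted code
        if hmac.compare_digest(totp(secret, c), code):
            return c
    return None


def generate_backup_codes(n: int = 8) -> Tuple[List[str], Set[str]]:
    """Step 6: show the plaintext codes once; store only the hashes."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes


def use_backup_code(code: str, hashes: Set[str]) -> bool:
    """Each backup code works exactly once."""
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in hashes:
        hashes.discard(h)
        return True
    return False
```

Persisting the matched counter matters more than it looks: within the accepted window a code stays valid for up to 90 seconds, so without `last_counter` a code observed once could be submitted again. The test below uses the RFC 6238 Appendix B reference secret, whose expected codes are published in that RFC.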

WebAuthn

Hardware security keys and biometrics:

  • YubiKey support
  • Touch ID / Windows Hello
  • Platform authenticators

Account Protection

Brute Force Prevention

  • 5 failed attempts: 10-minute lockout
  • 10 failed attempts: 1-hour lockout
  • Lockouts are per-account and per-IP

Rate Limiting

  • Login: 5 requests/minute
  • API: 60 requests/minute
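The lockout tiers and the rate limits from the two lists above, implemented together so they can be tested against an injected clock. This is an added example, not the project's code: the one-hour memory for old failures, the fixed 60-second window and the in-memory dictionaries (standing in for whatever shared store a deployment uses) are assumptions; the thresholds, durations and per-minute limits are the page's.

```python
"""Added example (not the project's code): tiered failed-login lockout tracked
per account and per IP, plus a fixed-window rate limiter. FAILURE_MEMORY and
the in-memory storage are constructed assumptions."""
import time
from collections import defaultdict, deque
from typing import Optional

# (failures, lockout seconds), strictest tier first
LOCKOUT_TIERS = [(10, 3600), (5, 600)]
FAILURE_MEMORY = 3600                    # assumption: forget failures older than 1 h
RATE_LIMITS = {"login": 5, "api": 60}    # requests per 60-second window


class LoginGuard:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> unix time the lockout ends

    @staticmethod
    def _keys(account: str, ip: str):
        # Both dimensions are tracked: one key per account, one per source IP.
        return (("acct", account), ("ip", ip))

    def seconds_locked(self, account: str, ip: str, now: Optional[float] = None) -> int:
        """Remaining lockout for this login attempt; 0 means it may proceed."""
        now = self._clock() if now is None else now
        remaining = [self._locked_until.get(k, 0) - now for k in self._keys(account, ip)]
        return max(0, int(max(remaining)))

    def record_failure(self, account: str, ip: str) -> None:
        now = self._clock()
        for key in self._keys(account, ip):
            q = self._failures[key]
            q.append(now)
            while q and q[0] < now - FAILURE_MEMORY:
                q.popleft()
            for threshold, duration in LOCKOUT_TIERS:
                if len(q) >= threshold:
                    self._locked_until[key] = max(self._locked_until.get(key, 0),
                                                  now + duration)
                    break

    def record_success(self, account: str, ip: str) -> None:
        # Only the account's counters reset: one good login from an IP must not
        # clear a lockout earned by spraying other accounts from that IP.
        self._failures.pop(("acct", account), None)
        self._locked_until.pop(("acct", account), None)


class RateLimiter:
    """Fixed 60-second window keyed by (bucket, client)."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._counts = {}   # (bucket, client) -> (window index, count)

    def allow(self, bucket: str, client: str) -> bool:
        window = int(self._clock() // 60)
        start, count = self._counts.get((bucket, client), (window, 0))
        if start != window:
            start, count = window, 0        # new minute, counter starts over
        if count >= RATE_LIMITS[bucket]:
            self._counts[(bucket, client)] = (start, count)
            return False
        self._counts[(bucket, client)] = (start, count + 1)
        return True
```

The two mechanisms answer different questions: the rate limiter bounds how many login requests a client may send per minute regardless of outcome, while the lockout reacts only to failures and outlives the minute window. Checking `seconds_locked` before verifying the password also avoids spending an Argon2id computation on an attempt that will be refused anyway. The IPs in the test are RFC 5737 documentation addresses.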

Best Practices

  1. Enable MFA for all admin accounts
  2. Use strong, unique passwords
  3. Rotate credentials regularly
  4. Monitor login attempts
  5. Review active sessions

Released under the MIT License.