Authentication Security

Multi-factor authentication with industry-standard protocols.

JWT Tokens

  • Algorithm: HS256 (HMAC-SHA256)
  • Expiry: 24 hours (configurable)
  • Claims: UserID, Email, OrgID, Role, SessionID
  • Signing Key: 32+ byte secret from JWT_SECRET
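The JWT rules above, implemented with only the Python standard library as an added illustration (this is example code, not the project's own): HS256 signing that refuses secrets shorter than 32 bytes, a 24-hour `exp`, and verification that pins the algorithm to HS256 and compares the MAC in constant time. `SECRET`, the snake_case claim names and the `iat` claim are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"0123456789abcdef0123456789abcdef"  # constructed 32-byte stand-in for JWT_SECRET
EXPIRY_SECONDS = 24 * 60 * 60  # the 24-hour default above

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes = SECRET, now=None) -> str:
    """Mint an HS256 token carrying the claim set above plus iat/exp."""
    if len(secret) < 32:
        raise ValueError("JWT_SECRET must be at least 32 bytes")
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(dict(claims, iat=now, exp=now + EXPIRY_SECONDS),
                         separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(payload.encode())
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)

def verify(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims of a well-formed, HS256-signed, unexpired token; raise otherwise."""
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")  # ValueError unless exactly three segments
    # Pin the algorithm server-side; never let the token's header choose how to verify.
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def is_valid(token: str, secret: bytes = SECRET, now=None) -> bool:
    """Boolean wrapper over verify() for callers that only need accept/reject."""
    try:
        verify(token, secret, now)
        return True
    except (ValueError, binascii.Error):
        return False
```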

OAuth 2.0

  • PKCE (Proof Key for Code Exchange) flow, binding the authorization code to the client that requested it
  • State parameter for CSRF protection
  • Providers: Google, GitHub, GitLab

Two-Factor Authentication

  • TOTP: Time-based OTP (Google Authenticator compatible)
  • Email: one-time code delivered by email, with rate limiting
  • Backup Codes: AES-256-GCM encrypted, single-use

Password Security

  • Hashing: bcrypt with default cost
  • Minimum length: 8 characters
  • Reset: OTP-verified password changes