Authentication Overview
QoBooks implements a robust authentication and security system to protect your business data and ensure secure access for authorized users.
Authentication Methods
Email & Password
- The primary authentication method for most users
- Users register with their email address and create a secure password
- Passwords are stored as salted hashes produced by an industry-standard password hashing algorithm; hashing is one-way, so the original password cannot be recovered from the stored value (this is not encryption)
- Supports password complexity requirements
Multi-Factor Authentication (MFA)
- Optional additional security layer
- Available via SMS verification codes (a code sent to a phone number is only as safe as that number, so SMS MFA is a baseline rather than a strong factor)
- Can be enabled per user or organization-wide
- Recommended for admin accounts and sensitive operations
Session Management
- Secure session tokens with configurable expiration
- Automatic session timeout after inactivity
- "Remember Me" option for trusted devices
- Session invalidation on password change
Account Verification
Email Verification
- Required for new account activation
- 6-digit verification code sent via email
- Code expires after 10 minutes for security
- Resend option available after 60 seconds
SMS Verification
- Alternative verification method
- 6-digit code sent to registered phone number
- Useful for users without reliable email access
- Same security features as email verification
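As an added example (not QoBooks code), the following Python service implements the verification-code lifecycle described in the two lists above for either contact type: a uniformly random 6-digit code, a 10-minute expiry, a 60-second resend cooldown, single use, and an assumed cap on wrong guesses (the page does not state one). The gateway is a constructed in-memory list and the clock is injected so expiry can be exercised offline.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60      # code expires after 10 minutes (from the page)
RESEND_COOLDOWN_SECONDS = 60    # new code may be requested after 60 seconds (from the page)
MAX_ATTEMPTS = 5                # assumed cap on wrong guesses; not stated on the page


@dataclass
class PendingVerification:
    code: str
    issued_at: float
    attempts: int = 0


class VerificationService:
    """Issues and checks 6-digit codes for a contact (email address or phone number)."""

    def __init__(self, clock):
        self._now = clock                  # injected clock so expiry can be tested
        self._pending = {}                 # contact -> PendingVerification
        self.sent = []                     # constructed stand-in for the email/SMS gateway

    def send_code(self, contact: str) -> bool:
        """Generate and 'send' a fresh code; refused while the resend cooldown is running."""
        existing = self._pending.get(contact)
        if existing and self._now() - existing.issued_at < RESEND_COOLDOWN_SECONDS:
            return False
        # secrets.randbelow gives a uniform value; zero-pad so '000042' is a valid code
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[contact] = PendingVerification(code, self._now())
        self.sent.append((contact, code))
        return True

    def verify(self, contact: str, submitted: str) -> str:
        """Return 'ok', 'expired', 'locked', 'invalid' or 'none' (no code outstanding)."""
        pending = self._pending.get(contact)
        if pending is None:
            return "none"
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[contact]     # stale code is discarded, not kept around
            return "expired"
        if pending.attempts >= MAX_ATTEMPTS:
            return "locked"                # too many wrong guesses: a new code is required
        pending.attempts += 1
        # constant-time comparison so a wrong code cannot be guessed digit by digit via timing
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[contact]     # single use: the same code cannot be replayed
            return "ok"
        return "invalid"
```

A 6-digit code has only a million values, so the attempt cap is what makes the code safe; without it an attacker could simply enumerate codes within the 10-minute window.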
Security Features
Password Requirements
- Minimum 8 characters
- Must include uppercase and lowercase letters
- Must include at least one number
- Optional special character requirement
- Rejects passwords that appear on a common-password list
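As an added example (not QoBooks code), the Python below shows what the two password-related lists above amount to in practice: a policy check that returns every violated rule, and a store/verify pair that keeps only a salted one-way digest and compares in constant time. scrypt and its cost parameters, the salt size and the tiny constructed denylist are assumptions; the page names no algorithm or list.

```python
import hashlib
import hmac
import secrets

# Assumed cost parameters; the page does not state which algorithm or settings QoBooks uses.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16

# Constructed denylist of a few common passwords; a deployment would load a much larger list.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1", "welcome1"}


def check_policy(password: str, require_special: bool = False) -> list:
    """Return the list of policy rules the password violates (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("minimum 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if require_special and not any(not c.isalnum() for c in password):
        problems.append("needs a special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    return problems


def hash_password(password: str) -> str:
    """Store the parameters, a fresh random salt and the digest; the password itself is never kept."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters, then compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: never treat as a match
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

Because the salt is random, hashing the same password twice yields different records, which is what stops an attacker with a stolen table from cracking many accounts with one precomputed dictionary.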
Account Lockout
- Automatic lockout after multiple failed login attempts
- Configurable lockout duration (default: 15 minutes)
- Admin can manually unlock accounts
- Slows online brute-force guessing against an account (lockout alone does not stop password spraying across many accounts, and a lockout keyed only on the account name can be abused to lock legitimate users out)
IP-Based Restrictions
- Optional IP allowlisting (whitelisting) for organization accounts
- Restrict access to specific IP ranges
- Useful for corporate environments
- Configured in organization settings
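As an added example (not QoBooks code), a Python check for the IP-range restriction described above, with the one detail a practitioner has to get right: the client address must be taken from the TCP peer unless the peer is a known reverse proxy, because anyone can send an X-Forwarded-For header naming an allowed address. The allowlist and proxy ranges are constructed values from documentation address space.

```python
import ipaddress

# Constructed allowlist for a hypothetical organization (would come from organization settings).
ORG_ALLOWLIST = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:1::/48"]


def build_allowlist(cidrs):
    """Parse CIDR strings once at load time so a malformed entry fails loudly, not at request time."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_allowed(client_ip: str, allowlist) -> bool:
    """True when the client address lies inside any allowed network; garbage is never allowed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def client_ip_from_request(remote_addr: str, forwarded_for: str, trusted_proxies) -> str:
    """Pick the address to test against the allowlist.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy, and then
    only its last entry, which is the one that proxy appended (assumes a single proxy hop;
    earlier entries are whatever the client chose to send).
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def access_permitted(remote_addr: str, forwarded_for: str, allowlist, trusted_proxies) -> bool:
    """Full check as a request handler would call it."""
    return ip_allowed(client_ip_from_request(remote_addr, forwarded_for, trusted_proxies), allowlist)
```

If the application sits behind more than one proxy layer, the trusted list has to cover every hop and the correct entry is the last one not belonging to a trusted proxy; the single-hop rule above is the common case.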
User Sessions
Login Process
- User enters email and password
- System validates credentials
- If valid, creates secure session
- Redirects to dashboard or last visited page
- Session token stored in secure HTTP-only cookie
Session Expiration
- Default session timeout: 2 hours of inactivity
- Configurable per organization
- "Remember Me" extends to 30 days
- Warning before session expiration
Logout
- Explicit logout button in user menu
- Clears session token from server
- Removes session cookie from browser
- Redirects to login page
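As an added example (not QoBooks code), a Python session store covering the three lists above: a random token minted at login, a 2-hour inactivity timeout that each request resets, a 30-day "Remember Me" window, invalidation when the user's password changes, an expiry countdown for the pre-expiration warning, and server-side removal on logout. The store keeps only a hash of the token, and tracks password changes with a per-user version counter; both are design choices of this example, not details from the page. The clock is injected so timeouts can be exercised offline.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 2 * 60 * 60             # default: 2 hours of inactivity (from the page)
REMEMBER_ME_TIMEOUT = 30 * 24 * 3600   # "Remember Me": 30 days (from the page)


class SessionStore:
    """In-memory session store; a deployment would back this with a database or cache."""

    def __init__(self, clock, idle_timeout=IDLE_TIMEOUT):
        self._now = clock               # injected clock for testability
        self._idle_timeout = idle_timeout   # configurable per organization
        self._sessions = {}             # token hash -> session record

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a leaked session table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str, password_version: int, remember_me: bool = False) -> str:
        """Mint an unguessable token; the caller puts it in an HttpOnly/Secure cookie."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user_id": user_id,
            "pw_version": password_version,   # snapshot of the user's password version at login
            "last_seen": self._now(),
            "timeout": REMEMBER_ME_TIMEOUT if remember_me else self._idle_timeout,
        }
        return token

    def resolve(self, token: str, current_password_version: int):
        """Return the user id for a live session, or None; a hit resets the inactivity clock."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._now()
        expired = now - rec["last_seen"] > rec["timeout"]
        password_changed = rec["pw_version"] != current_password_version
        if expired or password_changed:
            del self._sessions[key]       # dead sessions are removed, not just ignored
            return None
        rec["last_seen"] = now
        return rec["user_id"]

    def seconds_until_expiry(self, token: str):
        """Remaining idle time, for the client-side warning; None if no such session."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        return max(0.0, rec["last_seen"] + rec["timeout"] - self._now())

    def logout(self, token: str) -> bool:
        """Explicit logout: drop the server-side record so the cookie value is useless afterwards."""
        return self._sessions.pop(self._key(token), None) is not None
```

Bumping the user's password version on every password change is what makes "session invalidation on password change" work without scanning the session table: every session minted under the old version fails its next lookup.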
Access Control
Organization-Based Access
- Each user belongs to a specific organization
- Users can only access data within their organization
- Prevents cross-organization data leakage
- Enforced at database level
Branch-Based Access
- Multi-branch organizations can restrict access by branch
- Users assigned to specific branches
- Can view and manage only assigned branch data
- Configured in user settings
Role-Based Permissions
- Hierarchical permission system
- Granular control over module access
- Custom roles can be created
- Permissions inherited from parent roles
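As an added example (not QoBooks code, and not its real role names), the Python below implements the three access-control layers listed above in the order a request should apply them: organization match first, then branch assignment, then role permissions resolved transitively through parent roles. The role table and user records are constructed; the traversal keeps a visited set so a misconfigured cyclic role definition cannot hang the check.

```python
# Constructed role hierarchy; each role inherits everything its parents grant.
ROLES = {
    "viewer":     {"parents": [],             "perms": {"invoices:read", "reports:read"}},
    "accountant": {"parents": ["viewer"],     "perms": {"invoices:write", "payments:write"}},
    "branch_mgr": {"parents": ["accountant"], "perms": {"branch:settings"}},
    "org_admin":  {"parents": ["branch_mgr"], "perms": {"users:manage", "org:settings"}},
}


def effective_permissions(role: str, roles=ROLES) -> frozenset:
    """Union of the role's own permissions and those of every ancestor role."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue                      # already merged; also breaks inheritance cycles
        seen.add(current)
        entry = roles.get(current)
        if entry is None:
            raise KeyError(f"unknown role {current!r}")
        perms |= entry["perms"]
        stack.extend(entry["parents"])
    return frozenset(perms)


def authorize(user: dict, perm: str, org_id: str, branch_id=None) -> bool:
    """Deny unless the organization matches, the branch (if the user is restricted) is
    assigned, and the user's role grants the permission.  Order matters: organization
    scoping is checked before anything else so no cross-organization request gets further."""
    if user["org_id"] != org_id:
        return False
    # branches=None means the user may see every branch in the organization;
    # a branch-restricted user cannot access unscoped (branch_id=None) data either.
    if user["branches"] is not None and branch_id not in user["branches"]:
        return False
    return perm in effective_permissions(user["role"])
```

Resolving permissions transitively is what "permissions inherited from parent roles" means operationally: a custom role that names an existing role as its parent gets that role's grants without them being copied, so a later change to the parent propagates.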
Security Best Practices
For Users
- Use strong, unique passwords
- Enable MFA when available
- Don't share credentials
- Log out from shared devices
- Report suspicious activity immediately
For Administrators
- Enforce password policies
- Regularly review user access
- Remove inactive user accounts
- Monitor login attempts
- Keep software updated
For Organizations
- Implement IP restrictions if needed
- Use TLS (HTTPS) for all connections
- Regular security audits
- Backup and disaster recovery plan
- Employee security training
Account Recovery
Forgot Password
- Self-service password reset
- Verification required via email or SMS
- Temporary reset link sent to verified contact
- Link expires after 1 hour
- The link leads to a password-change form; after the reset the old password no longer works and existing sessions are invalidated (see Session Management)
Account Lockout
- Automatic after failed login attempts
- Admin can unlock via user management
- User can request unlock via support
- Time-based automatic unlock
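As an added example (not QoBooks code), a Python login throttle implementing the lockout behaviour described both in Security Features above and in the list just above: counting failed attempts, locking the account once the threshold is reached, unlocking automatically after the lockout duration (15 minutes, the page's default), manual unlock by an administrator, and an audit trail of lock/unlock events. The attempt threshold and the window over which failures are counted are assumptions; the page only says "multiple". The clock is injected so the timers can be exercised offline.

```python
from collections import deque

MAX_FAILED_ATTEMPTS = 5       # assumed threshold; the page says "multiple"
FAILURE_WINDOW = 15 * 60      # assumed: failures older than this no longer count toward the threshold
LOCKOUT_SECONDS = 15 * 60     # default lockout duration (from the page)


class LoginThrottle:
    def __init__(self, clock, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout=LOCKOUT_SECONDS, window=FAILURE_WINDOW):
        self._now = clock
        self._max, self._lockout, self._window = max_attempts, lockout, window
        self._failures = {}       # account -> deque of failure timestamps
        self._locked_until = {}   # account -> time at which the lock expires
        self.events = []          # audit trail: (time, account, event, actor)

    def is_locked(self, account: str) -> bool:
        """Lock state, applying the time-based automatic unlock as a side effect."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)
            self.events.append((self._now(), account, "auto_unlock", "system"))
            return False
        return True

    def attempt(self, account: str, verify_credentials) -> str:
        """Run one login attempt; verify_credentials is a zero-argument callable returning bool.

        Returns 'locked', 'ok' or 'failed'.  The lock is checked before the credentials are
        verified, so a locked account cannot be probed and a correct guess during the
        lockout gets no different answer from a wrong one.
        """
        if self.is_locked(account):
            return "locked"
        if verify_credentials():
            self._failures.pop(account, None)   # success clears the failure history
            return "ok"
        now = self._now()
        history = self._failures.setdefault(account, deque())
        history.append(now)
        while history and now - history[0] > self._window:
            history.popleft()                   # forget failures outside the window
        if len(history) >= self._max:
            self._locked_until[account] = now + self._lockout
            self.events.append((now, account, "lockout", "system"))
            return "locked"
        return "failed"

    def admin_unlock(self, account: str, admin: str) -> bool:
        """Manual unlock from user management; returns False if the account was not locked."""
        if self._locked_until.pop(account, None) is None:
            return False
        self._failures.pop(account, None)
        self.events.append((self._now(), account, "admin_unlock", admin))
        return True
```

Because the lock is keyed on the account name, anyone who knows a user's email can lock that user out by sending wrong passwords; production deployments pair this with per-source-IP rate limiting and the IP restrictions described earlier so that one remote address cannot lock out an entire organization.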
Account Reactivation
- Suspended accounts can be reactivated
- Requires admin approval
- May require re-verification
- Audit trail maintained
Security Headers and Cookies
HTTP-Only Cookies
- Session cookies marked as HTTP-only
- Prevents JavaScript access
- Limits the damage of an XSS bug (injected script cannot read the session cookie); it does not prevent XSS itself
- Secure flag for HTTPS connections
CSRF Protection
- Cross-Site Request Forgery tokens
- Validated on form submissions
- Automatic token generation
- Prevents a forged request from another site being accepted as the user's own
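As an added example (not QoBooks code), the Python below shows the two mechanisms listed above at the HTTP level: the Set-Cookie header for the session cookie with the HttpOnly, Secure and SameSite attributes (the `__Host-` name prefix, which browsers only accept with Secure and Path=/ and no Domain, is this example's choice), and a CSRF token that is bound to the session with an HMAC so a token stolen from one session is useless in another. The cookie name, the secret and the check order are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "__Host-qb_session"      # assumed name; __Host- prefix locks in Secure + Path=/
CSRF_SECRET = secrets.token_bytes(32)  # per-deployment key; would be loaded from config
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie_header(token: str, max_age=None) -> str:
    """Build the Set-Cookie value for the session token with the hardening flags set."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True     # script cannot read it: limits XSS impact
    morsel["secure"] = True       # only sent over HTTPS
    morsel["samesite"] = "Lax"    # not attached to cross-site POSTs: first line of CSRF defence
    morsel["path"] = "/"
    if max_age is not None:
        morsel["max-age"] = max_age   # omitted for a pure session cookie
    return jar.output(header="").strip()


def issue_csrf_token(session_token: str) -> str:
    """Random nonce plus an HMAC over (session, nonce): valid only for this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_token}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_csrf_token(session_token: str, submitted) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not isinstance(submitted, str) or "." not in submitted:
        return False
    nonce, mac = submitted.split(".", 1)
    expected = hmac.new(CSRF_SECRET, f"{session_token}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def request_allowed(method: str, session_token: str, form_token) -> bool:
    """Safe methods need no token; every state-changing request must carry a valid one."""
    if method.upper() in SAFE_METHODS:
        return True
    return validate_csrf_token(session_token, form_token)
```

Binding the token to the session rather than storing it server-side keeps validation stateless, but it means the token must be regenerated whenever the session is, for example after login.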
Content Security Policy
- Restricts resource loading
- Mitigates script injection by restricting the origins from which scripts, styles and other resources may load
- Configurable per organization
- Default strict policy
Audit Logging
Login Events
- Successful logins with timestamp
- Failed login attempts
- IP address and device information
- Geographic location (when available)
Access Events
- Page access logs
- Module access tracking
- Data modification events
- Export/download activities
Security Events
- Password changes
- Permission modifications
- Account lockouts/unlocks
- MFA enable/disable
Troubleshooting
Cannot Log In
- Verify correct email and password
- Check if account is locked
- Use "Forgot Password" if needed
- Clear browser cache and cookies
- Try different browser
Verification Code Not Received
- Check spam/junk folder
- Verify contact information is correct
- Request new code after cooldown
- Try alternative verification method
- Contact support if issue persists
Session Expiring Too Quickly
- Check organization session settings
- Enable "Remember Me" on a trusted device to extend the session to 30 days
- Ensure stable internet connection
- Contact admin if settings seem incorrect
Account Locked
- Wait for automatic unlock (15 minutes by default; the organization may configure a different duration)
- Contact administrator for manual unlock
- Use "Forgot Password" to reset
- Contact support if issue persists