[{"data":1,"prerenderedAt":818},["ShallowReactive",2],{"guide:en:authentication":3},{"id":4,"title":5,"body":6,"description":810,"extension":811,"meta":812,"navigation":813,"path":814,"seo":815,"stem":816,"__hash__":817},"guide_en/en/user/authentication/index.md","Authentication — Login Methods and Account Security",{"type":7,"value":8,"toc":788},"minimark",[9,14,18,23,34,37,43,56,61,72,78,89,93,98,116,121,138,143,157,162,175,179,184,198,204,215,220,234,238,247,251,256,275,280,294,298,303,320,325,333,339,352,363,373,377,382,399,404,418,423,463,468,482,486,491,506,511,522,526,531,536,559,563,567,582,586,590,603,607,611,625,629,633,651,655,660,680,688,704,708,713,724,729,740,745,756,761,772,777],[10,11,13],"h1",{"id":12},"authentication","Authentication",[15,16,17],"p",{},"Authentication verifies who you are before granting access to Aptli. Aptli supports username/password login, OAuth single sign-on (Google, GitHub, Microsoft, or your organization's single-sign-on provider), and two-factor authentication. 
This section covers how to use and configure each method, manage account locks, and handle password resets.",[19,20,22],"h2",{"id":21},"active-login-methods","Active Login Methods",[15,24,25,30],{},[26,27],"img",{"alt":28,"src":29},"Login Page","/guide/authentication/login-page.png",[31,32,33],"em",{},"Login page showing available authentication methods including OAuth providers",[15,35,36],{},"Configure which authentication methods are available:",[15,38,39],{},[40,41,42],"strong",{},"Username/Password (Default):",[44,45,46,50,53],"ul",{},[47,48,49],"li",{},"Email + password combination",[47,51,52],{},"Password requirements: minimum 8 characters, complexity rules",[47,54,55],{},"Automatic logout after inactivity (configurable, default 1 day)",[15,57,58],{},[40,59,60],{},"OAuth Providers:",[44,62,63,66,69],{},[47,64,65],{},"GitHub OAuth",[47,67,68],{},"Google OAuth",[47,70,71],{},"Additional providers configurable (contact support)",[15,73,74,77],{},[40,75,76],{},"Configuration:","\nNavigate to App Settings → Authentication → Active Login Methods",[44,79,80,83,86],{},[47,81,82],{},"At least one method must be enabled",[47,84,85],{},"Multiple methods can be active simultaneously",[47,87,88],{},"Users choose preferred method at login screen",[19,90,92],{"id":91},"two-factor-authentication-2fa","Two-Factor Authentication (2FA)",[15,94,95],{},[40,96,97],{},"Enabling 2FA:",[99,100,101,104,107,110,113],"ol",{},[47,102,103],{},"Navigate to user profile",[47,105,106],{},"Click \"Enable Two-Factor Authentication\"",[47,108,109],{},"Scan QR code with authenticator app (Google Authenticator, Authy, etc.)",[47,111,112],{},"Enter 6-digit code to confirm",[47,114,115],{},"Save recovery codes (in case your phone is lost)",[15,117,118],{},[40,119,120],{},"Login with 2FA:",[99,122,123,126,129,132,135],{},[47,124,125],{},"Enter email and password (or OAuth)",[47,127,128],{},"System prompts for 6-digit code",[47,130,131],{},"Open authenticator app",[47,133,134],{},"Enter current code 
(refreshes every 30 seconds)",[47,136,137],{},"Access granted",[15,139,140],{},[40,141,142],{},"Recovery Codes:",[44,144,145,148,151,154],{},[47,146,147],{},"10 one-time-use codes generated at 2FA setup",[47,149,150],{},"Store securely (password manager, printed copy)",[47,152,153],{},"Use if authenticator unavailable",[47,155,156],{},"Each code valid once",[15,158,159],{},[40,160,161],{},"Disabling 2FA:",[44,163,164,166,169,172],{},[47,165,103],{},[47,167,168],{},"Click \"Disable Two-Factor Authentication\"",[47,170,171],{},"Enter current 6-digit code (or recovery code)",[47,173,174],{},"Confirm disable",[19,176,178],{"id":177},"spotting-users-without-2fa","Spotting Users Without 2FA",[15,180,181],{},[40,182,183],{},"Admin View:",[99,185,186,189,192,195],{},[47,187,188],{},"Navigate to Admin → Users",[47,190,191],{},"Add column: \"2FA Enabled\" (boolean)",[47,193,194],{},"Filter: \"2FA Enabled = false\"",[47,196,197],{},"Export list for follow-up",[15,199,200,203],{},[40,201,202],{},"Enforcement:","\nApp Settings → Authentication → Require 2FA",[44,205,206,209,212],{},[47,207,208],{},"Enable to force all users to set up 2FA",[47,210,211],{},"Grace period configurable (e.g., 30 days)",[47,213,214],{},"After grace period, users cannot login without 2FA",[15,216,217],{},[40,218,219],{},"Notification Campaign:",[44,221,222,225,228,231],{},[47,223,224],{},"Bulk email users without 2FA",[47,226,227],{},"Include setup instructions",[47,229,230],{},"Emphasize security benefits",[47,232,233],{},"Set deadline for compliance",[19,235,237],{"id":236},"oauth-provider-setup","OAuth Provider Setup",[15,239,240,241,246],{},"OAuth providers (Google, GitHub, Microsoft, or your organization's single-sign-on provider) are configured by your system administrator. 
See the ",[242,243,245],"a",{"href":244},"/sysadmin/oauth-setup/","OAuth Setup Guide"," for configuration details.",[19,248,250],{"id":249},"adding-oauth-to-user-account","Adding OAuth to User Account",[15,252,253],{},[40,254,255],{},"For Existing Username/Password Users:",[99,257,258,261,263,266,269,272],{},[47,259,260],{},"Login with email and password",[47,262,103],{},[47,264,265],{},"Click \"Link OAuth Account\"",[47,267,268],{},"Choose provider (GitHub or Google)",[47,270,271],{},"Authorize with provider",[47,273,274],{},"OAuth account linked (can now login with either method)",[15,276,277],{},[40,278,279],{},"For New Users:",[44,281,282,285,288,291],{},[47,283,284],{},"First login with OAuth creates account automatically",[47,286,287],{},"Email from OAuth provider must be in allowed domains",[47,289,290],{},"Account created with OAuth-only login (no password set)",[47,292,293],{},"Can add password later from profile",[19,295,297],{"id":296},"email-validation","Email Validation",[15,299,300],{},[40,301,302],{},"New User Flow:",[99,304,305,308,311,314,317],{},[47,306,307],{},"User signs up (or admin creates account)",[47,309,310],{},"Validation email sent to user's email address",[47,312,313],{},"Email contains a token that expires after 10 minutes",[47,315,316],{},"User clicks link in email",[47,318,319],{},"Account validated (can now login)",[15,321,322],{},[40,323,324],{},"Validation Required:",[44,326,327,330],{},[47,328,329],{},"Cannot login (any method) until email validated",[47,331,332],{},"Includes OAuth users (email must be validated even if the provider has already verified it)",[15,334,335,338],{},[40,336,337],{},"Resend Validation Email:","\nAdmin can resend from user profile:",[99,340,341,343,346,349],{},[47,342,188],{},[47,344,345],{},"Open user profile",[47,347,348],{},"Click \"Resend Validation Email\"",[47,350,351],{},"New 10-minute token sent",[15,353,354,357,358,362],{},[40,355,356],{},"Manual Validation:","\nAdmin with ",[359,360,361],"code",{},"usersUpdate"," can 
manually validate:",[99,364,365,367,370],{},[47,366,103],{},[47,368,369],{},"Set \"Email Validated\" date to current date",[47,371,372],{},"Save (user can now login)",[19,374,376],{"id":375},"login-security","Login Security",[15,378,379],{},[40,380,381],{},"Max Login Attempts:",[44,383,384,387,390,393],{},[47,385,386],{},"Default: 5 failed attempts",[47,388,389],{},"Configurable in App Settings",[47,391,392],{},"After max attempts: account hard locked",[47,394,395,396,398],{},"Unlock requires admin with ",[359,397,361],{}," permission",[15,400,401],{},[40,402,403],{},"Hard Lock:",[44,405,406,409,412,415],{},[47,407,408],{},"Account cannot login (any method)",[47,410,411],{},"Visible in user profile: \"Hard Lock\" badge",[47,413,414],{},"Unlock: Admin clicks \"Unlock Account\" action",[47,416,417],{},"Reset: Failed attempt counter reset to 0",[15,419,420],{},[40,421,422],{},"Session Expiry:",[44,424,425,439,453],{},[47,426,427,430,431],{},[40,428,429],{},"Automatic Logout:"," Inactivity timeout (default 1 day)\n",[44,432,433,436],{},[47,434,435],{},"Reading or writing data resets countdown",[47,437,438],{},"Configurable per app settings",[47,440,441,444,445],{},[40,442,443],{},"Server Session Timeout:"," Server session timeout (default 1 week)\n",[44,446,447,450],{},[47,448,449],{},"Forces re-login regardless of activity",[47,451,452],{},"Security measure for long-running sessions",[47,454,455,457,458],{},[40,456,422],{}," Absolute max session duration (default 1 week)\n",[44,459,460],{},[47,461,462],{},"Prevents indefinite sessions",[15,464,465],{},[40,466,467],{},"Single Active Session:",[44,469,470,473,476,479],{},[47,471,472],{},"Aptli allows one active session per account at a time",[47,474,475],{},"Signing in on a new device signs you out of other devices",[47,477,478],{},"You'll see a notice and be asked to sign in again on the signed-out device",[47,480,481],{},"Two tabs or windows in the same browser profile share one session — they do not sign each other 
out",[19,483,485],{"id":484},"force-logout","Force Logout",[15,487,488],{},[40,489,490],{},"Admin Action:",[99,492,493,495,497,500,503],{},[47,494,188],{},[47,496,345],{},[47,498,499],{},"Actions → Force Logout",[47,501,502],{},"User's session terminated immediately",[47,504,505],{},"User must re-login",[15,507,508],{},[40,509,510],{},"Use Cases:",[44,512,513,516,519],{},[47,514,515],{},"Security incident (compromised account)",[47,517,518],{},"User left session open on public computer",[47,520,521],{},"Administrative lock (pending investigation)",[19,523,525],{"id":524},"troubleshooting-login","Troubleshooting Login",[527,528,530],"h3",{"id":529},"user-cant-find-account","User Can't Find Account",[15,532,533],{},[40,534,535],{},"Check:",[99,537,538,540,543,546,553],{},[47,539,188],{},[47,541,542],{},"Filter by email (case-sensitive)",[47,544,545],{},"If not found: Account may be deleted",[47,547,548,549,552],{},"Click \"See Deleted\" button (requires ",[359,550,551],{},"viewDeleted"," permission)",[47,554,555,556,552],{},"If found in deleted: Undelete (requires ",[359,557,558],{},"usersCreate",[527,560,562],{"id":561},"hard-lock","Hard Lock",[15,564,565],{},[40,566,535],{},[99,568,569,571,574,579],{},[47,570,103],{},[47,572,573],{},"Look for \"Hard Lock\" badge",[47,575,576,577,552],{},"If present: Click \"Unlock Account\" (requires ",[359,578,361],{},[47,580,581],{},"User can now login",[527,583,585],{"id":584},"email-not-validated","Email Not Validated",[15,587,588],{},[40,589,535],{},[99,591,592,594,597,600],{},[47,593,103],{},[47,595,596],{},"\"Email Validated\" field should have date",[47,598,599],{},"If blank: Resend validation email OR manually set date",[47,601,602],{},"User cannot login via any method without validation",[527,604,606],{"id":605},"bad-domain","Bad Domain",[15,608,609],{},[40,610,535],{},[99,612,613,616,619,622],{},[47,614,615],{},"Navigate to App Settings → Authentication",[47,617,618],{},"\"Allowed Domains\" list",[47,620,621],{},"Verify 
user's email domain included",[47,623,624],{},"If missing: Add domain OR create account manually (bypasses domain check)",[527,626,628],{"id":627},"oauth-not-working","OAuth Not Working",[15,630,631],{},[40,632,535],{},[99,634,635,640,648],{},[47,636,637,638],{},"Confirm with your system administrator that the provider is configured — see the ",[242,639,245],{"href":244},[47,641,642,643,647],{},"Log out and try again, clicking \"Sign in with ",[644,645,646],"span",{},"Provider","\"",[47,649,650],{},"If the error persists, capture the error message shown on the login page and share it with your administrator",[19,652,654],{"id":653},"password-reset","Password Reset",[15,656,657],{},[40,658,659],{},"User-Initiated:",[99,661,662,665,668,671,674,677],{},[47,663,664],{},"Click \"Forgot Password\" on login page",[47,666,667],{},"Enter email address",[47,669,670],{},"Reset email sent (10-minute token)",[47,672,673],{},"Click link in email",[47,675,676],{},"Enter new password",[47,678,679],{},"Password reset (can now login)",[15,681,682,357,685,687],{},[40,683,684],{},"Admin-Initiated:",[359,686,361],{}," can reset:",[99,689,690,692,695,698,701],{},[47,691,103],{},[47,693,694],{},"Actions → Reset Password",[47,696,697],{},"Temporary password generated",[47,699,700],{},"Email sent to user with temp password",[47,702,703],{},"User must change password on first login",[19,705,707],{"id":706},"best-practices","Best Practices",[15,709,710],{},[40,711,712],{},"Enable 2FA:",[44,714,715,718,721],{},[47,716,717],{},"Require for all admin accounts",[47,719,720],{},"Encourage for all users",[47,722,723],{},"Set compliance deadline",[15,725,726],{},[40,727,728],{},"Use OAuth When Possible:",[44,730,731,734,737],{},[47,732,733],{},"Reduces password fatigue",[47,735,736],{},"Leverages provider security",[47,738,739],{},"Easier account recovery",[15,741,742],{},[40,743,744],{},"Monitor Failed Logins:",[44,746,747,750,753],{},[47,748,749],{},"Review hard locked accounts 
weekly",[47,751,752],{},"A pattern of locks can indicate a password-guessing attack",[47,754,755],{},"Enable 2FA enforcement",[15,757,758],{},[40,759,760],{},"Regular Session Expiry:",[44,762,763,766,769],{},[47,764,765],{},"Don't set the inactivity timeout too long (24 hours is reasonable)",[47,767,768],{},"CSRF expiry prevents indefinite sessions",[47,770,771],{},"Balance security vs. user convenience",[15,773,774],{},[40,775,776],{},"Allowed Domains:",[44,778,779,782,785],{},[47,780,781],{},"Keep list tight (only org domains)",[47,783,784],{},"External contractors: create accounts manually (this bypasses the domain check)",[47,786,787],{},"Review quarterly (remove unused domains)",{"title":789,"searchDepth":790,"depth":790,"links":791},"",2,[792,793,794,795,796,797,798,799,800,808,809],{"id":21,"depth":790,"text":22},{"id":91,"depth":790,"text":92},{"id":177,"depth":790,"text":178},{"id":236,"depth":790,"text":237},{"id":249,"depth":790,"text":250},{"id":296,"depth":790,"text":297},{"id":375,"depth":790,"text":376},{"id":484,"depth":790,"text":485},{"id":524,"depth":790,"text":525,"children":801},[802,804,805,806,807],{"id":529,"depth":803,"text":530},3,{"id":561,"depth":803,"text":562},{"id":584,"depth":803,"text":585},{"id":605,"depth":803,"text":606},{"id":627,"depth":803,"text":628},{"id":653,"depth":790,"text":654},{"id":706,"depth":790,"text":707},"Configure and use authentication in Aptli: username/password login, OAuth providers (Google, GitHub, Microsoft), two-factor authentication, email validation, and session security.","md",{},true,"/en/user/authentication",{"title":5,"description":810},"en/user/authentication/index","R1mN6QZnmzeK06FLJUW3VeXFy3LEqN3zJm5nqxnU-4I",1780539274525]