Multi-Factor Authentication

CaseBender supports multiple MFA methods to protect user accounts. MFA can be enforced at the organization level, ensuring all users comply with your security policy.

TOTP (Time-Based One-Time Password)

Standard TOTP authentication compatible with all major authenticator apps:
  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password
  • Any TOTP-compatible app (RFC 6238)
Setup process:
  1. User navigates to Security Settings
  2. Scans QR code with their authenticator app
  3. Enters a verification code to confirm enrollment
  4. Backup codes are generated for account recovery
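
The verification that sits behind steps 2 and 3, written here as an added example (it is not CaseBender's code): RFC 4226 HOTP with the counter derived from Unix time per RFC 6238, the otpauth:// URI that the enrollment QR code encodes, and a verifier that tolerates one time step of clock drift but refuses to accept a time step that has already been consumed, so a code captured from the user cannot be replayed inside the drift window. The SHA-1 / 6-digit / 30-second profile and the persisted last-used counter are assumptions; the test values are the RFC 4226 and RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Assumed TOTP profile: SHA-1, 6 digits, 30-second steps (the defaults most
# authenticator apps use; the page does not state CaseBender's parameters).
TIME_STEP = 30
DIGITS = 6


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI; this is the string the enrollment QR code encodes."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={TIME_STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                window: int = 1, last_used_counter: int = -1) -> Tuple[bool, int]:
    """Check a submitted code against the current step and +/- `window` steps.

    Returns (accepted, counter). Persist the returned counter and pass it back
    as `last_used_counter` on the next attempt: each time step is then accepted
    at most once, which blocks replay of a captured code within the window.
    """
    now = int(time.time()) if at is None else at
    base = now // TIME_STEP
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue  # this step (or an earlier one) was already consumed
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_used_counter
```

The drift window is what keeps a phone whose clock is a few seconds off working; the last-used counter is what keeps that tolerance from turning into a replay window. Both values belong in the user's MFA record, not in the request.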

WebAuthn / FIDO2 Hardware Tokens

For organizations requiring phishing-resistant authentication:
  • YubiKey (USB-A, USB-C, NFC)
  • Google Titan Security Keys
  • Windows Hello (biometric)
  • Apple Touch ID / Face ID (platform authenticators)
  • Any FIDO2-compliant authenticator
WebAuthn provides the strongest authentication because:
  • Credentials are bound to the origin (phishing-resistant)
  • Private keys never leave the hardware token
  • No shared secrets that can be intercepted
  • Supports user verification (PIN or biometric)
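
What "bound to the origin" means on the server side, as an added example that is not CaseBender's code: for an assertion the relying party checks that clientDataJSON carries the expected challenge and the exact expected origin, that the rpIdHash in authenticatorData matches its own RP ID, that the user-presence and (when required) user-verification flags are set, and that the signature counter did not go backwards. Because the browser, not the page, writes the origin into clientDataJSON and the authenticator signs its hash, a lookalike origin fails at the first check. The fixtures at the bottom are constructed stand-ins for browser output; verifying the signature itself with the stored public key is assumed to be done by a WebAuthn library and is not shown.

```python
import base64
import hashlib
import json
from typing import Dict, Optional

# authenticatorData layout (WebAuthn Level 2, section 6.1):
#   rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian) || ...
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str) -> bool:
    """Origin binding: the browser writes the real page origin into clientDataJSON
    and the authenticator signs its hash, so a lookalike origin fails here."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False  # stale or attacker-chosen challenge
    return data.get("origin") == expected_origin  # exact match, never a suffix check


def verify_authenticator_data(auth_data: bytes, rp_id: str, require_uv: bool,
                              previous_sign_count: int = 0) -> Optional[Dict[str, object]]:
    """RP binding, user presence/verification flags and the clone-detection counter.
    Returns the parsed fields on success, None on any failure."""
    if len(auth_data) < 37:
        return None
    if auth_data[:32] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return None  # credential was created for a different relying party
    flags = auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if not flags & FLAG_USER_PRESENT:
        return None
    if require_uv and not flags & FLAG_USER_VERIFIED:
        return None  # PIN or biometric was required but not performed
    if sign_count != 0 and sign_count <= previous_sign_count:
        return None  # counter did not advance: possible cloned authenticator
    return {"user_present": True,
            "user_verified": bool(flags & FLAG_USER_VERIFIED),
            "sign_count": sign_count}


# --- constructed fixtures standing in for what a browser would send --------------

def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode("utf-8")


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))
```

The origin comparison is an exact string match on scheme, host and port; accepting anything that merely ends in the expected domain would hand back the phishing resistance the hardware token provides. The stored sign count should be updated with the returned value after every successful assertion.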

Backup Codes

When enrolling in MFA, users receive one-time backup codes for account recovery:
  • 10 single-use codes generated at enrollment
  • Each code can only be used once
  • Codes are hashed before storage (cannot be retrieved, only verified)
  • New codes can be regenerated (invalidates all previous codes)
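
A backup-code store with the four properties listed above, as an added example that is not CaseBender's code: ten codes per set, each redeemable once, only salted PBKDF2 hashes kept so the plaintext cannot be recovered from the database, and regeneration that discards every earlier hash (and the salt) so old codes stop working. The xxxxx-xxxxx hex format, the per-user salt and the PBKDF2-HMAC-SHA256 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List

# Constructed parameters: 10 codes (from the page), formatted as xxxxx-xxxxx hex, hashed with
# PBKDF2-HMAC-SHA256 under a per-user salt (the hash choice is an assumption, not the product's).
CODE_COUNT = 10
CODE_BYTES = 5
PBKDF2_ROUNDS = 100_000


def format_code(hex_digits: str) -> str:
    """Split the 10 hex digits into two groups so the user can read them off a sheet."""
    return f"{hex_digits[:5]}-{hex_digits[5:]}"


@dataclass
class BackupCodeStore:
    """Per-user store holding only the hashes of the codes that are still unused."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: List[bytes] = field(default_factory=list)

    def _hash(self, code: str) -> bytes:
        # Normalize what the user typed (dashes, case, whitespace) before hashing.
        normalized = code.replace("-", "").strip().lower()
        return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), self.salt, PBKDF2_ROUNDS)

    def regenerate(self) -> List[str]:
        """Issue a fresh set of codes. Every code issued earlier stops working,
        because the old hashes are discarded and the salt is replaced."""
        self.salt = secrets.token_bytes(16)
        codes = [format_code(secrets.token_hex(CODE_BYTES)) for _ in range(CODE_COUNT)]
        self.hashes = [self._hash(c) for c in codes]
        return codes  # shown to the user once; the plaintext is not kept anywhere

    def redeem(self, code: str) -> bool:
        """Consume one code. A matching hash is deleted, so the code cannot be used twice."""
        candidate = self._hash(code)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)
```

Backup codes are a password-strength secret that bypasses the second factor, so a redeem attempt should count toward the same lockout counters as a password failure, and the remaining count is worth showing to the user so they regenerate before running out.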

Single Sign-On (SSO)

SAML 2.0

CaseBender supports SAML 2.0 for enterprise SSO integration:
  • Identity Providers: Okta, Azure AD, OneLogin, PingFederate, ADFS, and any SAML 2.0 compliant IdP
  • SP-Initiated SSO: Users start at CaseBender and are redirected to the IdP
  • IdP-Initiated SSO: Users start at the IdP portal and are directed to CaseBender
  • Single Logout (SLO): Logging out of CaseBender terminates the IdP session
  • Attribute Mapping: Map IdP attributes to CaseBender user fields (name, email, role, team)

SCIM Provisioning

Automate user lifecycle management with SCIM 2.0:
  • User Provisioning: Automatically create CaseBender accounts when users are added in your IdP
  • User Deprovisioning: Automatically disable accounts when users are removed from the IdP
  • Group Sync: Map IdP groups to CaseBender teams and roles
  • Profile Updates: Changes in the IdP (name, email, department) sync to CaseBender automatically

Just-In-Time (JIT) Provisioning

For organizations that prefer not to use SCIM:
  • Users are automatically created on first SSO login
  • Default role and team assignments are configurable
  • Attribute mapping determines initial permissions
  • Administrators can review and adjust JIT-provisioned accounts
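
The attribute-mapping and JIT behaviour described above, as an added example that is not CaseBender's code: a SAML attribute statement (multi-valued attributes arrive as lists) is mapped to user fields, IdP groups are mapped to a role and team with configurable defaults when nothing matches, the account is created on the first SSO login only, and later logins return the existing account untouched so that adjustments an administrator made after review survive. The attribute names, the group-to-role table, the default role and team and the `needs_review` flag are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed configuration: which SAML attribute feeds which user field, how IdP
# groups map to roles/teams, and the defaults used when no group matches.
ATTRIBUTE_MAP = {"email": "mail", "name": "displayName", "groups": "memberOf"}
GROUP_TO_ROLE_TEAM: List[Tuple[str, str, str]] = [  # first match wins; ordered by privilege
    ("soc-admins", "admin", "SOC"),
    ("soc-analysts", "analyst", "SOC"),
    ("it-helpdesk", "viewer", "IT"),
]
DEFAULT_ROLE, DEFAULT_TEAM = "read_only", "Unassigned"


@dataclass
class User:
    email: str
    name: str
    role: str
    team: str
    jit_provisioned: bool = False  # lets administrators list accounts created by JIT
    needs_review: bool = False     # assumption: set when the account fell through to the defaults


def map_attributes(attrs: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Apply ATTRIBUTE_MAP to a SAML attribute statement.
    Returns None when the identifying email attribute is missing."""
    emails = attrs.get(ATTRIBUTE_MAP["email"], [])
    if not emails:
        return None
    names = attrs.get(ATTRIBUTE_MAP["name"], [])
    groups = attrs.get(ATTRIBUTE_MAP["groups"], [])
    role, team = DEFAULT_ROLE, DEFAULT_TEAM
    for group, mapped_role, mapped_team in GROUP_TO_ROLE_TEAM:
        if group in groups:
            role, team = mapped_role, mapped_team
            break
    return {"email": emails[0].lower(), "name": names[0] if names else emails[0],
            "role": role, "team": team}


def provision_jit(attrs: Dict[str, List[str]],
                  directory: Dict[str, User]) -> Optional[Tuple[User, bool]]:
    """Create the account on first SSO login; on later logins return the existing
    account untouched, so role or team changes made by an administrator survive.
    Returns (user, created) or None when the assertion cannot identify a user."""
    mapped = map_attributes(attrs)
    if mapped is None:
        return None
    existing = directory.get(mapped["email"])
    if existing is not None:
        return existing, False
    user = User(email=mapped["email"], name=mapped["name"], role=mapped["role"],
                team=mapped["team"], jit_provisioned=True,
                needs_review=(mapped["role"] == DEFAULT_ROLE))
    directory[user.email] = user
    return user, True
```

Two choices matter here: the email is normalised to lower case before it is used as the directory key, so the IdP cannot produce two accounts for one person by varying case, and the default role is the least privileged one, so a user whose groups are not mapped starts with read-only access until an administrator reviews the account.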

Account Lockout

CaseBender implements progressive account lockout to prevent brute-force attacks:

Lockout Policy

Attempt   Action
1-4       Normal login flow
5         Account locked for 5 minutes
6-9       Extended lockout with progressive delays
10+       Account locked until admin intervention

Lockout Features

  • Progressive Delays: Each subsequent lockout increases the wait time
  • IP-Based Tracking: Failed attempts are tracked per IP address in addition to per account
  • Admin Unlock: Administrators can manually unlock accounts
  • Notification: Users and administrators are notified of lockout events
  • Audit Trail: All lockout events are logged with IP address, user agent, and timestamp
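
The lockout table and feature list above, implemented as an added example that is not CaseBender's code: failures are counted per account and per source IP, the fifth failure locks for 5 minutes, attempts 6 to 9 lock for progressively longer, the tenth sets a lock that only an administrator can clear, and every lockout and unlock is appended to an audit list with IP address, user agent and timestamp. The doubling schedule for attempts 6 to 9 is an assumption (the page only says "progressive delays"), as is the choice to keep the IP counter after a successful login.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCK_THRESHOLD = 5           # attempt 5 triggers the first lockout (from the page)
BASE_LOCK_SECONDS = 5 * 60   # 5 minutes (from the page)
HARD_LOCK_AFTER = 10         # attempt 10+ needs an administrator (from the page)


def lockout_seconds(failures: int) -> Optional[int]:
    """Delay after the given consecutive failure count; None means admin unlock is needed.
    The doubling for attempts 6-9 is an assumption; the page only says 'progressive'."""
    if failures < LOCK_THRESHOLD:
        return 0
    if failures >= HARD_LOCK_AFTER:
        return None
    return BASE_LOCK_SECONDS * (2 ** (failures - LOCK_THRESHOLD))


@dataclass
class Counter:
    failures: int = 0
    locked_until: float = 0.0
    hard_locked: bool = False

    def state(self, now: float) -> Optional[str]:
        if self.hard_locked:
            return "locked_admin"
        if self.locked_until > now:
            return "locked_temp"
        return None


class LockoutPolicy:
    """Tracks failures per account and per source IP and keeps an audit trail."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Counter] = {}
        self.ips: Dict[str, Counter] = {}
        self.audit: List[dict] = []

    def is_blocked(self, user: str, ip: str, now: float) -> Optional[str]:
        """Call before checking the password; returns the lock reason or None."""
        for counter in (self.accounts.get(user), self.ips.get(ip)):
            if counter is not None and counter.state(now) is not None:
                return counter.state(now)
        return None

    def record_failure(self, user: str, ip: str, now: float, user_agent: str) -> None:
        for scope, key, table in (("account", user, self.accounts), ("ip", ip, self.ips)):
            counter = table.setdefault(key, Counter())
            counter.failures += 1
            delay = lockout_seconds(counter.failures)
            if delay is None:
                counter.hard_locked = True
            elif delay:
                counter.locked_until = now + delay
            if delay is None or delay:
                self.audit.append({"event": "lockout", "scope": scope, "key": key,
                                   "failures": counter.failures, "delay": delay,
                                   "ip": ip, "user_agent": user_agent, "timestamp": now})

    def record_success(self, user: str) -> None:
        """A successful login clears the account counter. The IP counter is kept (assumption),
        so spraying many accounts from one address still trips the IP lock."""
        self.accounts.pop(user, None)

    def admin_unlock(self, user: str, admin: str, now: float, ip: Optional[str] = None) -> None:
        self.accounts.pop(user, None)
        if ip is not None:
            self.ips.pop(ip, None)
        self.audit.append({"event": "admin_unlock", "user": user, "by": admin,
                           "ip": ip, "timestamp": now})
```

The per-IP counter is what catches a spray across many accounts that never reaches five failures on any one of them; the per-account counter is what catches a distributed attempt against one account. A login handler should consult `is_blocked` before it ever touches the password hash, so a locked account costs the server nothing per attempt.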

Step-Up Authentication

Even with a valid session, CaseBender requires re-authentication for sensitive operations:

Operations Requiring Step-Up

  • Changing security settings (MFA, SSO configuration)
  • Modifying RBAC policies or role assignments
  • Bulk delete operations (cases, alerts, tasks)
  • Exporting audit logs or sensitive data
  • Privileged access elevation (PAM)
  • Changing integration credentials
  • Modifying data retention policies

Step-Up Methods

Users can satisfy step-up requirements using any enrolled MFA method:
  • TOTP code from authenticator app
  • WebAuthn/FIDO2 hardware token tap
  • Backup code (one-time use)
Step-up sessions have a configurable expiry (default: 15 minutes) after which re-authentication is required again.

Session Management

  • Configurable Session Duration: Organizations can set session timeout policies
  • Concurrent Session Limits: Configurable maximum concurrent sessions per user
  • Session Revocation: Administrators can terminate any user’s active sessions
  • Idle Timeout: Sessions expire after a configurable period of inactivity
  • Secure Cookies: HTTP-only, Secure, SameSite=Strict cookie attributes
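
The step-up expiry and the session controls above, as one added example that is not CaseBender's code: a session store that enforces a concurrent-session limit by evicting the user's oldest sessions, applies idle and absolute timeouts on every lookup, lets an administrator revoke all of a user's sessions, records a step-up only for an enrolled MFA method (TOTP, WebAuthn, backup code), and gates sensitive operations on a step-up younger than 15 minutes. The 15-minute step-up default is from the page; the idle timeout, maximum session age and concurrent limit are assumptions, and the cookie helper emits the attributes listed above plus the `__Host-` prefix.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values. The 15-minute step-up expiry is the default stated on the page;
# the idle timeout, maximum session age and concurrent-session limit are assumptions.
STEP_UP_TTL = 15 * 60
IDLE_TIMEOUT = 30 * 60
MAX_SESSION_AGE = 12 * 60 * 60
MAX_CONCURRENT = 3
STEP_UP_METHODS = {"totp", "webauthn", "backup_code"}  # the enrolled MFA methods on the page


@dataclass
class Session:
    id: str
    user: str
    created_at: float
    last_seen_at: float
    step_up_at: Optional[float] = None
    step_up_method: Optional[str] = None


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> Session:
        """Start a session; the user's oldest sessions are evicted once MAX_CONCURRENT
        would be exceeded, so the limit never silently blocks a fresh login."""
        mine = sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.created_at)
        while len(mine) >= MAX_CONCURRENT:
            del self._sessions[mine.pop(0).id]
        session = Session(id=secrets.token_urlsafe(32), user=user,
                          created_at=now, last_seen_at=now)
        self._sessions[session.id] = session
        return session

    def get(self, sid: str, now: float) -> Optional[Session]:
        """Resolve a session cookie; idle and absolute timeouts are enforced here."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if (now - session.last_seen_at > IDLE_TIMEOUT
                or now - session.created_at > MAX_SESSION_AGE):
            del self._sessions[sid]
            return None
        session.last_seen_at = now
        return session

    def active_count(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)

    def revoke_user(self, user: str) -> int:
        """Administrator action: terminate every session of the user."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def record_step_up(self, sid: str, method: str, now: float) -> bool:
        """Called after the user re-authenticated with an enrolled MFA method."""
        session = self.get(sid, now)
        if session is None or method not in STEP_UP_METHODS:
            return False
        session.step_up_at, session.step_up_method = now, method
        return True

    def step_up_satisfied(self, sid: str, now: float) -> bool:
        """Gate for the sensitive operations listed above: a valid session alone is
        not enough; the most recent step-up must be younger than STEP_UP_TTL."""
        session = self.get(sid, now)
        return (session is not None and session.step_up_at is not None
                and now - session.step_up_at <= STEP_UP_TTL)


def session_cookie(sid: str) -> str:
    """Set-Cookie value with the attributes listed above. The __Host- prefix makes
    the browser reject the cookie unless it is Secure, Path=/ and has no Domain."""
    return f"__Host-session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```

Keeping the step-up timestamp on the session rather than in a separate token means revoking the session also revokes the elevated state, and the `method` recorded with it gives the audit log the same detail the lockout events carry.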