> ## Documentation Index
> Fetch the complete documentation index at: https://docs.casebender.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Multi-factor authentication, SSO, account lockout, and step-up authentication in CaseBender.

## Multi-Factor Authentication

CaseBender supports multiple MFA methods to protect user accounts. MFA can be enforced at the organization level, ensuring all users comply with your security policy.

### TOTP (Time-Based One-Time Password)

Standard TOTP authentication compatible with all major authenticator apps:

* **Google Authenticator**
* **Microsoft Authenticator**
* **Authy**
* **1Password**
* Any TOTP-compatible app (RFC 6238)

Setup process:

1. User navigates to Security Settings
2. Scans QR code with their authenticator app
3. Enters a verification code to confirm enrollment
4. Backup codes are generated for account recovery

### WebAuthn / FIDO2 Hardware Tokens

For organizations requiring phishing-resistant authentication:

* **YubiKey** (USB-A, USB-C, NFC)
* **Google Titan** Security Keys
* **Windows Hello** (biometric)
* **Apple Touch ID / Face ID** (platform authenticators)
* Any FIDO2-compliant authenticator

WebAuthn provides the strongest authentication because:

* Credentials are bound to the origin (phishing-resistant)
* Private keys never leave the hardware token
* No shared secrets that can be intercepted
* Supports user verification (PIN or biometric)

### Backup Codes

When enrolling in MFA, users receive one-time backup codes for account recovery:

* 10 single-use codes generated at enrollment
* Each code can only be used once
* Codes are hashed before storage (cannot be retrieved, only verified)
* New codes can be regenerated (invalidates all previous codes)

## Single Sign-On (SSO)

### SAML 2.0

CaseBender supports SAML 2.0 for enterprise SSO integration:

* **Identity Providers**: Okta, Azure AD, OneLogin, PingFederate, ADFS, and any SAML 2.0 compliant IdP
* **SP-Initiated SSO**: Users start at CaseBender and are redirected to the IdP
* **IdP-Initiated SSO**: Users start at the IdP portal and are directed to CaseBender
* **Single Logout (SLO)**: Logging out of CaseBender terminates the IdP session
* **Attribute Mapping**: Map IdP attributes to CaseBender user fields (name, email, role, team)

### SCIM Provisioning

Automate user lifecycle management with SCIM 2.0:

* **User Provisioning**: Automatically create CaseBender accounts when users are added in your IdP
* **User Deprovisioning**: Automatically disable accounts when users are removed from the IdP
* **Group Sync**: Map IdP groups to CaseBender teams and roles
* **Profile Updates**: Changes in the IdP (name, email, department) sync to CaseBender automatically

### Just-In-Time (JIT) Provisioning

For organizations that prefer not to use SCIM:

* Users are automatically created on first SSO login
* Default role and team assignments are configurable
* Attribute mapping determines initial permissions
* Administrators can review and adjust JIT-provisioned accounts

## Account Lockout

CaseBender implements progressive account lockout to prevent brute-force attacks:

### Lockout Policy

| Attempt | Action                                   |
| ------- | ---------------------------------------- |
| 1-4     | Normal login flow                        |
| 5       | Account locked for 5 minutes             |
| 6-9     | Extended lockout with progressive delays |
| 10+     | Account locked until admin intervention  |

### Lockout Features

* **Progressive Delays**: Each subsequent lockout increases the wait time
* **IP-Based Tracking**: Failed attempts are tracked per IP address in addition to per account
* **Admin Unlock**: Administrators can manually unlock accounts
* **Notification**: Users and administrators are notified of lockout events
* **Audit Trail**: All lockout events are logged with IP address, user agent, and timestamp

## Step-Up Authentication

Even with a valid session, CaseBender requires re-authentication for sensitive operations:

### Operations Requiring Step-Up

* Changing security settings (MFA, SSO configuration)
* Modifying RBAC policies or role assignments
* Bulk delete operations (cases, alerts, tasks)
* Exporting audit logs or sensitive data
* Privileged access elevation (PAM)
* Changing integration credentials
* Modifying data retention policies

### Step-Up Methods

Users can satisfy step-up requirements using any enrolled MFA method:

* TOTP code from authenticator app
* WebAuthn/FIDO2 hardware token tap
* Backup code (one-time use)

Step-up sessions have a configurable expiry (default: 15 minutes) after which re-authentication is required again.

## Session Management

* **Configurable Session Duration**: Organizations can set session timeout policies
* **Concurrent Session Limits**: Configurable maximum concurrent sessions per user
* **Session Revocation**: Administrators can terminate any user's active sessions
* **Idle Timeout**: Sessions expire after configurable inactivity period
* **Secure Cookies**: HTTP-only, Secure, SameSite=Strict cookie attributes

## Related Documentation

* [Access Control](/en/security/access-control) — RBAC, PAM, and API security
* [Security Architecture](/en/security/architecture) — Zero Trust design principles
* [Audit Logging](/en/security/audit-logging) — Authentication event logging
