# Authentication & Access Control
oklido uses modern authentication standards to secure access to your account and documents.
## Authentication Provider
We use Auth0 (by Okta) for authentication:
- Industry-leading identity platform
- SOC 2 Type II certified
- ISO 27001 certified
- Regular third-party security audits
## Login Security
### OAuth 2.0 / OpenID Connect
- Standard protocol for secure authentication
- No passwords stored by oklido
- Tokens expire and refresh automatically
### Multi-Factor Authentication (MFA)
Add an extra layer of security:
- Go to your Auth0 account settings
- Enable MFA
- Choose your second factor:
  - Authenticator app (Google Authenticator, Authy)
  - SMS (less secure, not recommended)
## Session Management
| Setting | Value |
|---|---|
| Session timeout | 24 hours |
| Idle timeout | 1 hour |
| Concurrent sessions | Allowed |
| Secure cookies | Yes (HttpOnly, Secure, SameSite) |
## Password Requirements
When using email/password login:
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- Checked against breached password databases
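The rules above, implemented as an added example (not oklido's own code). The breach check assumes the common SHA-1 prefix (k-anonymity) range lookup, here against a constructed in-memory breach set that stands in for a real breached-password service:

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus (a real deployment would
# query a range API with the 5-character SHA-1 prefix and compare the returned
# suffixes locally, so the full hash of the password never leaves the server).
_CONSTRUCTED_BREACHED = ["Password1", "Welcome123", "Summer2023"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index breached passwords as {prefix5: {suffix35, ...}}, like a range lookup."""
    index = {}
    for pw in plaintexts:
        h = _sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_range_index(_CONSTRUCTED_BREACHED)


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """k-anonymity style check: only the 5-character prefix selects a bucket."""
    h = _sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def validate_password(password: str, index=BREACH_INDEX) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("minimum 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("at least one uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("at least one lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("at least one number")
    if is_breached(password, index):
        problems.append("found in a breached password database")
    return problems


if __name__ == "__main__":
    for candidate in ["short1A", "Password1", "correct-Horse-battery-7"]:
        print(candidate, "->", validate_password(candidate) or "OK")
```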
## Role-Based Access Control (RBAC)
oklido uses roles to control what users can do:
| Role | Permissions |
|---|---|
| Owner | Full access, billing, delete tenant |
| Admin | Manage users, settings, all documents |
| Editor | Upload, edit, delete documents |
| Viewer | View and download documents only |
| Auditor | View documents and audit logs |
### Principle of Least Privilege
- Users receive only the minimum permissions they need
- Elevated access requires justification
- Regular access reviews recommended
## External User Authentication
### Beneficiaries
Beneficiaries authenticate using:
- Email verification - Confirm identity via email
- Emergency code - 12-character secure code
- Session management - Same security as internal users
### Guests
Guests use time-limited secure links:
- Cryptographically secure tokens
- Expiration enforced
- Single or multi-use configurable
## Email Integration Authentication
Gmail and Outlook connections use OAuth 2.0:
- Scoped permissions - Only what's needed
- Revocable - Disconnect any time
- No password storage - We never see your email password
## API Authentication
For developers using our API:
- JWT tokens - Signed and verified
- API keys - Scoped to specific operations
- Rate limiting - Protection against abuse
## Security Events
We monitor for suspicious activity:
- Failed login attempts
- Login from new locations
- Unusual access patterns
- Password reset requests
Suspicious activity may trigger:
- Account lockout (temporary)
- Email notification
- MFA challenge
## Account Recovery
If you lose access:
- Use "Forgot Password" on the login page
- Verify via email
- Set a new password
- MFA reset available through support
### Emergency code lost?
Contact support@oklido.com with identity verification.
## Best Practices
- Enable MFA on your account
- Use a password manager for unique passwords
- Review connected apps regularly
- Log out on shared devices
- Report suspicious activity immediately