# Authentication

Authentication is how users prove who they are when logging in. Console supports multiple authentication methods to balance security and convenience.

## Authentication Methods

Console offers several ways for users to log in:

- Email & Password: traditional login with a secure password
- Passwordless Login: receive a temporary code via email
- Single Sign-On (SSO): enterprise authentication via OIDC or SAML
- Google OAuth: one-click login with Google accounts
## Email and Password

The traditional authentication method where users log in with their email address and a password.

### Password Requirements

For security, passwords must meet these requirements:

- Minimum 12 characters long
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character (!@#$%^&*, etc.)
### Password Management

Forgot Password:

1. User clicks "Forgot Password" on the login page
2. Enters their email address
3. Receives a reset link via email
4. Creates a new password

Admin Reset: administrators can send password reset emails:

1. Go to Users
2. Select the user
3. Click Send Password Reset
4. User receives the reset email

Encourage users to use unique, strong passwords and consider requiring a password manager.
## Passwordless Login

A modern alternative that eliminates passwords entirely.

### How It Works

1. User enters their email address
2. Receives a 6-digit code via email
3. Enters the code to log in
4. Session is created (no password needed)
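The four steps above correspond to a small server-side store of pending codes. The Python below is an added example, not Console's implementation. It assumes a 10-minute code lifetime and a cap of five wrong guesses per code (the page only says codes expire quickly), keeps an HMAC of each code rather than the code itself so a leaked store reveals nothing usable, and makes every code single-use. The `now` parameter is an injected clock so the expiry behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_TTL_SECONDS = 10 * 60   # assumption: the page only says codes "expire quickly"
MAX_ATTEMPTS = 5             # assumption: wrong guesses allowed before the code is discarded
CODE_DIGITS = 6              # the page's 6-digit code


class PasswordlessCodeStore:
    """In-memory store of pending login codes, keyed by email (example implementation)."""

    def __init__(self, server_secret: bytes, now: Callable[[], float] = time.time) -> None:
        self._secret = server_secret
        self._now = now
        # email -> [hmac_of_code, expires_at, attempts_left]
        self._pending: Dict[str, List] = {}

    def _digest(self, email: str, code: str) -> bytes:
        # Store a keyed hash rather than the code so a leaked store reveals nothing usable.
        msg = f"{email.lower()}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, email: str) -> str:
        """Create a fresh 6-digit code for this email; the caller sends it by email."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Issuing again replaces any earlier code, so only the newest one is valid.
        self._pending[email.lower()] = [
            self._digest(email, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, email: str, code: str) -> bool:
        """Return True once for the right code; expired, exhausted or used codes fail."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[key]
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(email, code)):
            del self._pending[key]   # single use: a replayed code is rejected
            return True
        return False


if __name__ == "__main__":
    store = PasswordlessCodeStore(secrets.token_bytes(32))
    demo_code = store.issue("user@example.com")   # would be emailed, never logged
    print("first check :", store.verify("user@example.com", demo_code))
    print("replay check:", store.verify("user@example.com", demo_code))
```

The attempt cap matters because a 6-digit code has only a million values; without it, the short lifetime alone would not stop an online guessing loop. Issuing a new code invalidates the previous one, so a user who requests a second email cannot be confused by two live codes.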
### Benefits

- No password to remember - reduces support requests
- No weak passwords - eliminates common password problems
- No password reuse - there is no password to reuse across sites
- Temporary codes - codes expire quickly

### Enabling Passwordless

As an administrator:

1. Go to Settings → Authentication
2. Enable Passwordless Login
3. Users will see this option on the login page
## Single Sign-On (SSO)

Enterprise-grade authentication using your existing Identity Provider (IdP).

### Supported Protocols

Console supports both modern and legacy SSO standards:

| Protocol | When to Use | Common Providers |
|---|---|---|
| OIDC (OpenID Connect) | Modern standard | Okta, Auth0, Azure AD, Google |
| SAML 2.0 | Legacy systems | Active Directory, Shibboleth |
### Benefits of SSO

- Centralized Access: one login for all company applications
- Compliance: meet enterprise security requirements
- Automatic Provisioning: users are created automatically on first login
- Simplified Offboarding: deactivate the user once in the IdP and all access is removed
### Configuring SSO

To set up SSO for your organization:

1. Go to Settings → Single Sign-On
2. Choose your protocol (OIDC or SAML)
3. Enter your IdP details:
   - OIDC: Client ID, Client Secret, Issuer URL
   - SAML: Metadata URL or upload XML file
4. Map user attributes (email, name, etc.)
5. Test the configuration
6. Enable for your organization

See the Configuring SSO Guide for detailed instructions.
### SSO Enforcement

You can require all users to use SSO:

1. Go to Settings → Single Sign-On
2. Enable Require SSO for all users
3. Other login methods are disabled
4. Users must authenticate via your IdP

Enable JIT (just-in-time) provisioning to automatically create users when they first log in via SSO, so there is no need to invite them manually.
## Google OAuth

Quick and easy authentication for users with Google accounts.

### How It Works

1. User clicks Sign in with Google
2. Redirected to Google authentication
3. Approves access
4. Logged into Console

### Enabling Google OAuth

1. Go to Settings → Authentication
2. Enable Google OAuth
3. Users see the "Sign in with Google" button

### When to Use

Google OAuth is great for:

- Small teams using Google Workspace
- Quick onboarding without setting up SSO
- Organizations without an enterprise IdP
## Two-Factor Authentication (2FA)

Add an extra layer of security by requiring a second factor beyond the password.

### How 2FA Works

Login flow with 2FA:

1. Enter email and password → success
2. Enter the 6-digit code from your authenticator app → success
3. Logged in
### Setting Up 2FA

For Users:

1. Go to Profile → Security
2. Click Enable Two-Factor Authentication
3. Scan the QR code with an authenticator app:
   - Google Authenticator
   - Microsoft Authenticator
   - 1Password
   - Authy
4. Enter the 6-digit code to confirm
5. Save backup codes in a safe place

For Administrators:

1. Go to Settings → Security
2. Enable Require 2FA for all users
3. Existing users will be prompted to set up 2FA on next login
### Backup Codes

When setting up 2FA, users receive backup codes (single-use recovery codes):

- Store them securely (password manager, safe place)
- Use them if you lose access to your authenticator app
- Each code can only be used once
- Generate new codes if you use all of them

### Resetting 2FA

If a user loses access to their authenticator, as an administrator:

1. Go to Users → select the user
2. Click Reset 2FA
3. User must set up 2FA again on next login

Only reset 2FA after verifying the user's identity through another channel (phone, video call, etc.).
## Login Process

### Basic Login Flow

1. User goes to console.solucao42.com.br
2. Enters company slug
3. Chooses login method:
   - Email & Password
   - Passwordless
   - SSO
   - Google OAuth
4. Completes authentication
5. (If 2FA enabled) Enters 6-digit code
6. Logged in
### Company Slug

The company slug identifies which organization you're logging into.

Example:

- Your company: "Acme Corporation"
- Company slug: `acme-corp`
- Users enter `acme-corp` before logging in

You can create a custom login URL like login.acme.com that pre-fills the company slug for your users.
## Session Management

### Session Duration

After logging in:

- Sessions last 7 days by default
- Can be configured per organization
- Activity extends the session

### Ending Sessions

Manual Logout:

- User clicks Logout in the profile menu
- Session ends immediately

Automatic Logout:

- Session expires after the inactivity period
- User is redirected to the login page

### Device Management

Users can see their active sessions:

1. Go to Profile → Security
2. View Active Sessions
3. See devices, locations, and last activity
4. Revoke sessions from lost/stolen devices
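The session rules above (a 7-day default that activity extends, a per-organization override, immediate logout, and a per-user list of active sessions that can be revoked) fit in one small store. The Python below is an added example, not Console's code. One thing it adds that the page does not state, labelled as an assumption, is a 30-day absolute cap: a purely sliding session that is touched regularly would otherwise never expire. The `now` parameter is an injected clock for testing.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional

DEFAULT_IDLE_SECONDS = 7 * 24 * 3600    # page: sessions last 7 days by default
ABSOLUTE_MAX_SECONDS = 30 * 24 * 3600   # assumption: hard cap even for an always-active session


class SessionStore:
    """Sliding-expiry sessions with a per-organization idle timeout (example implementation)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._org_idle: Dict[str, int] = {}     # organization slug -> idle timeout override
        self._sessions: Dict[str, dict] = {}    # opaque token -> session record

    def configure_org(self, org_slug: str, idle_seconds: int) -> None:
        """Override the default idle timeout for one organization."""
        self._org_idle[org_slug] = idle_seconds

    def create(self, user: str, org_slug: str, device: str) -> str:
        """Start a session after successful authentication; returns the opaque token."""
        token = secrets.token_urlsafe(32)   # unguessable identifier, nothing encoded in it
        now = self._now()
        self._sessions[token] = {
            "user": user,
            "org": org_slug,
            "device": device,
            "created": now,
            "last_seen": now,
        }
        return token

    def touch(self, token: str) -> Optional[str]:
        """Validate a request's session; return the user and extend the session, or None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._now()
        idle_limit = self._org_idle.get(s["org"], DEFAULT_IDLE_SECONDS)
        if now - s["last_seen"] > idle_limit or now - s["created"] > ABSOLUTE_MAX_SECONDS:
            del self._sessions[token]   # automatic logout: the caller redirects to login
            return None
        s["last_seen"] = now            # activity extends the session
        return s["user"]

    def revoke(self, token: str) -> None:
        """Manual logout, or revoking a lost device's session: takes effect immediately."""
        self._sessions.pop(token, None)

    def active_sessions(self, user: str) -> List[dict]:
        """What an Active Sessions page would list for a user: device and last activity."""
        return [
            {"token": t, "device": s["device"], "last_seen": s["last_seen"]}
            for t, s in self._sessions.items()
            if s["user"] == user
        ]


if __name__ == "__main__":
    store = SessionStore()
    laptop = store.create("alice", "acme-corp", "laptop")
    phone = store.create("alice", "acme-corp", "phone")
    print("valid:", store.touch(laptop))
    store.revoke(phone)   # e.g. the phone was lost
    print("remaining devices:", [s["device"] for s in store.active_sessions("alice")])
```

Because the token is an opaque random value and all state lives server-side, revoking a session is a single delete and is effective on the next request, which is the property the Device Management page relies on.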
## Security Features

### Rate Limiting

Login attempts are rate-limited to prevent brute-force attacks:

| Limit Type | Threshold |
|---|---|
| Per IP address | 5 attempts per 15 minutes |
| Per email | 10 attempts per 15 minutes |

Exceeding a limit results in a temporary lockout.
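To make the two thresholds concrete, here is an added Python example (not Console's code) of a sliding-window limiter keyed on both IP address and email, replayed over a constructed sequence of login attempts. It assumes that an attempt which is blocked is not itself counted, and that successful and failed attempts count alike, neither of which the page specifies.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

WINDOW_SECONDS = 15 * 60   # both limits on the page use a 15-minute window
IP_LIMIT = 5               # attempts per IP address per window
EMAIL_LIMIT = 10           # attempts per email address per window


class LoginRateLimiter:
    """Sliding-window counters per IP and per email (example implementation)."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_email: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _prune(events: Deque[float], now: float) -> None:
        # Drop timestamps that have fallen out of the 15-minute window.
        while events and events[0] <= now - WINDOW_SECONDS:
            events.popleft()

    def check(self, ip: str, email: str, now: float) -> Optional[str]:
        """Return None if the attempt may proceed, or "ip"/"email" naming the limit hit."""
        ip_events = self._by_ip[ip]
        email_events = self._by_email[email.lower()]
        self._prune(ip_events, now)
        self._prune(email_events, now)
        if len(ip_events) >= IP_LIMIT:
            return "ip"
        if len(email_events) >= EMAIL_LIMIT:
            return "email"
        return None

    def record_attempt(self, ip: str, email: str, now: float) -> None:
        """Count an attempt that was allowed through (success or failure alike)."""
        self._by_ip[ip].append(now)
        self._by_email[email.lower()].append(now)


# Constructed sample of (unix_time, ip, email) login attempts, not real log data.
SAMPLE_ATTEMPTS: List[Tuple[float, str, str]] = (
    # six attempts from one IP within a minute: the sixth trips the per-IP limit
    [(i * 10.0, "203.0.113.7", "alice@example.com") for i in range(6)]
    # the same IP again after the window has slid forward: allowed
    + [(901.0, "203.0.113.7", "alice@example.com")]
    # eleven attempts on one account from eleven IPs: the eleventh trips the per-email limit
    + [(2000.0 + i, f"198.51.100.{i}", "bob@example.com") for i in range(11)]
)


def replay(attempts: List[Tuple[float, str, str]]) -> List[Optional[str]]:
    """Run attempts through the limiter; each result is None (allowed) or the limit hit."""
    limiter = LoginRateLimiter()
    decisions: List[Optional[str]] = []
    for ts, ip, email in attempts:
        blocked_by = limiter.check(ip, email, ts)
        if blocked_by is None:
            limiter.record_attempt(ip, email, ts)
        decisions.append(blocked_by)
    return decisions


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "allowed" if decision is None else f"blocked by {decision} limit")
```

The second half of the sample shows why the page keeps two limits: a guessing campaign that rotates source addresses never reaches five attempts from any one IP, so only the per-email counter stops it. A real deployment would keep these counters in shared storage (for example Redis) so that every application instance sees the same counts.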
### Audit Logging

All authentication events are logged:

- Successful logins
- Failed login attempts
- Password changes
- 2FA changes
- SSO authentication

Administrators can review logs in Settings → Audit Log.
## Best Practices

### For Administrators

- Enable 2FA - require it for all users, or at least for administrators
- Use SSO - if available, SSO provides the best security
- Regular audits - review login logs for suspicious activity
- Strong policies - enforce strong password requirements
- Educate users - train users on security best practices

### For Users

- Use unique passwords - don't reuse passwords from other sites
- Enable 2FA - even if not required, enable it for your account
- Secure backup codes - store them in a password manager
- Report suspicious activity - tell admins if you see unusual logins
- Log out on shared devices - always log out on public computers
## Troubleshooting

### "Company not found"

The company slug is incorrect. Check with your administrator for the correct slug.

### "Invalid credentials"

The email or password is wrong. Use "Forgot Password" if needed.

### "Too many attempts"

You've exceeded the rate limit. Wait 15 minutes and try again.

### "2FA code invalid"

- Ensure your device's time is synchronized
- Use the latest code (a new one is generated every 30 seconds)
- If it still fails, contact your administrator to reset 2FA
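The 6-digit code in the 2FA login flow above and the 30-second cadence and clock-synchronization advice in this troubleshooting entry are both properties of TOTP (RFC 6238), which the authenticator apps listed under Setting Up 2FA implement. The Python below is an added example, not Console's code: it derives the expected code on the server and shows why a one-step tolerance window is the usual answer to a phone whose clock is slightly off. The secret used in the demo is the RFC's published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code: the "30 seconds" in the troubleshooting note
DIGITS = 6       # the page's 6-digit code


def totp_at(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // TIME_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate small clock skew."""
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return False
    matched = False
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp_at(secret_b32, unix_time + step * TIME_STEP)
        # Check every candidate, so timing does not reveal which step matched.
        matched |= hmac.compare_digest(expected, submitted)
    return matched


if __name__ == "__main__":
    # Demo secret from the RFC 6238 test vectors (ASCII "12345678901234567890"), not a real key.
    demo = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    print("code for this step:", totp_at(demo, now))
    print("accepted:", verify_totp(demo, totp_at(demo, now), now))
```

A device that is a minute or more out of sync produces codes from a step the server no longer accepts, which is exactly the "2FA code invalid" symptom the page describes. A production verifier should also remember the last counter it accepted for each user and refuse a second login with that same step, so a code observed over someone's shoulder cannot be replayed within its 30-second life.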
## Next Steps

- Security - overall security best practices
- Configuring SSO Guide - set up enterprise SSO
- Enabling 2FA Guide - require 2FA for your organization

Building authentication into your app? See the Authentication API Guide for technical integration.