The following article contains technical information about the email authentication method on the Templafy Hive platform. When email authentication is used, Templafy acts as the Identity Provider. This is exclusive to email authentication and is not the case with any SSO protocols.
Security and Passwords:
Templafy does not store user passwords in clear text. We follow industry standards and only store hashed and salted (encrypted) values of the passwords.
Templafy prevents brute force attacks by locking the attempted email address for 5 seconds + a random amount after 2 unsuccessful login attempts. After 10 unsuccessful retries, the attempted email address is blocked for 5 minutes.
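The lockout rule described above can be expressed as a small per-address tracker. This is an added illustration, not Templafy's code: the class and method names, the 3-second upper bound on the random delay, and the resetting of the failure counter on a successful login or after the 5-minute block are assumptions, since the article only gives the thresholds and durations.

```python
import random

SHORT_LOCK_AFTER = 2       # failures before the short lock (from the article)
SHORT_LOCK_SECONDS = 5.0   # base short lock (from the article)
LONG_LOCK_AFTER = 10       # failures before the long block (from the article)
LONG_LOCK_SECONDS = 300.0  # 5 minutes (from the article)
MAX_JITTER_SECONDS = 3.0   # assumption: the article only says "a random amount"


class EmailLockout:
    """In-memory failure tracker keyed by the attempted email address."""

    def __init__(self, rng=None):
        self._rng = rng or random.SystemRandom()
        self._failures = {}      # email -> failures since last reset
        self._locked_until = {}  # email -> time at which the lock expires

    @staticmethod
    def _key(email):
        # Normalise so case or whitespace variants share one counter.
        return email.strip().lower()

    def is_locked(self, email, now):
        # Callers check this first and reject without evaluating the password.
        return now < self._locked_until.get(self._key(email), 0.0)

    def record_failure(self, email, now):
        """Count one failed attempt; return the lock applied, in seconds."""
        key = self._key(email)
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= LONG_LOCK_AFTER:
            duration = LONG_LOCK_SECONDS
            self._failures[key] = 0  # assumption: counting restarts after the block
        elif count >= SHORT_LOCK_AFTER:
            duration = SHORT_LOCK_SECONDS + self._rng.uniform(0, MAX_JITTER_SECONDS)
        else:
            duration = 0.0
        if duration:
            self._locked_until[key] = now + duration
        return duration

    def record_success(self, email):
        # Assumption: a successful login clears the counter and any lock.
        key = self._key(email)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
```

Because the tracker is keyed by the attempted address rather than by an existing account, it behaves the same for unknown addresses, and the random component keeps the retry window from being predictable.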
The password reset can only be done via the registered email address for the account, to prevent theft of credentials.
User personal data:
The first and last name are defined when the user creates an account and are stored in our user management logic with the hashed password, the tenant the user belongs to, and the chosen authentication method.
Templafy does not support MFA for email authentication. For all other authentication methods, the support for MFA is the responsibility of your Identity Provider (IdP).
The refresh token that is issued upon a successful authentication is valid for 14 days.
An owner on the Templafy tenant can additionally review the logins to the tenant that have been performed with email authentication. More information about the activity logs can be found in the article "User management activity log".