Module: Security & Authentication
Status: 2FA enforced · Biometric enabled · 3 active sessions

Users with 2FA active: 23 (100% of active users)
2FA method: TOTP + SMS (admin configurable)
Avg signup time: 2.4 min (including 2FA setup)
Failed 2FA attempts: 0 (last 30 days)
2FA signup flow — mobile screens
Step 1 โ€” Register
SiebenCMMS
Create your account
Invited by your administrator
Full name
Thabo Nkosi
Work email
Password
••••••••••
Mobile number (for 2FA)
+27 82 555 0142
🔒 2-factor authentication will be set up on the next screen
Step 2 — Verify OTP
📲 Check your phone
We sent a 6-digit code to
+27 82 555 0142
Code entry: 3 7 2 _ _ _
Code expires in 04:32
Resend code
Use authenticator app instead
Step 3 — Enable biometric
✅ 2FA verified!
Set up quick biometric login for future access
Tap fingerprint to enrol
ℹ Biometric data never leaves your device. We store only a secure token.
2FA signup flow (ISO 45001 · IATF)
1
Admin sends invite
Admin creates the user in the system and assigns a role. A time-limited invite link (24h) is emailed. New users cannot self-register; an invite is required.
Invite-only model
2
Profile + mobile number
User sets name, password and mandatory mobile number. Password enforced: 12+ chars, upper + lower + symbol + number.
12-char minimum with composition rules (NIST SP 800-63B supports the length minimum but advises against composition rules; see the password policy section)
3
OTP code verification
6-digit OTP sent to mobile. 5-minute expiry. 3 failed attempts locks registration — admin must re-issue invite. TOTP authenticator app (Google/Microsoft) offered as alternative. Note that NIST SP 800-63B classes SMS (PSTN) out-of-band codes as a restricted authenticator because of SIM-swap and interception risk; the TOTP option is the stronger of the two and should be preferred where the role allows.
5 min expiry · 3 attempt lock · SMS is the weaker option
4
Biometric enrolment (optional)
Device biometric (fingerprint or Face ID) is enrolled as a FIDO2/WebAuthn credential. The server stores only the credential's public key and credential ID (see the Biometric_Tokens table below), never the biometric data, and the private key stays in the device's secure enclave. Admin can make this mandatory per role.
WebAuthn / FIDO2 standard · public key only server-side
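Steps 2 and 3 of the signup flow (SMS code with 5-minute expiry and 3-attempt lock, TOTP app as the alternative) as runnable Python. This is an added example, not SiebenCMMS code: the service and class names, the salted-hash storage of the SMS code, the return-value strings and the injectable clock are assumptions. The TOTP part follows RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits), which is what Google and Microsoft Authenticator expect, and is checked below against the RFC test secret.

```python
"""SMS OTP and TOTP verification for the signup flow (added example)."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 5 * 60     # page: 5-minute expiry
OTP_MAX_ATTEMPTS = 3         # page: 3 failed attempts lock registration
TOTP_STEP_SECONDS = 30       # RFC 6238 default, used by Google/Microsoft Authenticator


@dataclass
class OtpChallenge:
    """Server-side record of one SMS code. Only a salted hash of the code is kept."""
    salt: bytes
    code_hash: bytes
    issued_at: float
    failed_attempts: int = 0
    locked: bool = False     # True: registration locked, admin must re-issue the invite
    used: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class SmsOtpService:
    """Issues and checks SMS codes. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._challenges: dict[str, OtpChallenge] = {}

    def issue(self, user_id: str) -> str:
        # uniformly random 6-digit code, leading zeros kept
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._challenges[user_id] = OtpChallenge(salt, _hash_code(code, salt), self._now())
        return code   # handed to the SMS gateway; never logged or stored in clear

    def verify(self, user_id: str, submitted: str) -> str:
        ch = self._challenges.get(user_id)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"
        if ch.used:
            return "already_used"
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            return "expired"
        # constant-time comparison so response timing does not leak matching prefixes
        if hmac.compare_digest(_hash_code(submitted, ch.salt), ch.code_hash):
            ch.used = True
            return "ok"
        ch.failed_attempts += 1
        if ch.failed_attempts >= OTP_MAX_ATTEMPTS:
            ch.locked = True
            return "locked"
        return "wrong"


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: float, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(at_time) // TOTP_STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock skew.
    Callers must still record the last accepted step per user so a code cannot be replayed."""
    counter = int(at_time) // TOTP_STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-window, window + 1)
    )
```

The SMS path stores a salted hash rather than the code so a database read does not yield live codes, and it refuses further checks once locked even if the right code is later submitted; unlocking is the admin's re-issued invite, as the flow above requires.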
Security policy stats
2FA method: SMS OTP + TOTP app
OTP expiry: 5 minutes
Failed attempt lockout: 3 attempts
Invite link validity: 24 hours
Password minimum length: 12 characters
Session token expiry: 8 hours (shift-aligned)
Biometric standard: WebAuthn / FIDO2
Biometric data stored server-side? Never — public-key credential only
Biometric login — mobile screens
Biometric prompt
SiebenCMMS
Welcome back
T. Nkosi
Senior Technician · Plant B
Tap to use fingerprint
or
Switch account
Scanning...
SiebenCMMS
Authenticating
Hold your finger on the sensor
Scanning fingerprint...
Authenticated ✓
SiebenCMMS
Access granted
Redirecting to your dashboard
✓ Identity confirmed
Session token issued · 8h expiry
Device: MOBILE-T42 · Plant B
3 open job cards
JOB #1042 — HV Transformer · Urgent
Biometric login flow (WebAuthn / FIDO2)
1
App opens โ€” user recognised
Device checks for a stored biometric credential (the FIDO2 key pair enrolled at signup). If found, the biometric prompt is presented immediately; no username or password is needed.
Sub-2 second access
2
Device authenticates locally
Fingerprint or Face ID is verified entirely on-device by the OS (Android BiometricPrompt / iOS LocalAuthentication). Biometric data is never transmitted.
On-device only · no data leaves
3
Signed challenge returned
On success, the device signs a server-issued challenge using the private key stored in the device's secure enclave. The signature is verified server-side.
Secure enclave · challenge-response
4
Fallback: PIN or password
If biometric fails 2x or the user chooses it, a PIN or full password + 2FA is required. After 5 failed attempts the account is locked and the admin is notified.
5 fail lockout → admin alert
5
Session token + audit log
An 8-hour JWT is issued (aligned to shift length) and recorded in the Sessions table so it can be revoked before expiry on password change or when the device limit is exceeded; a self-contained JWT cannot be revoked without such a server-side record. Every login is logged: timestamp, device ID, biometric or password method, GPS if available.
Shift-aligned · full audit trail
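Step 3 above (the device signs a server-issued challenge, the server verifies it) as a worked exchange with both sides in Python. This is an added example, not code from the SiebenCMMS project. It needs the third-party `cryptography` package for P-256 ECDSA; the class names, the 60-second challenge lifetime, the RP ID `siebencmms.example` and the constructed origin are assumptions. The authenticator-data layout (rpIdHash, flags, signature counter) and the signed message `authenticatorData || SHA-256(clientDataJSON)` follow the WebAuthn specification; attestation, COSE key encoding and extensions are left out.

```python
"""Device/server challenge-response in the WebAuthn style (added example)."""
import base64
import hashlib
import json
import secrets
import struct
import time
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

CHALLENGE_TTL_SECONDS = 60      # assumption: the page gives no challenge lifetime
FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticator flags: user present, user verified (biometric)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class BiometricCredential:
    """What the server keeps (cf. the Biometric_Tokens table): a public key, no biometrics."""
    user_id: str
    public_key_pem: bytes
    sign_count: int = 0
    is_active: bool = True      # set False on password reset


class DeviceAuthenticator:
    """Device side. The private key never leaves this object (secure-enclave stand-in);
    the OS biometric prompt is simulated by the user_verified argument."""

    def __init__(self, rp_id: str):
        self._key = ec.generate_private_key(ec.SECP256R1())
        self.credential_id = secrets.token_bytes(16)
        self._rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        self.sign_count = 0

    def public_key_pem(self) -> bytes:
        return self._key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

    def get_assertion(self, challenge: bytes, origin: str, user_verified: bool = True):
        client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                                  "origin": origin}).encode()
        self.sign_count += 1
        flags = FLAG_UP | (FLAG_UV if user_verified else 0)
        auth_data = self._rp_id_hash + bytes([flags]) + struct.pack(">I", self.sign_count)
        # WebAuthn signs authenticatorData || SHA-256(clientDataJSON)
        signature = self._key.sign(auth_data + hashlib.sha256(client_data).digest(),
                                   ec.ECDSA(hashes.SHA256()))
        return client_data, auth_data, signature


class RelyingParty:
    """Server side: issues single-use challenges and verifies the signed response."""

    def __init__(self, rp_id: str, origin: str, now=time.time):
        self.rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        self.origin = origin
        self._now = now
        self.credentials: dict[bytes, BiometricCredential] = {}
        self._pending: dict[bytes, tuple[str, float]] = {}   # challenge -> (user, issued_at)

    def register(self, user_id: str, credential_id: bytes, public_key_pem: bytes) -> None:
        self.credentials[credential_id] = BiometricCredential(user_id, public_key_pem)

    def begin_login(self, user_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = (user_id, self._now())
        return challenge

    def finish_login(self, credential_id: bytes, client_data: bytes,
                     auth_data: bytes, signature: bytes) -> str:
        try:
            cd = json.loads(client_data)
            challenge = b64url_decode(cd["challenge"])
        except (ValueError, KeyError, TypeError):
            return "malformed_client_data"
        pending = self._pending.pop(challenge, None)        # single use: a replay fails here
        if pending is None:
            return "unknown_challenge"
        user_id, issued_at = pending
        if self._now() - issued_at > CHALLENGE_TTL_SECONDS:
            return "challenge_expired"
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return "wrong_origin"                           # assertion made for another site
        cred = self.credentials.get(credential_id)
        if cred is None or cred.user_id != user_id:
            return "unknown_credential"
        if not cred.is_active:
            return "credential_revoked"                     # e.g. after a password reset
        if auth_data[:32] != self.rp_id_hash:
            return "wrong_rp"
        if (auth_data[32] & (FLAG_UP | FLAG_UV)) != (FLAG_UP | FLAG_UV):
            return "user_not_verified"                      # biometric check did not pass
        new_count = struct.unpack(">I", auth_data[33:37])[0]
        if new_count <= cred.sign_count:
            return "counter_regressed"                      # possible cloned authenticator
        public_key = serialization.load_pem_public_key(cred.public_key_pem)
        try:
            public_key.verify(signature, auth_data + hashlib.sha256(client_data).digest(),
                              ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return "bad_signature"
        cred.sign_count = new_count
        return "ok"
```

The order of checks is deliberate: the challenge is consumed before anything else so a captured assertion cannot be replayed, the origin check defeats an assertion obtained by a look-alike site, and the signature counter gives the server a way to notice a cloned key even though the biometric itself never leaves the device.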
Self-service password reset (planning doc requirement)
Step 1 — Email entry
🔑 Forgot password?
Enter your work email and we'll send a reset code to your registered mobile number
Work email
← Back to login
Step 2 — OTP verify
📲 Enter reset code
Sent to •••• 0142
Code entry: 8 4 1 9 _ _
Expires in 03:12
Step 3 — New password
🔒 Set new password
Must be 12+ chars with upper, lower, number, symbol
New password
••••••••••••••
Confirm password
••••••••••••••
✓ 12+ characters   ✓ Uppercase   ✓ Number
✓ Symbol   ✓ Not a previous password
Reset flow rules
Reset initiated by: User self-service (no admin needed)
Identity verification: Email + OTP to registered mobile
OTP expiry: 5 minutes
Max attempts before lockout: 3 attempts
Previous passwords blocked: Last 5 passwords
Reset link validity: 15 minutes
Admin notification on reset: Yes — security alert
Biometric re-enrolment after reset: Required — token invalidated
Note: the email step must respond identically whether or not the address exists, so the reset form cannot be used to enumerate accounts.
Configure organisation-wide authentication requirements. Changes take effect immediately and are logged to the security audit trail.
🔐 Two-factor authentication (2FA)
Require OTP verification at every login, or only at signup. When disabled, users log in with password only — not recommended for production.
Enforced org-wide
Require 2FA at every login
OTP required on every session start. Higher security, slight friction on each login.
Require 2FA at signup only
OTP verified once during account creation. Subsequent logins use password or biometric only.
Allow TOTP authenticator app
Users can use Google Authenticator, Microsoft Authenticator, or Authy as an alternative to SMS.
Allow SMS OTP
Send 6-digit codes via SMS to the user's registered mobile number.
Lock account after 3 failed OTP attempts
Prevents brute-force attacks. Admin must manually unlock or re-issue invite.
Notify admin on all failed 2FA attempts
Every failed OTP attempt triggers a security notification to the admin email group.
👁 Biometric login
Allow fingerprint and Face ID as a fast login method for returning users. Can be made mandatory for field technicians or optional for office roles.
Enabled — optional
Allow fingerprint authentication
Users can enrol a fingerprint via Android BiometricPrompt or iOS Touch ID.
Allow Face ID / face unlock
Face recognition via iOS Face ID or Android face unlock. Supported on FIDO2-compliant devices.
Make biometric mandatory for Technician role
Field technicians must enrol biometric — ensures rapid, one-hand access when wearing PPE; Face ID covers the case where gloves prevent a fingerprint read.
Require PIN fallback after biometric failure
After 2 failed biometric attempts, fall back to 4-digit PIN before full password lockout.
Invalidate biometric token on password reset
Security best practice: any password reset invalidates the biometric credential and requires re-enrolment.
Biometric re-enrolment required every 90 days
Periodic re-enrolment ensures the biometric credential remains current and the device is still in the user's possession.
โฑ
Session & token policy
Control how long sessions stay active, when tokens expire, and how many concurrent devices a user can have.
8h sessions
โ–พ
Session duration โ€” 8 hours (shift-aligned)
Tokens expire at the end of a standard shift. Users are re-authenticated at the start of each shift.
Auto-lock after 15 min inactivity
App locks to the biometric / PIN screen after 15 minutes with no interaction.
Limit to 2 concurrent active devices
A user may be logged in on a maximum of 2 devices simultaneously. Logging into a 3rd revokes the oldest session.
Force logout all devices on password change
Any password change or admin-forced reset immediately invalidates all active sessions across all devices.
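The session and token rules above (8-hour shift-aligned expiry, 15-minute inactivity lock, two-device limit that evicts the oldest session, force-logout on password change) together with the biometric rules from the previous section (credential invalidated on password reset, re-enrolment after 90 days) as one runnable Python policy object. This is an added example, not SiebenCMMS code: the class and method names, the status strings and the injectable clock are assumptions, and in-memory dicts stand in for the Sessions and Biometric_Tokens tables.

```python
"""Session and credential lifecycle policy (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SESSION_HOURS = 8            # page: shift-aligned session
INACTIVITY_MINUTES = 15      # page: auto-lock to biometric/PIN screen
MAX_DEVICES = 2              # page: a 3rd login revokes the oldest session
REENROL_DAYS = 90            # page: biometric re-enrolment every 90 days


@dataclass
class Session:
    session_id: str
    user_id: str
    device_id: str
    auth_method: str          # "Password", "Biometric" or "TOTP", as in the Sessions table
    created_at: float
    expires_at: float
    last_seen_at: float
    revoked_at: Optional[float] = None


@dataclass
class BiometricCredential:
    credential_id: str
    user_id: str
    device_id: str
    enrolled_at: float
    is_active: bool = True


class AuthPolicy:
    def __init__(self, now=time.time):
        self._now = now
        self.sessions: dict[str, Session] = {}
        self.credentials: dict[str, BiometricCredential] = {}

    def active_sessions(self, user_id: str) -> list:
        t = self._now()
        return [s for s in self.sessions.values()
                if s.user_id == user_id and s.revoked_at is None and t < s.expires_at]

    def login(self, user_id: str, device_id: str, auth_method: str) -> str:
        t = self._now()
        s = Session(secrets.token_urlsafe(32), user_id, device_id, auth_method,
                    t, t + SESSION_HOURS * 3600, t)
        self.sessions[s.session_id] = s
        live = sorted(self.active_sessions(user_id), key=lambda x: x.created_at)
        for old in live[:-MAX_DEVICES]:       # everything older than the newest MAX_DEVICES
            old.revoked_at = t
        return s.session_id

    def check(self, session_id: str) -> str:
        s = self.sessions.get(session_id)
        if s is None or s.revoked_at is not None:
            return "revoked"
        t = self._now()
        if t >= s.expires_at:
            return "expired"                  # shift over: full re-authentication
        if t - s.last_seen_at > INACTIVITY_MINUTES * 60:
            return "locked"                   # session kept, app shows biometric/PIN screen
        s.last_seen_at = t
        return "active"

    def unlock(self, session_id: str) -> bool:
        """Called after the device-side biometric or PIN check succeeded."""
        s = self.sessions.get(session_id)
        if s is None or s.revoked_at is not None or self._now() >= s.expires_at:
            return False
        s.last_seen_at = self._now()
        return True

    def enrol_biometric(self, user_id: str, device_id: str) -> str:
        cred = BiometricCredential(secrets.token_urlsafe(16), user_id, device_id, self._now())
        self.credentials[cred.credential_id] = cred
        return cred.credential_id

    def biometric_usable(self, credential_id: str) -> str:
        c = self.credentials.get(credential_id)
        if c is None or not c.is_active:
            return "revoked"
        if self._now() - c.enrolled_at > REENROL_DAYS * 86400:
            return "reenrol"
        return "ok"

    def on_password_change(self, user_id: str) -> dict:
        """Password change or reset: revoke every live session and biometric credential."""
        t = self._now()
        revoked = 0
        for s in self.sessions.values():
            if s.user_id == user_id and s.revoked_at is None and t < s.expires_at:
                s.revoked_at = t
                revoked += 1
        invalidated = 0
        for c in self.credentials.values():
            if c.user_id == user_id and c.is_active:
                c.is_active = False
                invalidated += 1
        return {"sessions_revoked": revoked, "biometrics_invalidated": invalidated}
```

Revocation is possible only because every issued token has a row to mark; the `check` call is what a request handler would run before trusting a presented session ID, and the inactivity case returns a distinct state so the client can show the biometric/PIN screen without discarding the shift session.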
🔑 Password policy
Set minimum strength requirements, rotation schedules, and failed attempt lockout rules.
Partly NIST-aligned: the 12-character minimum exceeds the 8-character floor in NIST SP 800-63B, but SP 800-63B advises against composition rules and scheduled rotation, so the settings below should not be labelled "NIST compliant" as a whole.
Minimum 12 characters
Must include upper, lower, number, and special character.
Block last 5 passwords on reset
Prevents password cycling and forces genuinely new credentials.
Force password rotation every 90 days
Users are prompted to change password at 90-day intervals. Session remains active but a renewal banner is shown. Note: NIST SP 800-63B recommends against periodic rotation unless there is evidence of compromise, because forced changes push users toward predictable variations of the old password; the history check and lockout rules do more for security than a schedule.
Account lockout after 5 failed login attempts
Account is locked for 30 minutes, then auto-unlocked. Admin receives notification of lockout event.
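The password rules above (12-character minimum, four character classes, last-5 history, 5-attempt lockout with 30-minute auto-unlock) as a runnable Python check. This is an added example, not SiebenCMMS code. The function and class names, the status strings and the injectable clock are assumptions, and `hashlib.scrypt` from the standard library stands in for the bcrypt cost-12 hash named in the schema so the block runs without third-party packages; the storage format `scrypt$salt$digest` is likewise this example's own.

```python
"""Password strength, history and lockout checks (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

MIN_LENGTH = 12          # page: minimum 12 characters
HISTORY_DEPTH = 5        # page: block last 5 passwords
LOCKOUT_ATTEMPTS = 5     # page: lock after 5 failed login attempts
LOCKOUT_MINUTES = 30     # page: locked for 30 minutes, then auto-unlocked


def check_strength(password: str) -> list:
    """Return the rules the password fails (empty list means acceptable)."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("length")
    if not any(c.isupper() for c in password):
        failed.append("uppercase")
    if not any(c.islower() for c in password):
        failed.append("lowercase")
    if not any(c.isdigit() for c in password):
        failed.append("number")
    if not any(not c.isalnum() for c in password):
        failed.append("symbol")
    return failed


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt stand-in for the schema's bcrypt cost 12: salted, slow, one string to store."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class PasswordAccount:
    def __init__(self, now=time.time):
        self._now = now
        self.history: list = []           # most recent first; history[0] is the live hash
        self.failed_attempts = 0
        self.locked_until: Optional[float] = None

    def set_password(self, new_password: str) -> str:
        if check_strength(new_password):
            return "weak"
        # history check has to verify against each stored hash: salts differ per entry
        if any(verify_password(new_password, h) for h in self.history[:HISTORY_DEPTH]):
            return "reused"
        self.history.insert(0, hash_password(new_password))
        del self.history[HISTORY_DEPTH:]
        return "ok"

    def login(self, password: str) -> str:
        t = self._now()
        if self.locked_until is not None:
            if t < self.locked_until:
                return "locked"
            self.locked_until = None      # 30 minutes passed: auto-unlock
            self.failed_attempts = 0
        if self.history and verify_password(password, self.history[0]):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_ATTEMPTS:
            self.locked_until = t + LOCKOUT_MINUTES * 60
            return "locked"               # page: admin is notified of this event
        return "wrong"
```

Because each history entry carries its own salt, the "not a previous password" check costs one slow hash per stored entry; that is acceptable at a depth of five and is the reason the depth should stay small rather than grow to "all previous passwords".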
Authentication requirements by role
Define exactly which authentication methods are required, optional, or disabled for each role. Admins have the strictest requirements; Technicians prioritise biometric for fast field access.

Authentication method        | Admin | Manager | Technician | Auditor
-----------------------------|-------|---------|------------|--------
Password login               | R     | R       | R          | R
2FA at signup                | R     | R       | R          | R
2FA at every login           | R     | R       | —          | O
Biometric login              | O     | O       | R          | O
Session timeout (inactivity) | 10m   | 15m     | 15m        | 30m
Max concurrent devices       | 2     | 2       | 1          | 2

R = Required — cannot be disabled by user
O = Optional — user can enable/disable
— = Not applicable for this role
Active sessions — all users (3 active)
📱 T. Nkosi — MOBILE-T42: Biometric login · 09:43 today · Plant B · Android 14 · Active
💻 R. Adams — DESKTOP-RA01: Password + 2FA · 08:15 today · Office · Chrome 122 · Active
📱 M. Pieterse — MOBILE-MP18: Biometric login · 06:02 today · Plant B · iOS 17 · Active
📱 S. Dlamini — MOBILE-SD07: Biometric login · Yesterday 22:01 · Session expired · Expired
Authentication schema (PostgreSQL)

```sql
CREATE TABLE Auth_Credentials (
    cred_id         SERIAL PRIMARY KEY,
    user_id         UUID NOT NULL UNIQUE REFERENCES Users,  -- one credential row per user
    password_hash   TEXT NOT NULL,          -- bcrypt, cost factor 12
    totp_secret     TEXT NULL,              -- encrypted TOTP seed, decrypted only at verify time
    phone_verified  BOOLEAN DEFAULT FALSE,
    phone_encrypted BYTEA,                  -- encrypted at rest, never plaintext on disk.
                                            -- Not a hash: the server must recover the number to
                                            -- send SMS codes, and phone numbers are a small
                                            -- keyspace, so a hash would be brute-forced anyway.
    failed_attempts INT DEFAULT 0,
    locked_until    TIMESTAMP NULL
);

CREATE TABLE Biometric_Tokens (
    token_id        SERIAL PRIMARY KEY,
    user_id         UUID NOT NULL REFERENCES Users,
    device_id       VARCHAR(100),
    public_key      TEXT NOT NULL,          -- FIDO2 credential public key; no biometric data
    credential_id   TEXT NOT NULL UNIQUE,   -- WebAuthn credential ID
    sign_count      INT DEFAULT 0,          -- WebAuthn signature counter; a value that does not
                                            -- increase on login indicates a cloned authenticator
    enrolled_at     TIMESTAMP,
    last_used_at    TIMESTAMP,
    is_active       BOOLEAN DEFAULT TRUE    -- FALSE on password reset
);

CREATE TABLE Sessions (
    session_id      UUID PRIMARY KEY,
    user_id         UUID NOT NULL REFERENCES Users,
    device_id       VARCHAR(100),
    auth_method     VARCHAR(20),            -- Password / Biometric / TOTP
    created_at      TIMESTAMP,
    expires_at      TIMESTAMP,              -- created_at + 8h (shift-aligned)
    revoked_at      TIMESTAMP NULL,         -- set on password change or device-limit eviction
    gps_lat         DECIMAL NULL,
    gps_lng         DECIMAL NULL
);

CREATE TABLE Security_Policy (
    policy_id                 SERIAL PRIMARY KEY,
    enforce_2fa_signup        BOOLEAN DEFAULT TRUE,
    enforce_2fa_login         BOOLEAN DEFAULT FALSE,
    biometric_enabled         BOOLEAN DEFAULT TRUE,
    biometric_mandatory_roles TEXT[],
    session_hours             INT DEFAULT 8,
    inactivity_timeout_min    INT DEFAULT 15,
    max_concurrent_sessions   INT DEFAULT 2,
    updated_at                TIMESTAMP,
    updated_by                UUID REFERENCES Users
);
```