Security Overview

AuthCore provides enterprise-grade security features out of the box to protect your application and users from common attack vectors.

Security Philosophy

Security is not an afterthought; it's built into every layer of AuthCore. Our approach combines:

  • Defense in depth with multiple security layers
  • Secure defaults that don't require configuration
  • Fine-grained control for advanced use cases
  • Transparency through audit logging
  • Industry-standard best practices

Core Security Features

🔒 Account Lockout Policy

Protect against brute force attacks by automatically locking accounts after a configurable number of failed login attempts.

  • Configurable max attempts (default: 5)
  • Automatic unlock after duration (default: 15 minutes)
  • Manual admin unlock capability
  • Track lockout history

📧 Email Restrictions

Control who can sign up using email allowlists, blocklists, and disposable email detection.

  • Allowlist specific domains or emails
  • Blocklist unwanted domains or emails
  • Automatically block disposable emails
  • Support for domain patterns (e.g. @company.com)

🚪 Sign-up Modes

Choose the right sign-up strategy for your application lifecycle.

  • PUBLIC: Anyone can sign up freely
  • RESTRICTED: Only allowlisted emails can sign up
  • WAITLIST: Collect emails for future launch

πŸ›‘οΈ User Enumeration Protection

Prevent attackers from discovering valid user accounts through timing attacks or error messages.

  • Consistent error messages for login failures
  • Same response time regardless of account existence
  • Generic "invalid credentials" messages
  • No hints about whether email is registered
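The lockout policy and the enumeration-safe login path described in the two sections above, as an added Python sketch (not AuthCore's own code, whose API this page does not show). The `Account` record, PBKDF2 hashing and the dummy-record trick for unknown emails are assumptions; the defaults of 5 attempts and 15 minutes are the ones stated on this page.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5                        # AuthCore default
LOCKOUT_SECONDS = 15 * 60               # AuthCore default: 15 minutes
GENERIC_ERROR = "invalid credentials"   # one message for every failure path

@dataclass
class Account:                          # assumed record shape, not AuthCore's schema
    email: str
    password_hash: bytes
    salt: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0           # epoch seconds; 0.0 means not locked
    lockout_history: list = field(default_factory=list)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed dummy record: unknown emails still run the full hash, so the
# response time does not reveal whether the account exists.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY = Account("", hash_password("no-such-user", _DUMMY_SALT), _DUMMY_SALT)

def login(accounts: dict, email: str, password: str, now=None):
    """Return (success, message); the message is identical for every failure."""
    now = time.time() if now is None else now
    acct = accounts.get(email, _DUMMY)
    real = acct is not _DUMMY
    locked = acct.locked_until > now
    if real and acct.locked_until and not locked:     # window expired: auto-unlock
        acct.failed_attempts, acct.locked_until = 0, 0.0
    # Verify even when locked or unknown, so timing stays uniform.
    ok = hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)
    if real and ok and not locked:
        acct.failed_attempts = 0
        return True, "ok"
    if real and not locked:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.lockout_history.append(now)          # lockout history for admins/audit
    return False, GENERIC_ERROR

def admin_unlock(acct: Account) -> None:
    """Manual unlock by an administrator; the history entry is kept."""
    acct.failed_attempts, acct.locked_until = 0, 0.0
```

Note that a correct password submitted during the lockout window is rejected with the same generic message, which is what makes the lockout effective against online guessing.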

πŸ” Two-Factor Authentication

Optional TOTP-based 2FA for enhanced account security.

  • QR code generation for authenticator apps
  • Backup codes for account recovery
  • User-controlled enable/disable
  • Per-user 2FA enforcement option

📊 Audit Logging

Comprehensive activity tracking for security monitoring and compliance.

  • Track all authentication events
  • Log security-related changes
  • IP address and user agent capture
  • Searchable audit trail

Configuration Example

Configuring Security Settings

Security Best Practices

✅ Enable Account Lockout

Always enable lockout policy in production. Default settings (5 attempts, 15-minute lockout) work well for most applications.

✅ Block Disposable Emails

Prevent spam and abuse by blocking temporary email providers unless your use case specifically requires them.

✅ Require Email Verification

Enable email verification to ensure users own the email address they're registering with.

✅ Use Strong Password Policies

Enforce minimum length and character requirements. Consider 12+ characters with mixed case, numbers, and symbols.

✅ Encourage 2FA Adoption

Promote two-factor authentication to users, especially admins. Consider requiring it for sensitive operations.

✅ Monitor Audit Logs

Regularly review security logs for suspicious patterns like multiple failed logins or unusual access times.
