User Security Level (Clearance)
A user can change their security level at any time in the Authentication section of the account settings:
- Weak: ID and Password authentication
Authentication by ID and password. Password recovery by email.
- Moderate: Hybrid authentication
Authentication by ID and password. Password recovery by email and SMS code. This level requires the user to specify a mobile number, including the country code.
- Strong: Two-factor authentication
Authentication and password recovery by email and SMS code. This level also requires the user to specify a mobile number, including the country code.
If the user has set two-factor authentication, then once the user enters the email and password, we generate a random 6-digit code and send it to the user by SMS. The user is redirected to a page where the code can be entered. The page also has "back to login" and "resend the code" buttons; pressing "resend the code" generates and sends a new code.
The user has 3 tries before login fails and the user is redirected back to the login panel.
The code has a timeout, after which it is considered invalid.
If the user chose the two-factor scheme for recovery, we send the user an email with a link to the same security code page, and we send an SMS with the code. Once the user enters the code, the password can be changed.
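The code-entry page described above, used for both login and recovery, comes down to a small piece of server-side state. The following is an added sketch, not the product's own code. The class name, the send_sms hook and the 300-second timeout are assumptions, as is the choice to count tries per attempt so that "resend the code" does not buy extra guesses.

```python
import hmac
import secrets
import time

MAX_TRIES = 3           # from the page: 3 tries, then back to the login panel
CODE_TTL_SECONDS = 300  # assumption: the page does not give the timeout value


class SmsChallenge:
    """State for one pending login or recovery attempt (hypothetical name)."""

    def __init__(self, send_sms, clock=time.monotonic):
        self._send_sms = send_sms   # hypothetical gateway hook: callable(code)
        self._clock = clock
        self._tries_left = MAX_TRIES
        self._code = None
        self.resend()

    def resend(self):
        """Issue a new code ("resend the code"); the old one stops working."""
        if self._tries_left == 0:
            return False
        # secrets uses the OS CSPRNG; the random module is predictable.
        self._code = f"{secrets.randbelow(10**6):06d}"
        self._expires = self._clock() + CODE_TTL_SECONDS
        self._send_sms(self._code)
        return True

    def verify(self, submitted):
        """Return 'ok', 'retry', 'expired' or 'failed' (back to login)."""
        if self._tries_left == 0 or self._code is None:
            return "failed"
        if self._clock() >= self._expires:
            return "expired"        # user may still press "resend the code"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), self._code.encode()):
            self._code = None       # single use: close the challenge
            self._tries_left = 0
            return "ok"
        # Tries are counted per attempt, not per code (assumption), so
        # resending does not reset the 3-try limit.
        self._tries_left -= 1
        if self._tries_left == 0:
            self._code = None
            return "failed"
        return "retry"
```

With 3 tries against a 6-digit code, a blind guesser succeeds in roughly 3 out of 1,000,000 attempts per challenge, so the rate at which new challenges can be started for one account matters as much as the per-challenge limit.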