Authentication flows and recovery

Normal login flow

  1. User submits email and password.
  2. The system verifies that the user record is active and that the account the user belongs to is also active.
  3. Password is validated. Failed attempts are tracked.
  4. Password expiration is checked (90-day lifetime).
  5. Single-session enforcement is checked.
  6. Concurrent seat limits are checked.
  7. If all checks pass, a secure session cookie is issued.
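The seven checks above, run in the same order, as an added Python example (not the page's own code). It assumes a lockout threshold of five failures, PBKDF2 for password hashing, that a new login is rejected while a session is already live, and that seats are counted per account; the page does not state any of those, and the `Account`, `User`, `login` and `logout` names are illustrative.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PASSWORD_LIFETIME_SECONDS = 90 * 24 * 3600  # 90-day lifetime, as stated on the page
MAX_FAILED_ATTEMPTS = 5                     # assumed lockout threshold; the page only says failures are tracked
PBKDF2_ROUNDS = 100_000                     # assumed hashing parameters; tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Customer account (tenant) the user belongs to; concurrent seats are counted here."""
    active: bool = True
    seat_limit: int = 2
    live_sessions: set = field(default_factory=set)


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    password_set_at: float          # unix time the current password was set
    account: Account
    active: bool = True
    failed_attempts: int = 0
    session_id: Optional[str] = None  # single-session enforcement: at most one live session


def new_user(email: str, password: str, account: Account, password_set_at: float) -> User:
    salt = secrets.token_bytes(16)
    return User(email, salt, hash_password(password, salt), password_set_at, account)


def login(users: Dict[str, User], email: str, password: str, now: float) -> Tuple[Optional[str], str]:
    """Run the login checks in order. Returns (Set-Cookie value, status); the cookie is None unless status is "ok"."""
    user = users.get(email)
    # Step 2: both the user record and its account must be active. Unknown, disabled and
    # wrong-password cases share one generic status so the form cannot enumerate emails.
    if user is None or not user.active or not user.account.active:
        return None, "invalid_credentials"
    # Step 3: verify the password and track failures (lockout threshold is an assumed policy).
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return None, "locked"
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        user.failed_attempts += 1
        return None, "invalid_credentials"
    user.failed_attempts = 0
    # Step 4: 90-day password lifetime.
    if now - user.password_set_at > PASSWORD_LIFETIME_SECONDS:
        return None, "password_expired"
    # Step 5: single-session enforcement. This example rejects the new login while one is
    # live (assumed; the page does not say whether the old session is evicted instead).
    if user.session_id is not None:
        return None, "already_logged_in"
    # Step 6: concurrent seat limit across the whole account.
    if len(user.account.live_sessions) >= user.account.seat_limit:
        return None, "seat_limit_reached"
    # Step 7: issue an opaque random session id in a cookie the browser will not expose to
    # scripts, send over plain HTTP, or attach to cross-site requests.
    session_id = secrets.token_urlsafe(32)
    user.session_id = session_id
    user.account.live_sessions.add(session_id)
    cookie = f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"
    return cookie, "ok"


def logout(user: User) -> None:
    """Invalidate the session server-side and free its seat."""
    if user.session_id is not None:
        user.account.live_sessions.discard(user.session_id)
        user.session_id = None
```

Note that the password check runs before the expiry, session and seat checks, so an expired password or a full account never reveals whether the submitted password was right to anyone who does not already know it.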

Password reset flow

  1. User submits their email on the Forgot Password page.
  2. If the email matches an active user, a reset email is sent. The response is the same whether or not the email exists, so the form cannot be used to enumerate registered addresses.
  3. The email contains a unique, single-use reset link.
  4. User clicks the link and sets a new password.
  5. The new password is validated (cannot match any of the last 5 passwords).
  6. On success, the user is redirected to the Login page.
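The reset flow end to end, as an added Python example that is not the page's own code. It assumes a 30-minute token lifetime, that only a SHA-256 digest of the token is stored, that the token is consumed on success only (so a rejected password does not force a new email), and that "last 5 passwords" includes the current one; the page states none of these. The function and class names, the reset URL and the sample users are illustrative.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESET_TOKEN_TTL_SECONDS = 30 * 60   # assumed lifetime; the page says single-use but gives no expiry
PASSWORD_HISTORY_DEPTH = 5          # "cannot match any of the last 5 passwords" (from the page)
PBKDF2_ROUNDS = 100_000             # assumed hashing parameters; tune for your hardware
GENERIC_REPLY = "If that address is registered, a password reset email has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    email: str
    active: bool = True
    # (salt, hash) pairs, most recent first; index 0 is the current password
    password_history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    reset_token_hash: Optional[bytes] = None   # SHA-256 of the outstanding token; None when none is live
    reset_token_expires: float = 0.0


def set_password(user: User, password: str) -> None:
    salt = secrets.token_bytes(16)
    user.password_history.insert(0, (salt, hash_password(password, salt)))
    del user.password_history[PASSWORD_HISTORY_DEPTH:]   # keep only what the reuse check needs


def request_reset(users: Dict[str, User], email: str, outbox: List[Tuple[str, str]], now: float) -> str:
    """Steps 1-3: mint a token only for an active user, but always return the same reply."""
    user = users.get(email)
    if user is not None and user.active:
        token = secrets.token_urlsafe(32)
        # Store only a digest: a leaked database copy must not yield usable reset links.
        user.reset_token_hash = hashlib.sha256(token.encode("ascii")).digest()
        user.reset_token_expires = now + RESET_TOKEN_TTL_SECONDS
        outbox.append((email, f"https://app.example.com/reset-password?token={token}"))
    return GENERIC_REPLY


def _find_by_token(users: Dict[str, User], token: str) -> Optional[User]:
    digest = hashlib.sha256(token.encode("ascii")).digest()
    # A real store would index the digest column; the comparison itself is constant-time.
    for user in users.values():
        if user.reset_token_hash is not None and hmac.compare_digest(user.reset_token_hash, digest):
            return user
    return None


def complete_reset(users: Dict[str, User], token: str, new_password: str, now: float) -> str:
    """Steps 4-6: validate the link, enforce the history rule, then consume the token."""
    user = _find_by_token(users, token)
    if user is None or not user.active or now > user.reset_token_expires:
        return "invalid_token"
    # Step 5: reject any of the 5 most recent passwords, each checked under its own salt.
    for salt, old_hash in user.password_history[:PASSWORD_HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(new_password, salt), old_hash):
            return "password_reused"   # token stays live so the user can try another password
    set_password(user, new_password)
    user.reset_token_hash = None       # single-use: a second click on the same link now fails
    return "redirect:/login"
```

Because each historical entry keeps its own salt, the reuse check has to re-hash the candidate once per entry; with five entries that is a bounded, acceptable cost and avoids the weaker alternative of storing old passwords under a shared or fast hash.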