Authentication & 2FA
Internal users authenticate through Laravel's web guard. Requesters authenticate through the requester guard. The app includes password reset, OTP, TOTP challenge, recovery codes, account lock status pages, and session policy controls.
Internal Login
/loginshows the internal login page./login/authprocesses login.- Failed login attempts and lockout behavior follow Settings -> Security.
- Locked, banned, and suspended account status pages are available for blocked users.
OTP
OTP routes include /otp for challenge, verification, and resend. OTP TTL, max attempts, resend cooldown, rate window, max OTPs, locked TTL, queue mode, and channel toggles are configured in Settings.
TOTP
Users with the right permission can open /2fa/settings, enable TOTP, confirm setup, generate recovery codes, mark recovery codes viewed, and disable TOTP. Challenge routes live at /2fa/challenge.
Password Reset
Internal password reset routes include forgot password, password email, reset password form, and password update. Requester portal has a separate forgot/reset flow under /portal.
Profile Security
Users can update profile information, change password, and trigger email verification from /profile. Password updates follow the active password policy.
Recommended Policy
- Require strong passwords and a lockout window for failed attempts.
- Keep email delivery working before requiring OTP by email.
- Require TOTP for admins and users with sensitive permissions.
- Use HTTPS before enabling secure session cookies.
Screenshots To Add
These placeholders are intentionally kept in the docs so release screenshots can be dropped in later without changing the written guide for Authentication & 2FA.