Authentication
Authentication is how FullFabric verifies your identity before granting access to the platform. FullFabric supports multiple authentication methods — from email and password to enterprise SSO — so each institution can choose the setup that fits its security requirements.
Login Flow
When you visit the login page, FullFabric uses a multi-step process to determine how to authenticate you:
- Email lookup — You enter your email address. The system checks whether an account exists.
- Password entry — If your account exists and has a password, you enter it.
- Registration — If no account is found, you see a registration form to create one (if the institution allows self-registration).
- Two-factor authentication — If 2FA is enabled on your account, you receive an SMS code to verify.
- Session created — On success, a session cookie is set and you are redirected to the platform.
Authentication Methods
Email and Password (Native)
The default login method. You enter your email and password, and FullFabric validates them against the stored credentials.
- Passwords are hashed and salted — they are never stored in plain text.
- Password strength is scored from 0 (weak) to 4 (strong) based on complexity, common patterns, and dictionary words.
- Password history is tracked to prevent reuse of recent passwords.
SSO / SAML
Enterprise single sign-on via SAML 2.0. When enabled, users authenticate through their organization's identity provider (e.g., OneLogin, Okta, Azure AD) instead of entering a FullFabric password.
When SAML is the only enabled authentication method, the login page redirects directly to the identity provider. See SSO / SAML for configuration details.
OAuth Providers
FullFabric supports social and third-party login via:
- Google — Google account authentication
- LinkedIn — LinkedIn profile authentication
- Microsoft — Microsoft / Azure AD authentication
These are configured per institution and appear as buttons on the login page when enabled.
Magic Links
Passwordless authentication via email. The system sends a time-limited link to your email address. Clicking the link authenticates you and verifies your email in one step. Each magic link is valid only until it expires and is invalidated as soon as it has been used once.
Password Policies
Each institution can configure its own password policy. These settings control minimum requirements for new passwords:
| Setting | Default | Range | Description |
|---|---|---|---|
| Minimum length | 8 | 6–99 | Minimum number of characters |
| Minimum letters | 1 | 1–9 | Minimum alphabetic characters (a–z, A–Z) |
| Minimum digits | 1 | 1–9 | Minimum numeric characters (0–9) |
| Minimum symbols | 1 | 0–9 | Minimum special characters (!@#$%&*, etc.) |
| Minimum security score | 2 | 0–4 | Minimum strength score |
| Password lifetime | 6 months | — | How long before a password must be changed |
| Max failed attempts | 3 | — | Failed logins before temporary lockout |
| Backoff multiplier | 2 | — | Exponential backoff base for lockout duration |
| Password history | 3 | — | Number of previous passwords that cannot be reused |
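To make the table concrete, here is an added example (not FullFabric's code) of a validator that enforces these minimums together with the password-history rule from the Native section. The defaults are the ones in the table; the 0–4 scorer is a crude stand-in for the scale described above, and the PBKDF2 parameters and the common-password list are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass


# Defaults copied from the policy table. A deployment would read these from
# the institution's settings; this dataclass is only an illustration.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_letters: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    min_security_score: int = 2
    history_size: int = 3


# Constructed stand-in for the dictionary/common-pattern data a real scorer uses.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ITERATIONS = 100_000  # assumption: the page only says "hashed and salted"


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) using a fresh random salt for every password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def strength_score(password: str) -> int:
    """Crude 0-4 estimate in the spirit of the page's scale (not FullFabric's algorithm)."""
    if password.lower() in COMMON_PASSWORDS or len(set(password)) <= 1:
        return 0  # dictionary word or a single repeated character
    classes = sum(
        any(c in cls for c in password)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    score = (len(password) >= 8) + (len(password) >= 12) + (classes >= 3) + (classes == 4)
    return min(int(score), 4)


def validate_new_password(password: str, policy: PasswordPolicy,
                          history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    `history` holds (salt, digest) pairs of the user's previous passwords, newest first.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters required")
    counts = {
        "letters": sum(c in string.ascii_letters for c in password),
        "digits": sum(c in string.digits for c in password),
        "symbols": sum(c in string.punctuation for c in password),
    }
    for name, minimum in (("letters", policy.min_letters),
                          ("digits", policy.min_digits),
                          ("symbols", policy.min_symbols)):
        if counts[name] < minimum:
            problems.append(f"at least {minimum} {name} required")
    if strength_score(password) < policy.min_security_score:
        problems.append(f"security score below {policy.min_security_score}")
    # Password history: only the most recent N stored hashes are compared, each
    # with its own salt, so the new password is never stored or logged in clear.
    for salt, digest in history[:policy.history_size]:
        if verify_password(password, salt, digest):
            problems.append(f"reuses one of the last {policy.history_size} passwords")
            break
    return problems
```

The history check deliberately re-derives the hash with each old salt rather than comparing plaintexts, which is the only way a reuse check can work when previous passwords were stored hashed and salted.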
Failed Login Throttling
To protect against brute-force attacks, FullFabric temporarily locks accounts after too many failed login attempts. The lockout duration increases exponentially with each failed attempt (using the backoff multiplier). The failed attempts counter resets after 12 hours.
Password Expiration
If a password lifetime is configured, users whose passwords have expired are redirected to a password reset flow on their next login attempt. The expiration timer resets each time the password is changed.
Two-Factor Authentication (2FA)
2FA adds an extra layer of security by requiring a one-time SMS code in addition to your password.
For Users
- 2FA is opt-in — you enable it from your account settings.
- When you log in, after entering your password, you receive an SMS code to your registered phone number.
- Codes expire after 60 seconds; a new code is sent automatically if you need to retry.
- You can mark a device as "trusted" to skip 2FA on future logins from that device (stored as a browser cookie).
For Administrators
- 2FA must be enabled at the institution level before users can opt in.
- The institution setting controls whether 2FA is available, not whether it is mandatory.
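The two pieces of 2FA state described above, the 60-second SMS code kept on the server and the "trusted device" marker kept in a browser cookie, as an added example that is not FullFabric's code. Because a cookie is under the client's control, the example signs it with HMAC-SHA256 so a forged or edited cookie is rejected; the 30-day trusted-device lifetime and the payload field names are assumptions, since the page gives neither.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SMS_CODE_TTL_SECONDS = 60                # from the page: codes expire after 60 seconds
TRUSTED_DEVICE_TTL_SECONDS = 30 * 86400  # assumption: the page gives no trusted-device lifetime


def issue_sms_code(now: float) -> dict:
    """Server-side challenge: a random 6-digit code with a 60-second deadline."""
    return {"code": f"{secrets.randbelow(10**6):06d}",
            "expires_at": now + SMS_CODE_TTL_SECONDS}


def verify_sms_code(challenge: dict, submitted: str, now: float) -> bool:
    """Reject expired codes first, then compare in constant time."""
    if now >= challenge["expires_at"]:
        return False
    return hmac.compare_digest(challenge["code"].encode(), submitted.encode())


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trusted_device_cookie(user_id: str, secret: bytes, now: float) -> str:
    """Cookie value of the form base64(payload).base64(HMAC-SHA256(secret, payload)).

    The random 'dev' id lets the server revoke one device later if it keeps a list.
    """
    payload = json.dumps(
        {"uid": user_id,
         "dev": _b64encode(secrets.token_bytes(8)),
         "exp": int(now + TRUSTED_DEVICE_TTL_SECONDS)},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(tag)}"


def trusted_device_from_cookie(cookie: str, secret: bytes, now: float):
    """Return the {'uid','dev','exp'} payload of a genuine, unexpired cookie, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64decode(payload_b64), _b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # authenticate before parsing
        return None
    data = json.loads(payload)
    if now >= data["exp"]:
        return None
    return data
```

When the cookie verifies and its `uid` matches the account that just passed the password step, the SMS challenge can be skipped; if either check fails the server simply falls back to sending a code, so a bad cookie costs the attacker nothing but also gains them nothing.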
Signup Flow
When self-registration is enabled, new users can create an account from the login page:
- Enter your email address.
- If the email is not recognized, a registration form appears asking for first name, last name, and policy acceptances (privacy, marketing channels).
- A verification email is sent to confirm your address.
- Clicking the verification link activates your account.
Institutions can customize which policy acceptance options appear during signup (email, phone, SMS, mail channels).
Password Reset
If you forget your password:
- Click "Forgot password?" on the login page.
- Enter your email address.
- A reset link is sent to your email with a time-limited token.
- Click the link and set a new password (must comply with the institution's password policy).