Authentication

Authentication is how Full Fabric verifies your identity before granting access to the platform. Full Fabric supports multiple authentication methods — from email and password to enterprise SSO — so each institution can choose the setup that fits their security requirements.

Login Flow

When you visit the login page, Full Fabric uses a multi-step process to determine how to authenticate you:

  1. Email lookup — You enter your email address. The system checks whether an account exists.
  2. Password entry — If your account exists and has a password, you enter it.
  3. Registration — If no account is found, you see a registration form to create one (if the institution allows self-registration).
  4. Two-factor authentication — If 2FA is enabled on your account, you receive an SMS code to verify.
  5. Session created — On success, a session cookie is set and you are redirected to the platform.

Authentication Methods

Email and Password (Native)

The default login method. You enter your email and password, and Full Fabric validates them against the stored credentials.

  • Passwords are hashed and salted — they are never stored in plain text.
  • Password strength is scored from 0 (weak) to 4 (strong) based on complexity, common patterns, and dictionary words.
  • Password history is tracked to prevent reuse of recent passwords.

SSO / SAML

Enterprise single sign-on via SAML 2.0. When enabled, users authenticate through their organisation's identity provider (e.g., OneLogin, Okta, Microsoft Entra ID) instead of entering a Full Fabric password.

When SAML is the only enabled authentication method, the login page redirects directly to the identity provider. See SSO / SAML for configuration details.

OAuth Providers

Full Fabric supports social and third-party login via:

  • Google — Google account authentication
  • LinkedIn — LinkedIn profile authentication
  • Microsoft — Microsoft / Entra ID authentication

These are configured per institution and appear as buttons on the login page when enabled.

Magic Links

Passwordless authentication via email. The system sends a time-limited link to your email address. Clicking the link authenticates you and verifies your email in one step. Each magic link can be used only once.

Password Policies

Each institution can configure its own password policy. These settings control minimum requirements for new passwords:

Setting                 Default   Range   Description
Minimum length          8         6–99    Minimum number of characters
Minimum letters         1         1–9     Minimum alphabetic characters (a–z, A–Z)
Minimum digits          1         1–9     Minimum numeric characters (0–9)
Minimum symbols         1         0–9     Minimum special characters (!@#$%&*, etc.)
Minimum security score  2         0–4     Minimum strength score
Password lifetime       6 months          How long before a password must be changed
Max failed attempts     3                 Failed logins before temporary lockout
Backoff multiplier      2                 Exponential backoff base for lockout duration
Password history        3                 Number of previous passwords that cannot be reused
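The following is an added illustration of how the policy table above and the native-password guarantees (salted hashes, password history) fit together; it is not Full Fabric's code. The default values mirror the table, but the 0 to 4 security score is assumed to come from a separate zxcvbn-style estimator (this validator only enforces the configured minimum), and the PBKDF2 work factor is an assumption because the page does not state the platform's hashing parameters.

```python
import hashlib
import os
from hmac import compare_digest

# Defaults mirror the documented policy table. The 0-4 security score is
# produced elsewhere (a zxcvbn-style scorer is assumed); only the minimum
# is enforced here.
DEFAULT_POLICY = {
    "min_length": 8,
    "min_letters": 1,
    "min_digits": 1,
    "min_symbols": 1,
    "min_security_score": 2,
    "password_history": 3,
}
PBKDF2_ROUNDS = 100_000  # assumed work factor; the platform's own parameters are not documented


def check_policy(password, security_score, policy=DEFAULT_POLICY):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("min_length")
    if sum(ch.isalpha() for ch in password) < policy["min_letters"]:
        problems.append("min_letters")
    if sum(ch.isdigit() for ch in password) < policy["min_digits"]:
        problems.append("min_digits")
    # Anything that is neither a letter nor a digit counts as a symbol (!@#$%&* etc.).
    if sum(not ch.isalnum() for ch in password) < policy["min_symbols"]:
        problems.append("min_symbols")
    if security_score < policy["min_security_score"]:
        problems.append("min_security_score")
    return problems


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; the stored form is 'salt_hex$digest_hex', never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return compare_digest(digest.hex(), digest_hex)


def reused_recently(password, history, policy=DEFAULT_POLICY):
    """True if the candidate matches any of the last `password_history` stored hashes.

    `history` holds the user's previous hashes, oldest first; only the newest N are checked.
    """
    keep = policy["password_history"]
    recent = history[-keep:] if keep > 0 else []
    return any(verify_password(password, old) for old in recent)


def accept_new_password(password, security_score, history, policy=DEFAULT_POLICY):
    """Full check used when a password is set or reset: policy rules, then history."""
    problems = check_policy(password, security_score, policy)
    if reused_recently(password, history, policy):
        problems.append("password_history")
    return problems
```

Because only salted hashes are kept, the history check has to recompute the hash of the candidate against each of the last N stored entries; that costs N PBKDF2 runs per password change, which is why the history depth is kept small.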

Failed Login Throttling

To protect against brute-force attacks, Full Fabric temporarily locks accounts after too many failed login attempts. The lockout duration increases exponentially with each failed attempt (using the backoff multiplier). The failed attempts counter resets after 12 hours.
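As an added example (not Full Fabric's implementation), the throttle below shows what "exponential backoff using the multiplier" and "counter resets after 12 hours" mean in practice. The limit of 3 failures and multiplier of 2 are the documented defaults and the 12-hour reset is documented; the 60-second base lockout is an assumption, since the page does not state the duration of the first lockout. The clock is injectable so the timing can be exercised without waiting.

```python
import time


class LoginThrottle:
    """Per-account failed-login throttle with exponential backoff.

    max_failed=3 and multiplier=2 mirror the documented defaults and the
    12-hour counter reset is documented; base_lockout (the duration of the
    first lockout, 60 s here) is an assumption not stated on the page.
    """

    def __init__(self, max_failed=3, multiplier=2, base_lockout=60,
                 reset_after=12 * 3600, clock=time.time):
        self.max_failed = max_failed
        self.multiplier = multiplier
        self.base_lockout = base_lockout
        self.reset_after = reset_after
        self.clock = clock   # injectable so the behaviour can be tested without sleeping
        self._state = {}     # account -> {"failures", "last_failure", "locked_until"}

    def _entry(self, account):
        now = self.clock()
        entry = self._state.get(account)
        # A quiet period of reset_after wipes the counter (the documented 12-hour reset).
        if entry is None or now - entry["last_failure"] >= self.reset_after:
            entry = {"failures": 0, "last_failure": now, "locked_until": 0.0}
            self._state[account] = entry
        return entry

    def lockout_remaining(self, account):
        """Seconds until the account may try again; 0 when it is not locked."""
        return max(0.0, self._entry(account)["locked_until"] - self.clock())

    def record_failure(self, account):
        """Count a failed attempt; returns the lockout duration applied (0 until the limit)."""
        entry = self._entry(account)
        now = self.clock()
        entry["failures"] += 1
        entry["last_failure"] = now
        if entry["failures"] < self.max_failed:
            return 0
        # Third failure locks for base_lockout, fourth for base*2, fifth for base*4, ...
        over_limit = entry["failures"] - self.max_failed
        duration = self.base_lockout * self.multiplier ** over_limit
        entry["locked_until"] = now + duration
        return duration

    def record_success(self, account):
        """A successful login clears the counter entirely."""
        self._state.pop(account, None)

    def attempt_login(self, account, password_ok):
        """Login gate: refuse while locked, otherwise record the outcome.

        Returns one of 'locked', 'ok', 'failed'.
        """
        if self.lockout_remaining(account) > 0:
            return "locked"
        if password_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "failed"
```

Note that `attempt_login` checks the lock before the password is even evaluated, so a correct password submitted during a lockout is still refused; that is what keeps the backoff meaningful against automated guessing.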

Password Expiration

If a password lifetime is configured, users whose passwords have expired are redirected to a password reset flow on their next login attempt. The expiration timer resets each time the password is changed.

Two-Factor Authentication (2FA)

2FA adds an extra layer of security by requiring a one-time SMS code in addition to your password. Full Fabric uses SMS-only 2FA (via MessageBird) — authenticator apps (TOTP) are not currently supported.

For Users

  • 2FA is opt-in — you enable it from your account settings by registering a phone number (E.164 format, e.g., +1234567890).
  • When you log in, after entering your password, you receive a 6-digit SMS code to your registered phone number.
  • Codes expire after 60 seconds; a new code is sent automatically if you need to retry.
  • You can mark a device as "trusted" to skip 2FA on future logins from that device. The trusted device cookie lasts 30 days and is set once — it is not extended on subsequent logins.
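The server-side bookkeeping behind the user-facing behaviour above (6-digit code, 60-second expiry, single use, 30-day trusted-device cookie that is set once and never extended) is shown as an added example below; it is not Full Fabric's code. Sending the SMS through MessageBird is out of scope, so `issue_code` simply returns the code for a caller to hand to the gateway, and the decision to bind a trusted-device cookie to the user who set it is a design choice of this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6                      # documented: 6-digit SMS code
CODE_TTL = 60                        # documented: codes expire after 60 seconds
TRUSTED_DEVICE_TTL = 30 * 24 * 3600  # documented: trusted-device cookie lasts 30 days


class SmsTwoFactor:
    """Server-side state for an SMS second factor and trusted devices.

    Delivering the SMS (MessageBird in the product) is out of scope here;
    issue_code returns the code so a caller can pass it to the gateway.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}   # user -> (code, expires_at)
        self._trusted = {}   # sha256(cookie value) -> (user, expires_at)

    def issue_code(self, user):
        # secrets.randbelow draws from the CSPRNG over the full 000000-999999 range.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (code, self.clock() + CODE_TTL)
        return code

    def verify_code(self, user, submitted):
        """Accept a code once, and only before it expires.

        The pending code is discarded on any attempt, so a typo needs a fresh
        code (the page says one is sent automatically on retry) and the same
        code can never be guessed against repeatedly.
        """
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(code, submitted)

    def trust_device(self, user):
        """Mint the trusted-device cookie value; only its hash is kept server-side."""
        cookie = secrets.token_urlsafe(32)
        key = hashlib.sha256(cookie.encode()).hexdigest()
        self._trusted[key] = (user, self.clock() + TRUSTED_DEVICE_TTL)
        return cookie

    def device_trusted(self, user, cookie):
        """True while the cookie is valid for this user.

        The expiry is fixed when the device is trusted and deliberately not
        extended on use, matching the documented behaviour.
        """
        key = hashlib.sha256(cookie.encode()).hexdigest()
        entry = self._trusted.get(key)
        if entry is None:
            return False
        owner, expires_at = entry
        if owner != user:
            return False
        if self.clock() > expires_at:
            del self._trusted[key]
            return False
        return True

    def second_factor_required(self, user, cookie):
        """Decide after a successful password check whether to send an SMS challenge."""
        return not (cookie and self.device_trusted(user, cookie))
```

Consuming the pending code on every verification attempt is what turns a 6-digit code (one chance in a million) into something that cannot be brute-forced within its 60-second life: each guess costs the attacker a new SMS round-trip.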

For Administrators

  • 2FA must be enabled at the institution level (modules.authentication.features.two_factor_authentication.enable) before users can opt in.
  • The institution setting controls whether 2FA is available, not whether it is mandatory.

Access Windows

Administrators can set time-based access windows on individual profiles using two fields:

  • access_from — The earliest date/time the user can log in. Before this date, the account is automatically inactivated.
  • access_until — The latest date/time the user can log in. After this date, the account is automatically suspended.

These checks happen both at login time and on profile save. If a user's access_until date passes while they are logged in, their session continues until it expires naturally, but they cannot start a new session.

Access windows are useful for time-limited accounts — visiting lecturers, temporary staff, or students with fixed enrolment periods.

Signup Flow

When self-registration is enabled (auth.identity.registrations setting), new users can create an account from the login page:

  1. Enter your email address.
  2. If the email is not recognized, a registration form appears asking for first name, last name, and policy acceptances (privacy, marketing channels).
  3. A verification email is sent to confirm your address.
  4. Clicking the verification link activates your account.

Institutions can customise which policy acceptance options appear during signup (email, phone, SMS, mail channels). An optional CAPTCHA can be enabled on the signup form (auth.sign_up.captcha).

Password Reset

If you forget your password:

  1. Click "Forgot password?" on the login page.
  2. Enter your email address.
  3. A reset link is sent to your email with a time-limited token.
  4. Click the link and set a new password (must comply with the institution's password policy).
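Both the magic link described under Magic Links and the reset link in step 3 above rely on the same primitive: a random, time-limited, single-use token delivered by e-mail. The added example below (not Full Fabric's implementation) shows one token store serving both purposes. The 15-minute and 60-minute lifetimes, the `https://institution.example` base URL and the `/auth/magic` and `/auth/reset` paths are placeholders, since the page says only that the links are time-limited.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode


class OneTimeTokenStore:
    """Time-limited, single-use tokens for e-mailed links.

    Only the SHA-256 of each token is stored, so a copy of the store cannot be
    used to forge a link; the e-mail carries the only copy of the raw token.
    """

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}   # sha256(token) -> (email, purpose, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email, purpose):
        token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG
        self._pending[self._key(token)] = (email, purpose, self.clock() + self.ttl)
        return token

    def redeem(self, token, purpose):
        """Return the e-mail the token was issued for, or None if it is unknown,
        already used, expired, or was issued for a different purpose.

        The entry is removed before any check so that a token is consumed on its
        first presentation whatever the outcome.
        """
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        email, issued_for, expires_at = entry
        if issued_for != purpose or self.clock() > expires_at:
            return None
        return email


def build_link(base_url, path, token):
    """Compose the link placed in the e-mail; base_url and path are placeholders here."""
    return f"{base_url}{path}?{urlencode({'token': token})}"


# One store per purpose so a reset token can never log someone in, and vice
# versa. Both lifetimes are assumptions; the page says only "time-limited".
magic_links = OneTimeTokenStore(ttl_seconds=15 * 60)
password_resets = OneTimeTokenStore(ttl_seconds=60 * 60)


def send_magic_link(email):
    """Magic link: following it both authenticates the user and verifies the address."""
    token = magic_links.issue(email, "magic_link")
    return build_link("https://institution.example", "/auth/magic", token)


def send_password_reset(email):
    """Reset link: redeeming it allows a new password to be set, subject to the policy."""
    token = password_resets.issue(email, "password_reset")
    return build_link("https://institution.example", "/auth/reset", token)
```

Keeping the purpose inside the stored entry and checking it on redemption is what stops a reset token being replayed against the magic-link endpoint or the other way round; the new password chosen after a successful reset is then validated against the institution's password policy exactly as at signup.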