====== Security & MFA ======

===== Multi-Factor Authentication =====

LEAST supports **TOTP-based MFA** (compatible with Google Authenticator, Authy, and any TOTP app).

==== Enabling MFA (user) ====

  - Log in and go to **My Profile -> Security**
  - Click **Enable MFA**
  - Scan the QR code with your authenticator app
  - Enter the 6-digit code to confirm setup
  - Save your **backup codes** in a safe place

==== Disabling MFA (admin) ====

If a user is locked out of their account (lost authenticator):

  - Navigate to **Admin -> Users -> [User] -> Security**
  - Click **Reset MFA** -- this removes the TOTP secret
  - The user can re-enrol MFA on next login

===== Signup Rate Limiting =====

LEAST automatically rate-limits signup attempts to prevent automated account creation.

  * More than **10 signup attempts** from the same IP address within a **60-minute window** are blocked
  * **Disposable email domains** (30+ known providers including Mailinator, Guerrilla Mail, 10 Minute Mail, and similar services) are rejected at signup
  * Blocked attempts receive a generic error message -- no indication is given that the IP or domain is specifically blocked

This requires no administrator configuration and is always active. If a legitimate user behind a shared or corporate IP is being incorrectly blocked, check **Admin -> Audit Log**, filtering for signup events from that IP.

===== Session Security =====

  * Sessions expire after **30 days of inactivity**
  * CSRF tokens protect all state-changing forms
  * Session cookies are HttpOnly and Secure (HTTPS only)

===== Audit Log =====

All significant platform actions are written to the audit log:

  * Login and logout events
  * User account creation and modification
  * Permission grants and revocations
  * Collection record creation, update, and deletion
  * Badge issuance

To view the audit log: **Admin -> Audit Log**. Filter by user, date range, or action type.
===== Data Retention & GDPR =====

  * User data is retained indefinitely unless a deletion request is received
  * To anonymise a user's data (GDPR right to erasure): **Admin -> Users -> [User] -> GDPR Wipe**
  * This replaces personal data fields with ''****'' while preserving the audit trail structure
  * Collection records can be individually wiped via the [[developer:api|API]] using the ''gdprwipe'' function

===== Password Policy =====

  * Minimum password length: 8 characters
  * No automatic expiry (set a policy in your organisation's acceptable use policy)
  * Admins can force a password reset from the user profile