Security & MFA

LEAST supports TOTP-based MFA (compatible with Google Authenticator, Authy, and any TOTP app).

1. Log in and go to My Profile → Security
2. Click Enable MFA
3. Scan the QR code with your authenticator app
4. Enter the 6-digit code to confirm setup
5. Save your backup codes in a safe place

If a user is locked out of their account (lost authenticator):

1. Navigate to Admin → Users → [User] → Security
2. Click Reset MFA – this removes the TOTP secret
3. The user can re-enrol MFA on next login

LEAST automatically rate-limits signup attempts to prevent automated account creation.

• More than 10 signup attempts from the same IP address within a 60-minute window are blocked
• Disposable email domains (30+ known providers including Mailinator, Guerrilla Mail, 10 Minute Mail, and similar services) are rejected at signup
• Blocked attempts receive a generic error message – no indication is given that the IP or domain is specifically blocked

This requires no administrator configuration and is always active. If a legitimate user behind a shared or corporate IP is being incorrectly blocked, check Admin → Audit Log filtering for signup events from that IP.

• Sessions expire after 30 days of inactivity
• CSRF tokens protect all state-changing forms
• Session cookies are HttpOnly and Secure (HTTPS only)

All significant platform actions are written to the audit log:

• Login and logout events
• User account creation and modification
• Permission grants and revocations
• Collection record creation, update, and deletion
• Badge issuance

To view the audit log: Admin → Audit Log. Filter by user, date range, or action type.

• User data is retained indefinitely unless a deletion request is received
• To anonymise a user's data (GDPR right to erasure): Admin → Users → [User] → GDPR Wipe
• This replaces personal data fields with while preserving the audit trail structure
• Collection records can be individually wiped via the API using the gdprwipe function

• Minimum password length: 8 characters
• No automatic expiry (set a policy in your organisation's acceptable use policy)
• Admins can force a password reset from the user profile