Security & MFA

Multi-Factor Authentication

LEAST supports TOTP-based MFA (compatible with Google Authenticator, Authy, and any TOTP app).

Enabling MFA (user)

  1. Log in and go to My Profile → Security
  2. Click Enable MFA
  3. Scan the QR code with your authenticator app
  4. Enter the 6-digit code to confirm setup
  5. Save your backup codes in a safe place

Disabling MFA (admin)

If a user is locked out of their account (lost authenticator):

  1. Navigate to Admin → Users → [User] → Security
  2. Click Reset MFA – this removes the TOTP secret
  3. The user can re-enrol MFA on next login

Signup Rate Limiting

LEAST automatically rate-limits signup attempts to prevent automated account creation.

  • More than 10 signup attempts from the same IP address within a 60-minute window are blocked
  • Disposable email domains (30+ known providers including Mailinator, Guerrilla Mail, 10 Minute Mail, and similar services) are rejected at signup
  • Blocked attempts receive a generic error message – no indication is given that the IP or domain is specifically blocked

This requires no administrator configuration and is always active. If a legitimate user behind a shared or corporate IP is being incorrectly blocked, check Admin → Audit Log, filtering for signup events from that IP.
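An added example (not LEAST's code) of the two signup checks described above: a sliding 60-minute window that blocks an IP once it exceeds 10 attempts, and a disposable-domain denylist, with every rejection returning the same generic message. The injectable clock, the three-entry sample denylist, and the internal reason code returned alongside the message (the kind of detail an audit log would record) are all assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60 * 60          # 60-minute sliding window
MAX_ATTEMPTS = 10                 # more than 10 attempts from one IP are blocked
GENERIC_ERROR = "Signup could not be completed."   # identical text for every rejection

# Constructed sample denylist; a real list (the page says 30+ providers) would be larger.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}


class SignupGate:
    """Per-IP sliding-window limiter plus email-domain check.

    `clock` is injectable so the window logic can be tested without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._attempts = defaultdict(deque)   # ip -> timestamps inside the window

    def _prune(self, ip: str, now: float) -> deque:
        q = self._attempts[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()               # drop attempts that have aged out of the window
        return q

    def check(self, ip: str, email: str):
        """Return (allowed, user_facing_message, audit_reason).

        The user only ever sees GENERIC_ERROR; the audit_reason is for the server's
        own log so an administrator can tell a rate-limited IP from a rejected domain."""
        now = self._clock()
        q = self._prune(ip, now)
        q.append(now)                 # count the attempt whether or not it is accepted
        if len(q) > MAX_ATTEMPTS:
            return (False, GENERIC_ERROR, "rate_limit")
        if "@" not in email:
            return (False, GENERIC_ERROR, "invalid_email")
        domain = email.rpartition("@")[2].strip().lower()
        if domain in DISPOSABLE_DOMAINS:
            return (False, GENERIC_ERROR, "disposable_domain")
        return (True, None, None)


if __name__ == "__main__":
    gate = SignupGate()
    for i in range(11):
        allowed, msg, reason = gate.check("203.0.113.7", f"user{i}@example.com")
        print(i + 1, allowed, reason)   # the 11th attempt is rejected
    print(gate.check("198.51.100.2", "someone@Mailinator.COM"))
```

Because the limiter counts rejected attempts too, a source that keeps retrying stays blocked until it has been quiet for a full hour, which is the behaviour the audit-log check above helps an administrator recognise when a shared corporate IP is affected.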

Session Security

  • Sessions expire after 30 days of inactivity
  • CSRF tokens protect all state-changing forms
  • Session cookies are HttpOnly and Secure (HTTPS only)

Audit Log

All significant platform actions are written to the audit log:

  • Login and logout events
  • User account creation and modification
  • Permission grants and revocations
  • Collection record creation, update, and deletion
  • Badge issuance

To view the audit log: Admin → Audit Log. Filter by user, date range, or action type.

Data Retention & GDPR

  • User data is retained indefinitely unless a deletion request is received
  • To anonymise a user's data (GDPR right to erasure): Admin → Users → [User] → GDPR Wipe
  • This replaces personal data fields with while preserving the audit trail structure
  • Collection records can be individually wiped via the API using the gdprwipe function

Password Policy

  • Minimum password length: 8 characters
  • No automatic expiry (define any password rotation requirement in your organisation's acceptable use policy)
  • Admins can force a password reset from the user profile