
Security & MFA

Multi-Factor Authentication

LEAST supports TOTP-based MFA (RFC 6238; compatible with Google Authenticator, Authy, and any other standard TOTP app).

Enabling MFA (user)

  1. Log in and go to My Profile → Security
  2. Click Enable MFA
  3. Scan the QR code with your authenticator app
  4. Enter the 6-digit code to confirm setup
  5. Save your backup codes in a safe place
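The steps above are the user-facing side of RFC 6238 TOTP. The following Python, added here as an illustration and not LEAST's own code, shows what sits behind them: the shared secret that the QR code carries (as an otpauth URI), the HMAC-SHA1 code the app computes and the server verifies with a clock-skew window and replay protection, and single-use backup codes stored as hashes. The issuer label, cookie-free session handling, window size and backup-code format are assumptions; the fixed test key is the one published in RFC 4226 / RFC 6238, used so the output can be checked against the known vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Test key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"). Used only so the
# results can be checked against the published vectors; a real deployment creates a
# fresh random secret per user with generate_secret().
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_SECRET_B32 = base64.b32encode(RFC_TEST_KEY).decode("ascii")  # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

PERIOD = 30   # seconds per time step; what Google Authenticator and Authy assume
DIGITS = 6    # the "6-digit code" from step 4


def generate_secret(nbytes: int = 20) -> str:
    """Fresh per-user secret, base32 without padding, as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse of generate_secret(); tolerant of spaces, lowercase and missing padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(secret_b32: str, account: str, issuer: str = "LEAST") -> str:
    """Content of the QR code scanned in step 3 (the issuer label is an assumption)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, period: int = PERIOD) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(decode_secret(secret_b32), int(at) // period)


def verify_totp(secret_b32: str, submitted: str, at: float,
                last_used_counter: int = None, window: int = 1):
    """Return the accepted time-step counter, or None if the code is wrong.

    Accepts +/- `window` steps of drift between phone and server, and refuses any
    counter at or below the last one accepted, so a code captured by a phisher
    cannot be replayed within the same 30-second step. The caller must persist
    the returned counter alongside the secret.
    """
    key = decode_secret(secret_b32)
    submitted = submitted.strip().replace(" ", "")
    current = int(at) // PERIOD
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


def generate_backup_codes(n: int = 10):
    """Step 5: one-time codes. Returns (plaintext shown once to the user, hashes for the DB).

    64-bit random codes keep an offline guess against the stored SHA-256 digests
    impractical; a slow password hash would be the alternative for shorter codes.
    """
    codes = [secrets.token_hex(8) for _ in range(n)]           # e.g. '9f3a0c1d2e4b7a61'
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(code: str, stored: set) -> bool:
    """Consume a backup code; its hash is removed on first use so it cannot be reused."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    print(otpauth_uri(RFC_TEST_SECRET_B32, "user@example.org"))
    print(totp(RFC_TEST_SECRET_B32, at=59))   # 287082: the RFC 6238 vector for T=59, truncated to 6 digits
```

The enrolment in step 4 is the same `verify_totp` call: the server holds the secret as pending until the user submits one valid code, and only then marks MFA as enabled and stores the counter it accepted. An admin "Reset MFA" corresponds to deleting the secret, the stored counter and the backup-code hashes together.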

Disabling MFA (admin)

If a user is locked out of their account (lost authenticator), an admin can reset MFA. Verify the requester's identity through a channel independent of the account first, because the reset removes their second factor:

  1. Navigate to Admin → Users → [User] → Security
  2. Click Reset MFA — this removes the TOTP secret
  3. The user can re-enrol MFA on next login

Session Security

  • Sessions expire after 30 days of inactivity
  • CSRF tokens protect all state-changing forms
  • Session cookies are set HttpOnly (not readable from page script) and Secure (sent over HTTPS only)
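The cookie flags above can be checked from outside the application by reading the Set-Cookie header of a login response. The script below is an added example, not part of LEAST, that parses such a header and reports any attribute that does not match the documented policy. The cookie name `least_session`, the response bodies and the SameSite check are assumptions; the page documents HttpOnly, Secure and the 30-day limit, while SameSite is the extra attribute a reviewer would look for as a second line against CSRF. The inactivity timeout itself is server-side state, so the Max-Age check only catches a cookie that is allowed to outlive the policy.

```python
SESSION_COOKIE = "least_session"      # assumed name; the real LEAST cookie name is not documented here
MAX_IDLE_SECONDS = 30 * 24 * 3600     # the documented 30-day inactivity limit


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Flag attributes (HttpOnly, Secure) map to True; valued ones (Max-Age=...) to their string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() if has_value else True
    return cookie


def audit_session_cookie(header: str) -> list:
    """Return finding codes for one Set-Cookie value; an empty list means it matches the policy."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("no-httponly")        # page script could read the session id (XSS -> session theft)
    if attrs.get("secure") is not True:
        findings.append("no-secure")          # browser would also send it over plain HTTP
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("weak-samesite")      # beyond the page's list; cheap defence in depth against CSRF
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > MAX_IDLE_SECONDS:
        findings.append("max-age-too-long")   # cookie may outlive the 30-day inactivity limit
    return findings


def audit_response(raw_head: str) -> dict:
    """Audit every Set-Cookie line of a raw HTTP response head, keyed by cookie name."""
    results = {}
    for line in raw_head.splitlines():
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            results[parse_set_cookie(value)["name"]] = audit_session_cookie(value)
    return results


# Constructed responses for the example (not captured from a real LEAST instance).
GOOD_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    f"Set-Cookie: {SESSION_COOKIE}=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={MAX_IDLE_SECONDS}",
    "",
])
BAD_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    f"Set-Cookie: {SESSION_COOKIE}=abc123; Path=/; Max-Age=31536000",
    "",
])

if __name__ == "__main__":
    for label, head in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_response(head))
```

Run it against a real login response by pasting the response head into `audit_response`; anything other than an empty list for the session cookie is a deviation from the policy described on this page.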

Audit Log

All significant platform actions are written to the audit log:

  • Login and logout events
  • User account creation and modification
  • Permission grants and revocations
  • Collection record creation, update, and deletion
  • Badge issuance

To view the audit log: Admin → Audit Log. Filter by user, date range, or action type.

Data Retention & GDPR

  • User data is retained indefinitely unless a deletion request is received
  • To anonymise a user's data (GDPR right to erasure): Admin → Users → [User] → GDPR Wipe
  • This overwrites the user's personal data fields while preserving the audit trail structure, so audit entries remain intact but no longer carry the person's details
  • Collection records can be individually wiped via the API using the gdprwipe function

Password Policy

  • Minimum password length: 8 characters
  • No automatic expiry (if your organisation requires periodic rotation, mandate it in its acceptable use policy)
  • Admins can force a password reset from the user profile