Security & Authentication

Protect your account with modern security features

Security Overview

Invotify takes security seriously. Your account and business data are protected with industry-standard security practices and multiple authentication options.

Security Features:
  • Encrypted connections (HTTPS) for all data transmission
  • Secure authentication with multiple sign-in methods
  • Two-factor authentication (2FA) via email
  • Passkeys (WebAuthn) as a phishing-resistant second factor
  • Isolated data storage — your company's data is never visible to other accounts
  • Session management with automatic refresh
  • Rate limiting on authentication endpoints

Your data is safe:
  • All data is stored securely in the cloud with encryption
  • Every request is authenticated and scoped to your company — no data leaks between accounts
  • Your password is never stored in plain text
  • Sessions automatically expire and refresh for security
  • API endpoints are protected against brute-force attacks

Encrypted connections

Every request travels over HTTPS with modern TLS encryption — in transit, always.

Data isolation

Your company’s data is scoped and authenticated per request. Other accounts can never see it.

Multiple auth methods

Email/password, Google, Apple, passkeys, and 2FA — pick what works for your team.

Session management

Sessions refresh automatically and expire on inactivity for safety.

Sign-In Methods

Invotify supports multiple ways to sign in, so you can choose the method that's most convenient and secure for you.

Email & Password: The traditional sign-in method. Use your email address and password to log in.
  • Password requirements: minimum 8 characters
  • "Forgot Password" link available on the login page
  • Password recovery via email with a secure reset link
  • When email two-factor authentication is enabled, a one-time code is also required after the password

Google Sign-In: Sign in with your Google account for quick, one-click access.
  • No need to create or remember a separate password
  • Uses Google's secure OAuth 2.0 authentication
  • Links your Google account to your Invotify profile

Apple Sign-In: Sign in with your Apple ID for seamless authentication.
  • Uses Apple's secure authentication framework
  • Option to hide your email address (Apple Private Relay)
  • Links your Apple account to your Invotify profile

Passkeys (WebAuthn): A phishing-resistant second factor that confirms it's really you after your password.
  • Confirm sign-in with fingerprint, face recognition, or device PIN
  • Resistant to phishing attacks
  • Works across devices with platform authenticators
  • Supports hardware security keys (YubiKey, Titan, etc.)

Email & Password

Traditional sign-in with email address and password

Google Sign-In

One-click sign-in with your Google account

Apple Sign-In

Sign in with your Apple ID

Passkeys

Biometric or security-key confirmation as a second factor after your password

Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security to your account by requiring a verification code in addition to your password.

How It Works:
  1. You enter your email and password as usual
  2. A one-time 6-digit verification code is sent to your email
  3. You enter the code to complete the login
  4. The code expires after a short time for security

Enabling 2FA:
  1. Go to Settings → Security
  2. Find the "Two-Factor Authentication" section
  3. Toggle "Email Code" on — 2FA is active immediately
  4. From your next sign-in, a 6-digit code is emailed to you to complete the login

Disabling 2FA:
  1. Go to Settings → Security
  2. Toggle the switch off and confirm
  3. 2FA is disabled and you can log in with just your password

When 2FA Is Required:
  • On every sign-in once enabled — including Google and Apple sign-in
  • The code requirement protects your account no matter which sign-in method was used

Tips
  • For maximum security, enable 2FA if you use password-based login
  • Keep your email account secure since 2FA codes are sent there
  • If you can't access your email, contact support for account recovery
  • 2FA codes are time-limited - use them promptly after receiving
Important
  • Make sure your email account is accessible before enabling 2FA
  • If you lose access to your email, you may need to contact support to regain access

Passkeys (WebAuthn)

Passkeys are a modern, phishing-resistant way to confirm your identity using your device's biometric sensor or a hardware security key.

What Are Passkeys? Passkeys use the WebAuthn standard. In Invotify they act as a second factor: after you enter your password, you confirm the sign-in with:
  • Fingerprint: Touch ID, fingerprint scanner
  • Face Recognition: Face ID, Windows Hello
  • Device PIN: As a fallback when biometrics aren't available
  • Hardware Key: YubiKey, Google Titan, or other FIDO2 keys

Benefits of Passkeys:
  • Nothing extra to remember or type — one touch confirms it's you
  • Resistant to phishing: passkeys are bound to the specific website
  • Fast and convenient verification
  • Multiple passkeys can be registered for different devices
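
What "bound to the specific website" means on the server side, as an added example that is not Invotify's code: in a WebAuthn sign-in response the browser records the origin it actually loaded and the authenticator includes a hash of the relying-party ID, and the server rejects any response where either does not match. The origin and RP ID below are placeholders, `check_assertion_binding` and `build_sample` are hypothetical names, and signature verification is left out.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ORIGIN = "https://app.example.com"  # placeholder, not Invotify's real origin
EXPECTED_RP_ID = "app.example.com"           # placeholder relying-party ID


def check_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return the list of failed binding checks; an empty list means all passed."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    # The browser, not the page's script, records the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    encoded = str(client.get("challenge", ""))
    try:
        challenge = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except ValueError:
        challenge = b""
    if not hmac.compare_digest(challenge, expected_challenge):
        problems.append("challenge mismatch")
    # authenticatorData layout: 32-byte rpIdHash, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    rp_id_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_id_hash):
        problems.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:  # bit 0 = user present (UP)
        problems.append("user presence flag not set")
    return problems


def build_sample(origin, rp_id, challenge):
    """Constructed input shaped like a browser/authenticator response."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    flags_and_counter = bytes([0x05]) + (7).to_bytes(4, "big")  # UP|UV, counter 7
    return client_data, hashlib.sha256(rp_id.encode()).digest() + flags_and_counter
```

A response produced on any other site carries that site's origin and RP ID hash, so it fails these checks even if the user was persuaded to approve the prompt.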

Setting Up Passkeys:
  1. Go to Settings → Security → Passkeys
  2. Click "Add New Passkey"
  3. Your browser will prompt you to authenticate (fingerprint, face, PIN, or key)
  4. The passkey is registered and ready to use on future logins

Using Passkeys to Sign In:
  1. Sign in with your email and password as usual
  2. When prompted, confirm with your device (fingerprint, face, PIN, or key)
  3. The sign-in completes — no emailed code to wait for

Managing Passkeys:
  • View all registered passkeys in Settings → Security
  • Each passkey shows when it was created
  • Delete passkeys you no longer use
  • Register additional passkeys for other devices

Tips
  • Register passkeys on every device you use (laptop, phone, tablet)
  • Passkeys are the most phishing-resistant verification method available
  • Keep your password safe — passkeys confirm your sign-in, they don't replace it
  • Hardware security keys (YubiKey) offer the highest level of security

Active Sessions

The Active Sessions card in Settings → Security shows every device currently signed in to your account, so you can spot and shut down access you don't recognize.

What you see:
  • A list of every signed-in device/session
  • Your current device clearly marked as "This device"
  • Details to help you recognize each session

Signing out a session:
  • Sign out one: Revoke a single session you no longer use or don't recognize
  • Sign out all others: End every session except your current one in a single click — useful if you think your account may be compromised

Behind the scenes, Invotify also refreshes and expires sessions automatically for safety, so old sessions don't linger indefinitely.

See all devices

Every signed-in session in one list, with your current device highlighted.

Revoke individually

Sign out any single session you don’t recognize.

Sign out everywhere

End all other sessions at once if you suspect a breach.

Auto-expiry

Sessions refresh and expire automatically over time.

Tips
  • Review your active sessions periodically and revoke anything unfamiliar
  • If you lose a device, sign out all other sessions and change your password
  • Signing out all other sessions does not affect the device you’re currently using

Password Recovery

If you forget your password, you can reset it using the email recovery process.

Recovery Process:
  1. Go to the login page
  2. Click "Forgot Password"
  3. Enter the email address associated with your account
  4. Check your email for the password reset link
  5. Click the link to open the password reset page
  6. Enter your new password and confirm it
  7. Your password is updated and you can sign in with the new password

Important Notes:
  • The reset link is sent to your registered email address only
  • Reset links expire after a limited time for security
  • Check your spam/junk folder if you don't see the email
  • If you don't receive the email, make sure you're using the correct email address
  • You can request a new reset link if the previous one expired

If you used Google or Apple Sign-In: If you originally signed up with Google or Apple, you don't have a password. Simply continue using Google or Apple sign-in. You can also set a password from your Settings if you want password-based access as well.

Tips
  • Check your spam folder if you don't receive the reset email
  • Password reset links expire for security - use them promptly
  • Consider setting up passkeys so you don't need to remember passwords
  • Use a password manager to store your Invotify password securely