Authentication

AUTH is the security fortress of the Portal ecosystem — every application, every action passes through this gateway. There is no way to access any part of the system without authentication.

What is AUTH?

AUTH is the security fortress of the Portal platform — a centralized authentication system built on Keycloak, one of the most trusted and widely-deployed identity and access management solutions in the world.

While AUTH itself doesn’t provide user-facing functionality, it’s the mandatory security checkpoint for all interactions within the system. Every application — including User Profile and Organization Profile — must pass through AUTH to ensure secure access. No one enters the system without going through this fortress.


Security — Enterprise Grade

Our security standards meet the requirements of major financial institutions. Your data is protected at the highest level.

Why Keycloak?

Keycloak is an enterprise-grade open-source identity and access management solution that provides:

| Feature | Description |
| --- | --- |
| Open Source | Fully auditable code, no hidden backdoors |
| Self-Hosted | Complete control over your authentication infrastructure |
| Battle-Tested | Used by millions of users in enterprises worldwide |
| Enterprise Security | Proven in financial, healthcare, and government sectors |
| SSO & Standards | OAuth 2.0, OpenID Connect, SAML 2.0 out of the box |
| Flexible User Management | Granular control over users, groups, and roles |
| Identity Federation | Connect with Google, GitHub, Facebook, and other providers |
| Directory Integration | Native Active Directory and LDAP support |
| Compliance Ready | Meets GDPR, SOC2, and other regulatory requirements |

How We Protect Your Data

All data stays on our servers

  • Credentials are stored exclusively on our own servers
  • We do not upload passwords to any third-party cloud services
  • No external parties have access to your authentication data
  • Complete data sovereignty — your information never leaves our infrastructure

Unlike many services that rely on third-party authentication providers, we maintain full control over all user credentials.


Audit Bus — Complete Transparency

On top of Keycloak, we run our own logging bus that provides an additional layer of security and complete audit transparency.

Our custom Audit Bus captures and logs every request to the authorization service:

| Data Captured | Details |
| --- | --- |
| Who | User identifier, session ID |
| When | Precise timestamp of every action |
| Where | IP address, device type, browser, geolocation |
| What | Action type and result |

What We Log

Login Attempts

All login attempts are logged — both successful and failed. This helps detect brute-force attacks and unauthorized access attempts.

Profile Changes

Any modification to user profile, email, phone number, or security settings is recorded with full context.

Password Operations

Password resets, changes, and recovery attempts are tracked for security analysis.

Session Activity

Session creation, renewal, and termination events are logged for complete visibility.
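
How the failed and successful login records described under Login Attempts can be turned into brute-force signals, as an added example that is not the Portal's or Keycloak's own code. The field names (`ts`, `user_id`, `ip`, `action`, `result`), the `LOGIN`/`SUCCESS`/`FAILURE` values and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_FAILS_PER_USER = 5         # assumed: failed logins tolerated per account
MAX_USERS_PER_IP = 3           # assumed: distinct accounts one IP may fail against


def detect(events):
    """Return ordered, de-duplicated (kind, subject) alerts from audit events."""
    by_user = defaultdict(deque)  # user_id -> timestamps of recent failures
    by_ip = defaultdict(deque)    # ip -> (timestamp, user_id) of recent failures
    alerts = {}                   # dict keeps first-seen order and de-duplicates
    parsed = [(datetime.fromisoformat(e["ts"]), e) for e in events]
    for ts, ev in sorted(parsed, key=lambda p: p[0]):
        if ev["action"] != "LOGIN":
            continue
        user, ip = ev["user_id"], ev["ip"]
        fails, spread = by_user[user], by_ip[ip]
        # Expire failures that fell out of the window before judging this event.
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()
        while spread and ts - spread[0][0] > WINDOW:
            spread.popleft()
        if ev["result"] == "SUCCESS":
            # A success straight after a failure burst is the case to triage first.
            if len(fails) >= MAX_FAILS_PER_USER:
                alerts[("success_after_brute_force", user)] = None
            fails.clear()
            continue
        fails.append(ts)
        spread.append((ts, user))
        if len(fails) >= MAX_FAILS_PER_USER:
            alerts[("brute_force", user)] = None
        if len({u for _, u in spread}) >= MAX_USERS_PER_IP:
            alerts[("password_spray", ip)] = None
    return list(alerts)


def sample_event(second, user, ip, result, action="LOGIN"):
    # Constructed sample record; field names are assumptions, not the Audit Bus schema.
    return {"ts": f"2024-01-01T10:00:{second:02d}+00:00", "user_id": user,
            "ip": ip, "action": action, "result": result}


SAMPLE = ([sample_event(s, "alice", "203.0.113.7", "FAILURE") for s in range(5)]
          + [sample_event(6, "alice", "203.0.113.7", "SUCCESS")]
          + [sample_event(10 + i, u, "198.51.100.9", "FAILURE")
             for i, u in enumerate(["bob", "carol", "dave"])])
```

Calling `detect(SAMPLE)` flags the failure burst against one account, the successful login that follows it, and the single IP failing against several accounts. Failures spaced wider than the window raise nothing.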

Double Security

This architecture provides dual-layer protection:

  1. Keycloak — Enterprise-grade identity management with built-in security features
  2. Audit Bus — Our custom logging layer for complete transparency and forensic capabilities

This combination ensures that even if an incident occurs, we have complete audit trails for investigation and compliance.


Available Authentication Methods

AUTH supports multiple ways to register and log in:

Passwordless is now the default! When you open the login or registration page, you’ll see the Email + OTP form by default. This method is more secure and convenient — no password to remember! You can switch to traditional password-based authentication by clicking “Sign in with password” or “Register with password”.

| Method | Type | Status |
| --- | --- | --- |
| Email + OTP | Passwordless (Default) | Fully available |
| Phone + OTP | Passwordless | Fully available |
| Email + Password | Traditional | Fully available |
| Google | Social OAuth | Fully available |
| Facebook | Social OAuth | Limited availability* |
| GitHub | Social OAuth | Limited availability* |
| Discord | Social OAuth | Limited availability* |

*Facebook, GitHub, and Discord authentication may experience intermittent issues due to network restrictions in certain regions where our servers are located. We recommend using Email, Phone, or Google authentication for the most reliable experience.


Key Security Features

Two-Factor Authentication (2FA)

Add an extra layer of security with TOTP-based 2FA. Compatible with Google Authenticator, Authy, and other authenticator apps.

Email Verification

All accounts require email verification to prevent unauthorized access and ensure account recovery options.

Session Management

View and manage all active sessions. Remotely log out from any device if needed.

Brute Force Protection

Automatic rate limiting and account lockout after multiple failed login attempts.


Frequently Asked Questions

Is my password visible to your administrators?

No. Passwords are hashed using one-way cryptographic functions. Even our system administrators cannot see or recover your actual password. If you forget it, you must create a new one through the password reset process.

Do you share my data with third parties?

No. Your authentication data is stored exclusively on our servers and is never shared with or sold to third parties. We do not use external cloud services for credential storage.

What happens if I lose access to my 2FA device?

During 2FA setup, you receive backup codes. Store these securely — they allow account recovery if you lose your authenticator device. If you’ve lost both, contact support for manual identity verification.

Can I use AUTH on multiple devices?

Yes. You can be logged in on multiple devices simultaneously. Each session is tracked independently, and you can manage all active sessions from your security settings.

