Introduction
FTE Tree is committed to keeping your data secure. This article covers the authentication and security features available to both individual users and organization administrators, including multi-factor authentication (MFA), single sign-on (SSO), and domain restrictions.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA), commonly called two-factor authentication (2FA) when exactly two factors are used, adds a layer of security to your account by requiring a second form of verification in addition to your password: typically a one-time code from an authenticator app on a device you hold, so that a stolen password alone is not enough to sign in.
Setting Up MFA
To set up MFA, navigate to your user profile and select the Multi-Factor Authentication option. You will be guided through the setup process, which typically involves scanning a QR code with an authenticator app on your mobile device. Popular authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy.
Backup Tokens
During MFA setup you will be given a set of backup tokens. Each token lets you sign in once if you lose access to your authenticator device; after that use it is spent and cannot be reused. Store the tokens somewhere secure and separate from the device that runs your authenticator app (for example, a password manager). Treat them like passwords: anyone who holds a token can use it in place of your authenticator.
Removing MFA
You can remove MFA from your account at any time through your user profile settings. However, if your organization requires MFA, removing it will result in losing access to that organization's data until MFA is re-enabled.
Organization MFA Requirements
Organization administrators can require every user to have MFA enabled before they can access the organization's data. When this setting is enabled:
- Users without MFA are prompted to set it up before they can access the organization.
- A user who disables MFA while the requirement is active immediately loses access, and regains it only after re-enabling MFA.
We strongly encourage enabling this requirement for all organizations.
Single Sign-On (SSO)
Single sign-on allows organization administrators to require users to authenticate through a specific identity provider, ensuring that only users with valid corporate credentials can access the organization's account.
Supported SSO Providers
FTE Tree supports the following SSO providers:
- Google: Users must sign in with their Google or Google Workspace (formerly G Suite) account.
- Microsoft: Users must sign in with their Microsoft 365 or other Microsoft account.
- LinkedIn: Users must sign in with their LinkedIn account.
Configuring SSO
Organization administrators can configure SSO requirements in the organization user settings:
- Require SSO: When enabled, users must authenticate through one of the configured SSO providers to access the organization.
- Allowed Providers: Select which SSO providers are permitted for your organization. You may enable one or more providers.
- Domain Restrictions: Optionally restrict SSO to specific email domains. For example, entering your company's domain ensures only users with a matching corporate email can access your organization. Multiple domains can be specified, separated by commas.
When SSO is configured, the system validates both the authentication provider and the email domain on each login to ensure compliance with your organization's policy.
Email Domain Restrictions
Independent of SSO, organization administrators can restrict which email domains are allowed for users in their organization. This ensures that FTE Tree only sends notifications to approved email addresses, typically your organization's corporate email domain.
Users with email addresses outside the allowed domains will be asked to update their email address to maintain access and continue receiving notifications.
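The two checks above (the provider and domain validation performed on each SSO login, and the separate email domain restriction) come down to the same policy evaluation. The following is an added example, not FTE Tree's own code, of how such a check is written so that it cannot be bypassed by look-alike domains: the comma-separated admin setting is normalized, and the domain of the login email must match a listed domain exactly. The policy field names and the reason strings are assumptions.

```python
# Added example (not FTE Tree's own code): evaluating one login against an
# organization's SSO and email-domain policy. Field names are assumptions.
from __future__ import annotations
from dataclasses import dataclass


def parse_domains(value: str) -> frozenset[str]:
    """Parse the comma-separated admin setting into normalized, lowercase domains."""
    domains = set()
    for raw in value.split(","):
        d = raw.strip().lower().rstrip(".")
        if d.startswith("@"):           # tolerate "@corp.example" as typed by admins
            d = d[1:]
        if d:
            domains.add(d)
    return frozenset(domains)


def email_domain(email: str) -> str | None:
    """Domain part of an address, or None if the address is malformed.
    Exactly one '@' is required, so 'a@corp.example@attacker.example' is rejected."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        return None
    return domain


@dataclass
class OrgPolicy:
    require_sso: bool = False
    allowed_providers: frozenset[str] = frozenset()
    sso_domains: frozenset[str] = frozenset()     # "Domain Restrictions" under SSO
    email_domains: frozenset[str] = frozenset()   # independent "Email Domain Restrictions"


def check_login(policy: OrgPolicy, provider: str | None, email: str) -> tuple[bool, str]:
    """Evaluate one login. `provider` is None for a local password login.
    Domain comparison is an exact set lookup, never a suffix match: a suffix match
    on 'corp.example' would also admit 'evilcorp.example'."""
    domain = email_domain(email)
    if domain is None:
        return False, "malformed email address"
    if policy.require_sso:
        if provider is None:
            return False, "SSO required; local login not permitted"
        if provider.lower() not in policy.allowed_providers:
            return False, f"provider {provider} not allowed"
        if policy.sso_domains and domain not in policy.sso_domains:
            return False, f"domain {domain} not in SSO domain restriction"
    if policy.email_domains and domain not in policy.email_domains:
        return False, f"domain {domain} not in allowed email domains"
    return True, "ok"
```

Because the match is exact, a subdomain such as `mail.corp.example` is rejected unless the administrator lists it separately; that is the safe default, since the alternative (accepting any subdomain) depends on trusting every host under the corporate domain.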
Infrastructure Security
FTE Tree uses a subdomain-based architecture to isolate each organization. Every organization is assigned a unique subdomain, and all requests are validated to ensure they belong to the correct organization before any data is served. This provides a strong boundary between organizations at the infrastructure level.
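As an added illustration (not FTE Tree's own code) of the validation described above, the function below resolves the organization from the request's Host header and refuses anything that is not exactly one label under the base domain, so that a host such as `acme.ftetree.com.attacker.example` or `evil.acme.ftetree.com` never resolves to an organization. The companion check accepts a state-changing request only when its Origin (or, failing that, Referer) is the organization's own HTTPS origin, which is the per-subdomain trusted-origin validation used for CSRF protection. The base domain `ftetree.com`, the organization table and the HTTPS-only rule are assumptions.

```python
# Added example (not FTE Tree's own code): Host-header to organization resolution
# and per-subdomain trusted-origin checking. Base domain and org table are assumptions.
from __future__ import annotations
import re
from urllib.parse import urlsplit

BASE_DOMAIN = "ftetree.com"          # assumption: organization subdomains hang off this domain
ORGS = {"acme": 1, "globex": 2}      # constructed sample: subdomain label -> organization id
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")   # one DNS label, no dots


def _normalize_host(host: str) -> str:
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:         # "name:port"; IPv6 literals (more colons) fall through
        host = host.rsplit(":", 1)[0]
    return host


def org_from_host(host: str) -> int | None:
    """Organization id for a Host header, or None unless the host is exactly
    <label>.<BASE_DOMAIN> with a known label. Suffix checks alone are not enough:
    'acme.ftetree.com.attacker.example' and 'evil.acme.ftetree.com' must both fail."""
    host = _normalize_host(host)
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if not _LABEL.match(label):
        return None
    return ORGS.get(label)


def csrf_origin_ok(host: str, origin: str | None, referer: str | None = None) -> bool:
    """For state-changing requests: the Origin header (or the Referer if the browser
    omitted Origin) must be exactly https://<the organization's own host>. A missing
    or 'null' origin, a different subdomain, or plain http is rejected."""
    if org_from_host(host) is None:
        return False
    source = origin or referer
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme == "https" and parts.netloc.lower() == _normalize_host(host)


if __name__ == "__main__":
    for h in ("acme.ftetree.com", "ACME.ftetree.com:443", "acme.ftetree.com.attacker.example"):
        print(h, "->", org_from_host(h))
```

Resolving the organization from the Host header rather than from anything in the URL path or a cookie is what makes the boundary hold: every later authorization check is keyed on the organization the request actually arrived at.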
Key infrastructure protections include:
- HTTPS enforcement: All connections to FTE Tree are encrypted using HTTPS. This is enforced across all organization subdomains through HTTP Strict Transport Security (HSTS), which instructs browsers to always use secure connections.
- Secure session handling: Session cookies are set with the Secure and HttpOnly flags and scoped to the organization's subdomain, so they are never transmitted over unencrypted connections, cannot be read by client-side scripts, and are not shared with other organizations' subdomains.
- CSRF protection: Cross-site request forgery protections are applied to all requests, with trusted origins validated per subdomain.
- Encrypted storage: All data, including uploaded files, is encrypted at rest on our servers. File download links are time-limited and accessible only to authorized users within the organization.
For more details on how organizations are separated, see Introduction to the Organization.
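The time-limited download links mentioned under "Encrypted storage" are an instance of a signed URL. The following is an added example, not FTE Tree's own code, of how such a link is minted and checked: the file id, organization, user and expiry are bound together under an HMAC, the verifier recomputes the signature using the organization the request arrived at (so a link minted for one organization fails on another), and expiry and user are only consulted after the signature holds. The signing key, the URL layout and the five-minute lifetime are assumptions.

```python
# Added example (not FTE Tree's own code): minting and verifying a time-limited,
# organization- and user-bound download link. Key, host and URL layout are assumptions.
from __future__ import annotations
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key-rotate-me"   # assumption: server-side secret, not in the URL


def _payload(org: str, user: int, file_id: str, expires: int) -> bytes:
    """Everything the signature covers; '|' keeps fields from running together."""
    return f"{org}|{user}|{file_id}|{expires}".encode()


def sign_download_link(org: str, user: int, file_id: str, now: int, ttl: int = 300) -> str:
    """Mint a link for `user` in `org` that stops working `ttl` seconds after `now`."""
    expires = now + ttl
    sig = hmac.new(SIGNING_KEY, _payload(org, user, file_id, expires), hashlib.sha256).hexdigest()
    query = urlencode({"uid": user, "exp": expires, "sig": sig})
    return f"https://{org}.ftetree.com/files/{file_id}?{query}"   # assumption: URL layout


def verify_download_link(url: str, request_org: str, session_user: int, now: int) -> tuple[bool, str]:
    """Check a presented link against the organization the request arrived at
    (from the Host header) and the user logged in on this session."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        uid, exp, sig = int(q["uid"][0]), int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed link"
    file_id = parts.path.rsplit("/", 1)[-1]
    # The organization comes from the request, not from the URL, so a link minted for
    # "acme" presented on "globex" simply fails to verify.
    expected = hmac.new(SIGNING_KEY, _payload(request_org, uid, file_id, exp), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now > exp:
        return False, "link expired"
    if uid != session_user:
        return False, "link belongs to another user"
    return True, "ok"


if __name__ == "__main__":
    link = sign_download_link("acme", 42, "q3-report.pdf", now=int(time.time()))
    print(link)
    print(verify_download_link(link, "acme", 42, now=int(time.time())))
```

Editing any signed field in the URL (the expiry, the file name, the user id) invalidates the signature, and the constant-time comparison keeps an attacker from learning the correct signature byte by byte. Binding the user id means a link copied out of one person's browser still requires that person's session to use.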
Security Best Practices
We recommend the following security practices for all FTE Tree users:
- Use unique, strong passwords for your FTE Tree account if using a local login.
- Enable MFA on your account, even if your organization does not require it.
- Review your active sessions regularly and log out of any unrecognized devices.
- Keep your email address up to date to ensure you receive important security notifications.
For any security concerns or questions, please contact us or email us at support@ftetree.com.