Introduction
FTE Tree is committed to keeping your data secure. This article covers authentication and security features available to individual users and organization administrators, including multi-factor authentication (MFA), single sign-on (SSO), and domain restrictions.
Multi-Factor Authentication (MFA)
Multi-factor authentication, also known as two-factor authentication (2FA), adds a second form of verification beyond your password.
Setting Up MFA
To set up MFA, navigate to your user profile and select the Multi-Factor Authentication option. You will be guided through the setup process, which typically involves scanning a QR code with an authenticator app on your mobile device. Popular authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy.
Backup Tokens
During MFA setup, you will be provided with backup tokens. These tokens can be used to access your account if you lose access to your authenticator device. Store these tokens in a secure location. Each backup token can only be used once.
Removing MFA
You can remove MFA from your account at any time through your user profile settings. However, if your organization requires MFA, removing it will result in losing access to that organization's data until MFA is re-enabled.
Organization MFA Requirements
Organization administrators can require all users to have MFA enabled to access the organization's data. When this setting is enabled:
- Users without MFA will be prompted to set it up before accessing the organization.
- If a user disables MFA while this requirement is active, they will immediately lose access.
We strongly encourage enabling this requirement for all organizations.
Sign In with a Code
FTE Tree offers a passwordless sign-in option that lets you log in using a one-time code sent to your email address.
How It Works
- On the sign-in page, select Send me a sign-in code.
- Enter the email address associated with your account and select Request Code.
- Check your email for a message containing a sign-in code.
- Enter the code on the verification page to complete your sign-in.
The code expires after 5 minutes. If it expires, you can request a new one by repeating the process. This option is available alongside traditional password-based sign-in.
Single Sign-On (SSO)
Single sign-on allows organization administrators to require users to authenticate through an approved identity provider before accessing organization data.
FTE Tree keeps authentication and authorization separate. SSO confirms who the user is. Local access roles, capabilities, and department scope sets determine what the user can do after sign-in.
Supported SSO Providers
FTE Tree supports Google and Microsoft sign-in. Enterprise OIDC providers can also be configured for an organization when available. These OIDC connections use the application's identity-provider configuration and are evaluated per organization.
Configuring SSO
Organization administrators configure SSO requirements under Settings > Security:
- Approved Providers: Enable the sign-in providers permitted for your organization. Enabling an approved provider makes SSO required for that organization.
- Domain Restrictions: Optionally restrict SSO to specific email domains. Multiple domains can be specified, separated by commas.
When SSO is configured, users must access the organization with an active sign-in session from one of the approved providers. Password sign-in and sign-in by email code can still be used for account access or for other organizations that do not require SSO, but they do not satisfy an organization's SSO requirement.
If you belong to multiple organizations, each organization's security policy is evaluated separately. A sign-in that satisfies one organization may not satisfy another organization that requires a different provider or email domain.
Enterprise OIDC and External Groups
For enterprise OIDC, FTE Tree validates the provider identifier, issuer, audience or client ID, linked provider account, verified email claims when required, allowed domains, and the organization policy before treating a session as satisfying SSO.
External identity-provider group values can be mapped to local access roles. External groups do not grant capabilities directly. This keeps access decisions auditable and manageable inside FTE Tree while still allowing identity-provider groups to automate access role membership.
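The per-organization evaluation described above (approved providers, SSO domain restriction, MFA requirement, and the issuer, audience, linked-account and verified-email checks for enterprise OIDC), as an added illustration that is not FTE Tree's code. The organization settings, session fields, provider registry and claim names are assumptions.

```python
# Added example, not FTE Tree's code: decide whether one sign-in session
# satisfies each organization's security policy. Every org is checked on
# its own, so the same session can pass one org and fail another.
from dataclasses import dataclass

@dataclass
class OrgPolicy:
    name: str
    approved_providers: set          # enabling any provider makes SSO required
    sso_domains: str = ""            # comma-separated SSO domain restriction
    require_mfa: bool = False

@dataclass
class Session:
    method: str                      # "password", "email_code" or "oidc"
    provider: str = ""               # provider identifier, e.g. "acme-oidc"
    issuer: str = ""                 # iss claim of the ID token
    audience: str = ""               # aud claim (client ID) of the ID token
    email: str = ""
    email_verified: bool = False     # email_verified claim
    linked_account: bool = False     # provider account linked to the local user
    mfa_enabled: bool = False

# Assumed registry of configured enterprise OIDC providers: id -> (issuer, client_id)
PROVIDERS = {"acme-oidc": ("https://login.example.test/", "fte-tree-client")}

def parse_domains(csv):
    """Comma-separated domain list -> set of lowercase domains."""
    return {d.strip().lower() for d in csv.split(",") if d.strip()}

def satisfies_org(session, org):
    """Return (allowed, reason) for a single organization."""
    if org.require_mfa and not session.mfa_enabled:
        return False, "mfa required"
    if not org.approved_providers:
        return True, "sso not required"          # password or email code is fine here
    if session.method != "oidc" or session.provider not in org.approved_providers:
        return False, "sign-in method does not satisfy sso"
    expected = PROVIDERS.get(session.provider)
    if expected is None or (session.issuer, session.audience) != expected:
        return False, "issuer or audience mismatch"
    if not session.linked_account or not session.email_verified:
        return False, "unlinked account or unverified email"
    allowed = parse_domains(org.sso_domains)
    if allowed and session.email.rsplit("@", 1)[-1].lower() not in allowed:
        return False, "email domain not permitted"
    return True, "ok"
```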
Email Domain Restrictions
Independent of SSO, organization administrators can restrict which email domains are allowed for users in their organization. This is distinct from SSO domain restrictions: SSO domain restrictions gate sign-in, while Email Domain Restrictions gate both outbound email delivery and new invitation email addresses.
Each configured domain is matched exactly. For example, listing company.com allows user@company.com but does not allow user@mail.company.com. List each required subdomain separately. Multiple domains can be specified, separated by commas.
When a new organization is created, the field is pre-populated with the email domain of the creating owner. Administrators can edit or clear this list at any time under Settings > Security.
The restriction is enforced in two places:
- Outbound email: Notifications will not be delivered to recipients whose exact email domain is outside the allowed list.
- Invitations: An administrator cannot create an invitation for an email address outside the allowed list; the invitation form will reject the entry with the list of permitted domains. The invitee must accept with a verified email address that matches the invitation.
Email domain restrictions do not replace SSO rules. A user who accepts an invitation must still satisfy any required SSO provider, SSO domain, and MFA policy before accessing the organization.
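Exact-match domain checking at the two enforcement points above (outbound email and invitations), as an added example that is not FTE Tree's code. Function names, the rejection message format and case-insensitive domain comparison are assumptions.

```python
# Added example, not FTE Tree's code: Email Domain Restrictions with exact
# matching, so company.com permits user@company.com but not user@mail.company.com.

def parse_allowed_domains(csv):
    """Comma-separated list from Settings > Security -> set of lowercase domains."""
    return {d.strip().lower() for d in csv.split(",") if d.strip()}

def email_domain(address):
    """Domain part of an address, lowercased (assumed case-insensitive, as DNS names are)."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep and local else ""

def domain_permitted(address, allowed):
    """Exact match only; an empty (cleared) list means no restriction."""
    return not allowed or email_domain(address) in allowed

def deliverable_recipients(recipients, allowed):
    """Outbound email: drop recipients whose exact domain is outside the list."""
    return [r for r in recipients if domain_permitted(r, allowed)]

def validate_invitation(address, allowed):
    """Invitation form: None when accepted, otherwise the rejection message."""
    if domain_permitted(address, allowed):
        return None
    return "Email domain not permitted. Allowed domains: " + ", ".join(sorted(allowed))
```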
Infrastructure Security
FTE Tree uses a subdomain-based architecture to isolate each organization. Every organization is assigned a unique subdomain, and all requests are validated to ensure they belong to the correct organization before any data is served.
Key infrastructure protections include:
- HTTPS enforcement: All connections to FTE Tree are encrypted using HTTPS.
- Secure session handling: Session cookies are configured with secure flags and scoped appropriately.
- CSRF protection: Cross-site request forgery protections are applied to all requests, with trusted origins validated per subdomain.
- Encrypted storage: All data, including uploaded files, is encrypted at rest. File download links are time-limited and accessible only to authorized users within the organization.
- Database backups: Daily encrypted backups are maintained with a defined retention policy.
For more details on how organizations are separated, see Introduction to the Organization.
Security Best Practices
- Use unique, strong passwords for your FTE Tree account if using a local login.
- Enable MFA on your account, even if your organization does not require it.
- Review active sessions regularly and log out of unrecognized devices.
- Keep your email address up to date so you receive important security notifications.
- Review access role mappings when changing identity-provider group assignments.
For any security concerns or questions, please contact us or email us at support@ftetree.com.