Authentication and security
Introduction
FTE Tree is committed to keeping your data secure. This article covers authentication and security features available to individual users and organization administrators, including multi-factor authentication (MFA), single sign-on (SSO), and domain restrictions.
Multi-factor authentication (MFA)
Multi-factor authentication, also known as two-factor authentication (2FA), adds a second form of verification beyond your password.
Set up MFA
To set up MFA, navigate to your user profile, select Security settings, and open the authenticator setup option. You will be guided through the setup process, which typically involves scanning a QR code with an authenticator app on your mobile device. Popular authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy.
Recovery codes
During MFA setup, you will be provided with recovery codes. These codes can be used to access your account if you lose access to your authenticator device. Store them in a secure location. Each recovery code can only be used once.
Turn off MFA
You can remove MFA from your account at any time through your user profile settings. However, if your organization requires MFA, removing it will result in losing access to that organization's data until MFA is re-enabled.
Organization MFA requirements
Organization administrators can require all users to have MFA enabled to access the organization's data. When this setting is enabled:
- Users without MFA will be prompted to set it up before accessing the organization.
- If a user disables MFA while this requirement is active, they will immediately lose access.
We strongly encourage enabling this requirement for all organizations.
Sign in with a code
FTE Tree offers a passwordless sign-in option that lets you log in using a one-time code sent to your email address.
How it works
- On the sign-in page, select Send me a sign-in code.
- Enter the email address associated with your account and select Send code.
- Check your email for a message containing a sign-in code.
- Enter the code on the verification page to complete your sign-in.
The code expires after 5 minutes. If it expires, you can request a new one by repeating the process. This option is available alongside traditional password-based sign-in.
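The properties stated above (a one-time code, valid for 5 minutes) modelled as an added illustrative example. This is not FTE Tree's implementation, whose internals this article does not describe. The 6-digit code length, storing only a hash of the code, and the limit of 5 wrong guesses are assumptions made for the example; the 300-second lifetime is the one the article gives.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # the 5-minute lifetime stated in the article
CODE_DIGITS = 6         # assumption: the article does not state the code length
MAX_ATTEMPTS = 5        # assumption: wrong guesses allowed before the code becomes void


@dataclass
class PendingCode:
    code_hash: bytes      # only a hash is kept; the clear-text code exists only in the email
    expires_at: float
    attempts: int = 0
    used: bool = False


class EmailCodeStore:
    """In-memory store of outstanding sign-in codes, one per email address.

    `now` is passed in explicitly so expiry can be exercised deterministically.
    """

    def __init__(self) -> None:
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _hash(email: str, code: str) -> bytes:
        # Bind the hash to the address so a code issued to one account cannot be
        # replayed against another account.
        return hashlib.sha256(f"{email.lower()}:{code}".encode()).digest()

    def issue(self, email: str, now: float) -> str:
        """Generate a fresh code for `email`; any earlier code for that address is discarded."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[email.lower()] = PendingCode(
            code_hash=self._hash(email, code),
            expires_at=now + CODE_TTL_SECONDS,
        )
        return code  # hand this to the mail sender only; never write it to a log

    def verify(self, email: str, code: str, now: float) -> bool:
        """Accept `code` once, only before expiry and only while guesses remain."""
        entry = self._pending.get(email.lower())
        if entry is None or entry.used or now > entry.expires_at:
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False  # too many wrong guesses: the code is void, request a new one
        entry.attempts += 1
        if not hmac.compare_digest(entry.code_hash, self._hash(email, code)):
            return False
        entry.used = True  # single use: presenting the same code again is rejected
        return True


if __name__ == "__main__":
    # Constructed walk-through: issue, use once, then observe the replay being refused.
    store = EmailCodeStore()
    issued_at = 1_700_000_000.0
    code = store.issue("alice@example.com", issued_at)
    print("first use accepted:", store.verify("alice@example.com", code, issued_at + 10))
    print("replay accepted:   ", store.verify("alice@example.com", code, issued_at + 11))
```

Three details carry the security value: the comparison is constant-time, the stored value is a hash bound to the address rather than the code itself, and a code is consumed the moment it succeeds, so the same emailed code cannot be used twice.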
Single sign-on (SSO)
Single sign-on allows organization administrators to require users to authenticate through an approved identity provider before accessing organization data.
FTE Tree keeps sign-in and product access separate. SSO confirms who the user is. Access roles and department access determine what the user can do after sign-in.
FTE Tree also keeps organization workspace sessions separate. Your account sign-in lets you choose an organization, but each organization must independently accept the sign-in method before its data is shown.
Supported SSO providers
FTE Tree supports Google and Microsoft sign-in. Enterprise identity providers can also be prepared and tested for an organization when available.
Configure SSO
Organization administrators configure standard SSO requirements under Settings > Security:
- Approved providers: Enable the sign-in providers permitted for your organization. Enabling an approved provider makes SSO required for that organization.
- Domain restrictions: Optionally restrict SSO to specific email domains. Multiple domains can be specified, separated by commas.
Enterprise SSO must first be enabled for the organization by FTE Tree. After that, authorized organization security administrators can use Settings > Security > Identity providers to prepare and test draft identity provider settings, configure allowed domains, and map external groups to access roles. FTE Tree controls provider activation and organization-wide SSO enforcement to help prevent accidental lockout.
When SSO is configured, users must access the organization with an organization session that was verified against one of the approved providers. Password sign-in and sign-in by email code can still be used for account access or for other organizations that do not require SSO, but they do not satisfy an organization's SSO requirement.
If you belong to multiple organizations, each organization's security policy is evaluated separately. A sign-in that satisfies one organization may not satisfy another organization that requires a different provider, email domain, MFA state, or enterprise identity-provider rule.
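The per-organization evaluation described in this section, written out as an added example. It is not FTE Tree's code; it models only the three rules the article names (approved provider, SSO email domain, MFA state) and the statement that password and email-code sign-ins never satisfy an SSO requirement. The method names, the exact-match treatment of SSO domains, and the rule that an empty provider list means SSO is not required are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class SignIn:
    """What the account-level sign-in established."""
    method: str        # assumed values: "password", "email_code", "google", "microsoft"
    email: str
    mfa_verified: bool


@dataclass
class OrgPolicy:
    """One organization's security policy, evaluated independently of every other organization."""
    approved_providers: frozenset[str] = field(default_factory=frozenset)  # empty: SSO not required
    sso_domains: frozenset[str] = field(default_factory=frozenset)         # empty: any domain
    require_mfa: bool = False


def parse_domains(text: str) -> frozenset[str]:
    """Comma-separated administrator input -> set of lower-cased domains."""
    return frozenset(part.strip().lower() for part in text.split(",") if part.strip())


def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(policy: OrgPolicy, signin: SignIn) -> tuple[bool, str]:
    """Decide whether this sign-in satisfies this organization; the reason is for audit logs."""
    if policy.require_mfa and not signin.mfa_verified:
        return False, "mfa_required"
    if policy.approved_providers:
        # Password and email-code sign-ins are valid for the account but never satisfy SSO.
        if signin.method not in policy.approved_providers:
            return False, "sso_provider_required"
        # Exact domain match is assumed here, as the article states for email domain restrictions.
        if policy.sso_domains and email_domain(signin.email) not in policy.sso_domains:
            return False, "sso_domain_not_allowed"
    return True, "ok"


def evaluate_all(policies: dict[str, OrgPolicy], signin: SignIn) -> dict[str, tuple[bool, str]]:
    """The same sign-in checked against every organization the user belongs to."""
    return {org: evaluate(policy, signin) for org, policy in policies.items()}


if __name__ == "__main__":
    # Constructed organizations and a constructed sign-in; names are placeholders.
    policies = {
        "acme": OrgPolicy(approved_providers=frozenset({"google"}),
                          sso_domains=parse_domains("acme.example, acme-uk.example")),
        "beta": OrgPolicy(require_mfa=True),
        "open": OrgPolicy(),
    }
    signin = SignIn(method="google", email="dana@acme.example", mfa_verified=False)
    for org, (allowed, reason) in evaluate_all(policies, signin).items():
        print(f"{org}: {'allowed' if allowed else 'denied'} ({reason})")
```

Returning a reason alongside the decision is deliberate: when a user is shown data in one organization and refused in another, the audit record should say which rule (provider, domain, or MFA) the second organization applied.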
Enterprise SSO and external groups
For enterprise SSO, FTE Tree checks the approved provider, verified email information when required, allowed domains, and the organization policy before treating a sign-in as valid for the organization.
External identity-provider groups can be mapped to local access roles. External groups do not grant individual permissions directly. This keeps access decisions auditable and manageable inside FTE Tree while still allowing identity-provider groups to automate access role membership.
Review external group mappings whenever access roles change. A mapped identity-provider group changes role membership, while the access role itself controls the permissions and department access granted inside FTE Tree.
Email domain restrictions
Independent of SSO, organization administrators can restrict which email domains are allowed for users in their organization. This is distinct from SSO domain restrictions: SSO domain restrictions control sign-in, while email domain restrictions control both outbound email delivery and new invitation email addresses.
Each configured domain is matched exactly. For example, listing company.com allows user@company.com but does not allow user@mail.company.com. List each required email domain separately. Multiple domains can be specified, separated by commas.
When a new organization is created, the field is pre-populated with the email domain of the creating owner. Administrators can edit or clear this list at any time under Settings > Organization > General settings.
The restriction is enforced in two places:
- Outbound email: Notifications will not be delivered to recipients whose exact email domain is outside the allowed list.
- Invitations: An administrator cannot create an invitation for an email address outside the allowed list; the invitation form will reject the entry with the list of permitted domains. The invitee must accept with a verified email address that matches the invitation.
Email domain restrictions do not replace SSO rules. A user who accepts an invitation must still satisfy any required SSO provider, SSO domain, and MFA policy before accessing the organization.
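The exact-match rule and the two enforcement points described above, as an added example that is not FTE Tree's code. It shows the comma-separated list being parsed, the exact domain comparison (company.com admits user@company.com but not user@mail.company.com), the outbound-recipient filter, and an invitation check that answers with the permitted domains. It also shows, for contrast, the suffix comparison that a naive implementation would make and why it is wrong. Treating an empty list as "no restriction" is an assumption; the article says only that the list can be cleared.

```python
from __future__ import annotations


def parse_domain_list(text: str) -> frozenset[str]:
    """Turn the comma-separated administrator setting into a set of exact, lower-cased domains."""
    return frozenset(part.strip().lower() for part in text.split(",") if part.strip())


def email_domain(address: str) -> str | None:
    """Return the domain part of a single user@domain address, or None if the shape is wrong."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def domain_allowed(address: str, allowed: frozenset[str]) -> bool:
    """Exact match against the list; subdomains are not implied by their parent domain."""
    if not allowed:
        return True  # assumption: a cleared list means no restriction
    domain = email_domain(address)
    return domain is not None and domain in allowed


def naive_suffix_allowed(address: str, allowed: frozenset[str]) -> bool:
    """The mistake to avoid: a suffix test lets user@notcompany.com through for company.com."""
    return any(address.lower().endswith(domain) for domain in allowed)


def filter_recipients(recipients: list[str], allowed: frozenset[str]) -> tuple[list[str], list[str]]:
    """Outbound email: split a notification's recipients into deliverable and suppressed."""
    delivered = [r for r in recipients if domain_allowed(r, allowed)]
    suppressed = [r for r in recipients if not domain_allowed(r, allowed)]
    return delivered, suppressed


def validate_invitation(address: str, allowed: frozenset[str]) -> tuple[bool, str]:
    """Invitations: reject an address outside the list and name the permitted domains."""
    if domain_allowed(address, allowed):
        return True, ""
    return False, "Invitations are limited to these email domains: " + ", ".join(sorted(allowed))


if __name__ == "__main__":
    # Constructed setting and addresses; the domains are placeholders.
    allowed = parse_domain_list("company.com, partner.org")
    recipients = ["user@company.com", "user@mail.company.com", "user@notcompany.com", "x@partner.org"]
    delivered, suppressed = filter_recipients(recipients, allowed)
    print("delivered:", delivered)
    print("suppressed:", suppressed)
    print("naive suffix check accepts user@notcompany.com:",
          naive_suffix_allowed("user@notcompany.com", allowed))
    print(validate_invitation("user@mail.company.com", allowed))
```

The suffix variant is included only to make the failure visible: besides admitting subdomains the administrator never listed, it admits any unrelated domain that happens to end in the listed string, which is exactly the kind of lookalike an attacker would register. Comparing the full domain string after splitting on the last "@" avoids both problems.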
Infrastructure security
Each organization has its own FTE Tree address, and FTE Tree checks organization access before showing data.
Key infrastructure protections include:
- HTTPS enforcement: All connections to FTE Tree are encrypted using HTTPS.
- Secure session handling: Account sign-in and organization workspace sessions are separated. Each organization workspace uses its own protected session and must satisfy that organization's security policy.
- Request protection: FTE Tree applies protections that help prevent unauthorized browser requests.
- Encrypted storage: All data, including uploaded files, is encrypted at rest. File download links are time-limited and accessible only to authorized users within the organization.
- Database backups: Daily encrypted backups are maintained with a defined retention policy.
For more details on how organizations are separated, see Introduction.
Security best practices
- Use a unique, strong password for your FTE Tree account if you use a local login.
- Enable MFA on your account, even if your organization does not require it.
- Review active sessions regularly and log out of unrecognized devices.
- Keep your email address up to date so you receive important security notifications.
- Review access role mappings when changing identity-provider group assignments.
- Separate security administration from ordinary operations when your organization has multiple administrators.
For any security concerns or questions, please contact us or email us at support@ftetree.com.