Authentication and security
Overview
FTE Tree is committed to keeping your data secure. This article covers authentication and security features available to individual users and organization administrators, including multi-factor authentication (MFA), single sign-on (SSO), and domain restrictions.
Access needed
| Activity | Access needed |
|---|---|
| Manage organization security settings | Security settings |
| Configure identity providers | Manage identity providers and enterprise SSO enabled for the organization |
| Access setup | See Permissions and roles. |
Multi-factor authentication (MFA)
Multi-factor authentication, also known as two-factor authentication (2FA), adds a second form of verification beyond your password.
Set up MFA
To set up MFA, open Profile > Two-factor and select the authenticator setup option. You will be guided through the setup process, which typically involves scanning a QR code with an authenticator app on your mobile device. Popular authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy.
Recovery codes
During MFA setup, you will be provided with recovery codes. These codes can be used to access your account if you lose access to your authenticator device. Store them in a secure location. Each recovery code can only be used once.
Lost MFA devices
If you lose access to your authenticator app and recovery codes, ask an authorized organization security user for help. They can request account recovery for another active registered user in the organization.
Account recovery can reset FTE Tree-managed MFA only. MFA controlled by Google, Microsoft, or an enterprise identity provider must be recovered through that provider.
Turn off MFA
You can remove MFA from your account at any time through your user profile settings. However, if your organization requires MFA, removing it will result in losing access to that organization's data until MFA is re-enabled.
Organization MFA requirements
Organization administrators can require all users to have MFA enabled to access the organization's data. When this setting is enabled:
- Users without MFA will be prompted to set it up before accessing the organization.
- If a user disables MFA while this requirement is active, they will immediately lose access.
- When an organization requires MFA, administrators can decide whether trusted browsers can satisfy that requirement and how long that trust lasts.
- We strongly encourage enabling this requirement for all organizations.
Trusted browsers
After completing MFA, you may be offered the option to trust the browser you are using. Trusting a browser is optional. When allowed by your organization, it can reduce how often you are asked for an MFA code on that browser.
If your organization requires MFA, it also decides whether trusted browsers can satisfy that requirement and how long they remain valid. If your organization disables trusted browsers or uses a shorter trust period, FTE Tree may ask for MFA again before showing organization data even on a browser you previously trusted. If your organization does not require MFA, trusted-browser behavior still applies to your own account MFA at sign-in when you have enabled MFA for your account.
Sign in with a code
FTE Tree offers a passwordless sign-in option that lets you log in using a one-time code sent to your email address.
How it works
- On the sign-in page, select Send a sign-in code.
- Enter the email address associated with your account and select Send code.
- Check your email for a message containing a sign-in code.
- Enter the code on the verification page to complete your sign-in.
The code expires after 5 minutes. If it expires, you can request a new one by repeating the process. This option is available alongside traditional password-based sign-in.
Email-first sign-in and organization workspaces
Most users start at app.ftetree.com/login/ and enter their email address. FTE Tree then determines which organization workspaces the account can access.
If your account belongs to one active organization, you are sent to that organization's workspace sign-in page. If your account belongs to more than one active organization, you choose the organization from a picker before continuing.
Some organizations may provide an organization code to help users find the right workspace. The code helps select an organization; it does not replace authentication, organization access, MFA, or SSO requirements.
An organization FTE Tree address usually looks like this:
app.ftetree.com/org/your-organization/
This address opens the correct organization. FTE Tree still checks that your account has active access to that organization before showing any data.
Refreshing an organization session
FTE Tree may ask you to refresh your organization session before continuing. This can happen when you return to a tab that has been open for a while, after your account or organization security settings change, or after a session is ended from another device.
Select Continue to organization to refresh access and return to the organization workspace. If you were submitting a change, review the page after you return and submit the change again if needed. FTE Tree does not automatically resubmit changes after a session refresh.
Single sign-on (SSO)
Single sign-on allows organization administrators to require users to authenticate through an approved identity provider before accessing organization data.
FTE Tree keeps sign-in and product access separate. SSO confirms who the user is. Access roles and department access determine what the user can do after sign-in.
FTE Tree also keeps organization access checks separate. Your account sign-in lets you choose an organization, but each organization must independently accept the sign-in method before its data is shown.
Supported SSO providers
FTE Tree supports Google and Microsoft sign-in. Enterprise identity providers can also be prepared and tested for an organization when available.
Configure SSO
Organization administrators configure standard SSO requirements under Settings > Security & sign-in > Security settings:
- Approved providers: Enable the sign-in providers permitted for your organization. Enabling an approved provider makes SSO required for that organization.
- Domain restrictions: Optionally restrict SSO to specific email domains. Multiple domains can be specified, separated by commas.
Enterprise SSO must first be enabled for the organization by FTE Tree. After that, authorized organization security administrators can use Settings > Security & sign-in > Identity providers to prepare and test draft identity provider settings, configure allowed domains, and map external groups to access roles. Enterprise identity-provider drafts store identity provider details and access rules only; confidential setup values are handled directly by FTE Tree and are not entered on this form. FTE Tree activates organization-wide SSO only when the configuration is ready, which helps prevent accidental lockout.
When SSO is configured, users must access the organization with an organization session that was verified against one of the approved providers. Password sign-in and sign-in by email code can still be used for account access or for other organizations that do not require SSO, but they do not satisfy an organization's SSO requirement.
If you belong to multiple organizations, each organization's security policy is evaluated separately. A sign-in that satisfies one organization may not satisfy another organization that requires a different provider, email domain, MFA state, or enterprise identity-provider rule.
Enterprise SSO and external groups
For enterprise SSO, FTE Tree checks the approved provider, verified email information when required, allowed domains, and the organization policy before treating a sign-in as valid for the organization.
External identity-provider groups can be mapped to local access roles. External groups do not grant individual permissions directly. This keeps access decisions auditable and manageable inside FTE Tree while still allowing identity-provider groups to automate access role assignment.
Review external group mappings whenever access roles change. A mapped identity-provider group changes role assignment, while the access role itself controls the permissions and department access granted inside FTE Tree.
Email domain restrictions
Independent of SSO, organization administrators can restrict which email domains are allowed for users in their organization. This is distinct from SSO domain restrictions: SSO domain restrictions control sign-in, while Email Domain Restrictions control both outbound email delivery and new invitation email addresses.
Each configured domain is matched exactly. For example, listing company.com allows user@company.com but does not allow user@mail.company.com. List each required email domain separately. Multiple domains can be specified, separated by commas.
When a new organization is created, the field is pre-populated with the email domain of the creating owner. Administrators can edit or clear this list at any time under Settings > Organization > General settings.
The restriction is enforced in two places:
- Outbound email: Notifications will not be delivered to recipients whose exact email domain is outside the allowed list.
- Invitations: An administrator cannot create an invitation for an email address outside the allowed list; the invitation form will reject the entry with the list of permitted domains. The invitee must accept with a verified email address that matches the invitation before it expires or is cancelled.
Email domain restrictions do not replace SSO rules. A user who accepts an invitation must still satisfy any required SSO provider, SSO domain, and MFA policy before accessing the organization.
Security protections
Each organization has its own FTE Tree address, such as app.ftetree.com/org/acme/. That address opens the right organization; FTE Tree still checks organization access before showing data.
Key infrastructure protections include:
- HTTPS enforcement: All connections to FTE Tree are encrypted using HTTPS.
- Secure session handling: Account sign-in and organization workspace access are separated. Each organization workspace must satisfy that organization's security policy before data is shown.
- Request protection: FTE Tree applies protections that help prevent unauthorized browser requests.
- Encrypted storage: All data, including uploaded files, is encrypted at rest. File download links are time-limited and accessible only to authorized users within the organization.
- Encrypted backups: Daily encrypted backups are maintained with a defined retention policy.
For more details on how organizations are separated, see Organization overview.
Security best practices
- Use unique, strong passwords for your FTE Tree account if using a local login.
- Enable MFA on your account, even if your organization does not require it.
- Review active sessions regularly and log out of unrecognized devices.
- Keep your email address up to date so you receive important security notifications.
- Review access role mappings when changing identity-provider group assignments.
- Separate security administration from ordinary operations when your organization has multiple administrators.