Authentication & Access Control
Comprehensive guide to Cothon's authentication system including two-factor authentication (2FA), single sign-on (SSO), session management, password policies, and Supabase Auth configuration
Cothon's authentication system is built on Supabase Auth, providing enterprise-grade security with multiple authentication methods, comprehensive session management, and granular access controls. Whether you're a solo procurement professional or managing a team of bid coordinators, our authentication framework ensures that only authorized users can access your sensitive proposal data and competitive intelligence.
This guide covers everything from basic password authentication to advanced enterprise SSO integration, two-factor authentication setup, and role-based access control for organizations.
Authentication Methods
Cothon supports multiple authentication methods to accommodate different security requirements and organizational policies.
Email & Password Authentication
The default authentication method uses email addresses and strong passwords secured with industry-standard hashing.
Warning
Password Security: Cothon uses Argon2id hashing for password storage, a memory-hard algorithm that resists brute-force attacks. Passwords are never stored in plaintext or reversible encryption. Even Cothon administrators cannot retrieve your password—only reset it.
If you suspect your password has been compromised, change it immediately at Settings → Security → Change Password.
Social Authentication (OAuth)
Cothon supports OAuth authentication with Google and Microsoft for faster account creation and login.
Note
OAuth Security: When you authenticate with Google or Microsoft, Cothon receives only your email address and basic profile information. We never receive your password or access to your emails, files, or other account data. OAuth tokens are stored encrypted and are only used to verify your identity during login.
Enterprise Single Sign-On (SSO)
Enterprise plans support SAML 2.0 SSO integration with corporate identity providers like Okta, Azure AD, OneLogin, and Google Workspace.
Success
SSO Benefits: Single sign-on provides centralized access control, streamlined onboarding/offboarding, and improved security through enforced corporate authentication policies. When an employee leaves your organization and is removed from your identity provider, they immediately lose access to Cothon—no manual account deletion required.
API Token Authentication
For programmatic access to Cothon's API, use API tokens instead of user credentials.
Warning
Token Security: API tokens provide the same access as your user account. Treat them like passwords:
- Never commit tokens to version control (use environment variables)
- Don't share tokens via email or chat
- Revoke tokens immediately if compromised
- Use read-only tokens whenever possible
- Enable token expiration for all non-production tokens
If a token is compromised, revoke it immediately at Settings → Security → API Tokens.
Two-Factor Authentication (2FA)
Two-factor authentication adds a critical second layer of security, requiring both your password and a time-based code to log in.
TOTP Authenticator Apps
Time-based One-Time Password (TOTP) authentication uses apps like Authy, Google Authenticator, or 1Password.
Tip
Protecting against lockout: Supabase's TOTP implementation does not natively generate single-use recovery codes. To protect yourself against losing access to your authenticator app, we strongly recommend:
- Enroll multiple devices. In Settings → Security → Two-factor authentication, click "Add another device" to enroll a second factor (e.g. your password manager) in addition to your primary authenticator app. Either device can then satisfy the challenge.
- Use an authenticator app with cloud backup (1Password, Authy, iCloud Keychain, Bitwarden). These sync your TOTP secrets across devices so losing one phone doesn't lock you out.
- Store the manual entry secret shown during enrollment in your password manager as a secondary record.
If you lose access to all enrolled devices, account recovery requires identity verification with our support team and can take several business days.
SMS and hardware security keys
Cothon does not currently support SMS-based 2FA or hardware security keys (FIDO2 / WebAuthn / YubiKey). TOTP is the only supported second factor today.
We deliberately excluded SMS because NIST 800-63B discourages it due to SIM-swap attacks. FIDO2 support may be added in a future release if customer demand justifies the implementation work; it is not currently on the near-term roadmap.
Managing 2FA
Once 2FA is enabled, you can manage it from Settings → Security → Two-Factor Authentication.
Disable 2FA
To disable two-factor authentication (not recommended), click "Disable 2FA". This requires:
- Entering your password
- Entering a current 2FA code
You'll receive an email confirmation that 2FA has been disabled.
Lost Access to 2FA?
If you've lost access to your authenticator app:
- Contact support@cothon.ca from your registered email address
- Provide proof of identity (government-issued ID matching your account name)
- Our support team will verify your identity and disable 2FA (3-5 business days)
- You'll receive a secure password reset link via email
- Set up 2FA again immediately after regaining access
Warning
Account Lockout Prevention: Before enabling 2FA, ensure you:
- Have enrolled multiple devices or use an authenticator with cloud backup (see tip above)
- Successfully logged in with a 2FA code at least once
- Have access to your registered email address (for account recovery)
Losing access to all enrolled authenticator devices can result in permanent account lockout if you also lose access to your email.
Session Management
Cothon uses JSON Web Tokens (JWT) for session management, balancing security with user convenience.
How Sessions Work
When you log in, Cothon issues two tokens:
- Access Token: Short-lived token (15 minutes) included in all API requests. Contains your user ID, organization memberships, and permissions.
- Refresh Token: Long-lived token (30 days) used to obtain new access tokens. Stored securely in httpOnly cookies, inaccessible to JavaScript.
This architecture means:
- You're logged in for up to 30 days without re-entering credentials
- Access tokens expire quickly, limiting damage if intercepted
- Refresh tokens live in httpOnly cookies, so script injected through an XSS flaw cannot read them
Active Sessions
View and manage all active sessions at Settings → Security → Active Sessions.
| Column | Description | Example |
|---|---|---|
| Device | Browser and operating system | Chrome 122 on macOS |
| Location | Approximate geographic location (based on IP) | Vancouver, BC, Canada |
| IP Address | Public IP address | 192.0.2.45 |
| Last Activity | Most recent API request | 5 minutes ago |
| Created | When this session was established | March 28, 2026 at 9:15 AM |
| Current | Whether this is your current session | ✓ (checkmark) |
Note
IP Address Logging: Cothon logs IP addresses for security monitoring and fraud prevention. We use IP addresses to:
- Detect unusual login patterns (e.g., logins from different countries within minutes)
- Enforce rate limiting and prevent abuse
- Investigate security incidents
IP addresses are considered personal information under PIPEDA. We retain session logs (including IP addresses) for 90 days, then permanently delete them. See Data Privacy for complete data handling practices.
Session Timeout & Inactivity
Sessions are subject to several timeout policies:
| Timeout Type | Duration | Behavior |
|---|---|---|
| Access Token Expiration | 15 minutes | Automatically refreshed in background; user experiences no interruption |
| Refresh Token Expiration | 30 days | Requires re-login; user is redirected to login screen |
| Absolute Timeout | 90 days | All sessions expire regardless of activity; requires re-login |
| Inactivity Timeout | 30 days | Sessions with no activity are automatically revoked |
Enterprise Policies: Enterprise plans can configure custom session timeout policies:
- Shorter access token lifetimes (5-60 minutes)
- Inactivity timeouts (15 minutes to 24 hours)
- Absolute maximum session duration (1-90 days)
- Force re-authentication for sensitive operations (even with valid session)
Contact your usual support channel to configure custom session policies.
Concurrent Sessions
Cothon allows unlimited concurrent sessions by default, so you can be logged in on:
- Your desktop computer at the office
- Your laptop at home
- Your tablet for presentations
- Your phone for quick access
Enterprise Limits: Organizations can limit concurrent sessions per user (e.g., maximum 3 active sessions). When the limit is reached, the oldest session is automatically revoked.
Secure Session Storage
Cothon implements multiple protections for session security:
httpOnly Cookies: Refresh tokens are stored in httpOnly cookies that cannot be accessed by JavaScript, preventing XSS attacks from stealing tokens.
Secure Flag: All cookies are marked Secure, ensuring they're only transmitted over HTTPS connections.
SameSite Protection: Cookies use SameSite=Lax to prevent cross-site request forgery (CSRF) attacks.
Token Rotation: Each time an access token is refreshed, the refresh token is also rotated, limiting the window of vulnerability if a token is compromised.
Fingerprinting: Sessions are bound to specific device/browser characteristics. Attempts to reuse tokens from different devices are rejected.
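As an added illustration (not Cothon's code; the page does not show the Supabase internals), here is a model of the refresh flow described above: every timeout from the table is applied, the session is bound to a device fingerprint, and the refresh token is rotated on each successful use. The `Session` class, the `refresh` function and the way the fingerprint is derived are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lifetimes from the Session Timeout & Inactivity table on this page.
ACCESS_TTL = timedelta(minutes=15)
REFRESH_TTL = timedelta(days=30)
INACTIVITY_TTL = timedelta(days=30)
ABSOLUTE_TTL = timedelta(days=90)

@dataclass
class Session:
    user_id: str
    fingerprint: str           # hash of device/browser characteristics (how it is derived is assumed)
    created_at: datetime
    last_activity: datetime
    refresh_token: str         # the single currently valid refresh token
    refresh_issued_at: datetime
    revoked: bool = False

def new_session(user_id, fingerprint, now):
    return Session(user_id, fingerprint, now, now, secrets.token_urlsafe(32), now)

def refresh(session, presented_token, fingerprint, now):
    """Apply every timeout from the table, verify the token, then rotate it.
    Returns ("ok", access_expiry, new_refresh_token) or ("denied", reason)."""
    def deny(reason, revoke=True):
        if revoke:
            session.revoked = True
        return ("denied", reason)
    if session.revoked:
        return deny("session revoked")
    if fingerprint != session.fingerprint:      # reuse from a different device is rejected
        return deny("device mismatch", revoke=False)
    if now - session.created_at > ABSOLUTE_TTL:
        return deny("absolute timeout")
    if now - session.last_activity > INACTIVITY_TTL:
        return deny("inactivity timeout")
    if now - session.refresh_issued_at > REFRESH_TTL:
        return deny("refresh token expired")
    if not secrets.compare_digest(presented_token.encode(), session.refresh_token.encode()):
        # Forged, or already rotated away; revoking the whole session here is this example's choice.
        return deny("stale or unknown refresh token")
    session.refresh_token = secrets.token_urlsafe(32)   # rotation: the old token stops working
    session.refresh_issued_at = session.last_activity = now
    return ("ok", now + ACCESS_TTL, session.refresh_token)
T0 = datetime(2026, 3, 28, 9, 15)   # constructed "Created" time, as in the sessions table above
def at(minutes=0, days=0):
    return T0 + timedelta(minutes=minutes, days=days)
```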
Password Policies
Cothon enforces strong password policies to protect accounts from unauthorized access.
Password Requirements
All passwords must meet these requirements:
Password Strength Meter: When creating or changing passwords, Cothon displays a real-time strength meter:
- Weak (red): Does not meet minimum requirements
- Fair (orange): Meets requirements but could be stronger
- Good (yellow): Strong password with good complexity
- Strong (green): Excellent password with high entropy
Aim for "Strong" passwords for maximum security.
Tip
Creating Strong Passwords: Use a passphrase approach for memorable yet secure passwords:
- Choose 4-5 random words: Correct Horse Battery Staple
- Add numbers and symbols: Correct4Horse9Battery!Staple
- Vary capitalization: Correct4horse9Battery!staple
Or use a password manager like 1Password, Bitwarden, or LastPass to generate and store complex random passwords.
Password Changes
Change your password at Settings → Security → Change Password.
Forced Password Changes: In some situations, you may be required to change your password:
- Your account showed signs of unauthorized access
- Your organization enforces periodic password rotation (enterprise feature)
Password Reset
If you forget your password, use the password reset flow.
Warning
Reset Link Security: Password reset links are single-use and expire after 1 hour. If someone else clicks the link before you, it becomes invalid. Always use the most recent reset email.
If you receive a password reset email you didn't request:
- Do not click the link
- Immediately change your password through the normal login flow
- Enable 2FA if not already enabled
- Review active sessions and revoke any suspicious ones
- Contact support@cothon.ca to report the incident
Role-Based Access Control (RBAC)
Cothon organizations use role-based access control to manage permissions for team members.
Organization Roles
Every organization member has one of four roles:
| Role | Permissions | Use Case |
|---|---|---|
| Owner | Full access including organization deletion, billing, and member management | Organization founder or executive sponsor |
| Admin | All access except organization deletion and billing changes | IT administrators, procurement managers |
| Member | Can create/edit/delete bid analyses and proposals, view organization data | Bid coordinators, proposal writers |
| Viewer | Read-only access to bid analyses and proposals; cannot create or edit | Executives, stakeholders, review committees |
Detailed Permissions Matrix
| Capability | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Bid Analyses | ||||
| View analyses | ✓ | ✓ | ✓ | ✓ |
| Create analyses | ✓ | ✓ | ✓ | ✗ |
| Edit own analyses | ✓ | ✓ | ✓ | ✗ |
| Edit others' analyses | ✓ | ✓ | ✓ | ✗ |
| Delete analyses | ✓ | ✓ | ✓ | ✗ |
| Share analyses externally | ✓ | ✓ | ✓ | ✗ |
| Proposals | ||||
| View proposals | ✓ | ✓ | ✓ | ✓ |
| Generate proposals | ✓ | ✓ | ✓ | ✗ |
| Edit proposals | ✓ | ✓ | ✓ | ✗ |
| Export proposals | ✓ | ✓ | ✓ | ✓ |
| Opportunities | ||||
| Browse opportunities | ✓ | ✓ | ✓ | ✓ |
| Save opportunities | ✓ | ✓ | ✓ | ✗ |
| Analyze opportunities | ✓ | ✓ | ✓ | ✗ |
| Settings | ||||
| Update company profile | ✓ | ✓ | ✗ | ✗ |
| Manage capabilities | ✓ | ✓ | ✗ | ✗ |
| Configure AI settings | ✓ | ✓ | ✗ | ✗ |
| Manage flagged terms | ✓ | ✓ | ✓ | ✗ |
| Team Management | ||||
| Invite members | ✓ | ✓ | ✗ | ✗ |
| Remove members | ✓ | ✓ | ✗ | ✗ |
| Change member roles | ✓ | ✓ | ✗ | ✗ |
| View audit logs | ✓ | ✓ | ✗ | ✗ |
| Billing & Subscription | ||||
| View billing information | ✓ | ✗ | ✗ | ✗ |
| Update payment methods | ✓ | ✗ | ✗ | ✗ |
| Change subscription plan | ✓ | ✗ | ✗ | ✗ |
| Cancel subscription | ✓ | ✗ | ✗ | ✗ |
| Organization | ||||
| Update organization settings | ✓ | ✓ | ✗ | ✗ |
| Delete organization | ✓ | ✗ | ✗ | ✗ |
| Configure SSO | ✓ | ✓ | ✗ | ✗ |
| Manage API tokens | ✓ | ✓ | ✗ | ✗ |
Managing Team Members
Organization Owners and Admins can manage team members at Settings → Organization → Team Members.
Note
Multi-Organization Membership: Users can belong to multiple organizations (e.g., if you're a consultant working with multiple clients). Switch between organizations using the organization selector in the top navigation bar. Your role may differ across organizations.
Access Logs & Audit Trails
Organization Admins and Owners can review comprehensive audit logs at Settings → Security → Audit Logs.
What's Logged
Cothon logs all security-relevant events:
| Event Category | Specific Events | Retention |
|---|---|---|
| Authentication | Login (success/failure), logout, password change, password reset, 2FA enable/disable | 2 years |
| Authorization | Role changes, permission grants, API token creation/revocation | 2 years |
| Data Access | Bid analysis views, proposal exports, document downloads | 1 year |
| Data Modification | Create/edit/delete analyses, create/edit proposals, settings changes | 1 year |
| Team Management | Member invitations, member removals, role changes | 3 years |
| Organization | Settings changes, SSO configuration, API token management | 3 years |
Each log entry includes:
```json
{
  "timestamp": "2026-03-30T14:23:45.123Z",
  "event_type": "bid_analysis.viewed",
  "actor": {
    "user_id": "usr_abc123",
    "email": "jane.smith@acmecorp.com",
    "name": "Jane Smith",
    "role": "Member"
  },
  "target": {
    "type": "bid_analysis",
    "id": "analysis_xyz789",
    "name": "City of Vancouver - Fleet Management RFP"
  },
  "metadata": {
    "ip_address": "192.0.2.45",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
    "location": "Vancouver, BC, Canada"
  },
  "result": "success"
}
```
Searching Audit Logs
Use filters to find specific events:
Success
Compliance Reporting: Audit logs support compliance with government procurement regulations requiring documentation of access to sensitive bid information. Many public sector RFPs require bidders to demonstrate who accessed proposal data and when.
Cothon's audit logs provide complete traceability for compliance audits and security investigations.
Anomaly Detection
Cothon automatically flags suspicious patterns in audit logs:
| Anomaly Type | Description | Action |
|---|---|---|
| Unusual Location | Login from country where user has never logged in before | Email alert to user + admin |
| Bulk Export | Downloading >50 bid analyses in <1 hour | Email alert to admin |
| Rapid Permission Changes | Multiple role changes within 5 minutes | Email alert to admin |
| Failed Login Spike | >5 failed logins within 10 minutes | Account temporarily locked, email alert |
| Off-Hours Access | Data access outside typical working hours (for enterprise accounts) | Logged for review (configurable alerting) |
Admins receive weekly security summaries highlighting flagged events for review.
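An added example (not part of Cothon's product) of the detection rules in the table above, run over constructed audit entries in the JSON shape shown earlier. The event names `auth.login`, `bid_analysis.exported` and `member.role_changed` are assumptions, as is reading "multiple" role changes as more than one.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the anomaly table above; event names other than "bid_analysis.viewed" are assumed.
RULES = {  # rule: (event_type, result, window, flag when count exceeds)
    "failed_login_spike": ("auth.login", "failure", timedelta(minutes=10), 5),
    "bulk_export": ("bid_analysis.exported", "success", timedelta(hours=1), 50),
    "rapid_permission_changes": ("member.role_changed", "success", timedelta(minutes=5), 1),
}

def burst_actors(events, event_type, result, window, threshold):
    """user_ids with more than `threshold` matching events inside one sliding `window`."""
    flagged, recent = set(), defaultdict(deque)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["event_type"] != event_type or e["result"] != result:
            continue
        uid, t = e["actor"]["user_id"], datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        recent[uid].append(t)
        while t - recent[uid][0] > window:   # drop events that fell out of the window
            recent[uid].popleft()
        if len(recent[uid]) > threshold:
            flagged.add(uid)
    return flagged
def unusual_logins(events):
    """(user_id, country) for each successful login from a country not seen for that user before."""
    seen, flagged = defaultdict(set), []
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["event_type"] != "auth.login" or e["result"] != "success":
            continue
        uid = e["actor"]["user_id"]
        country = e["metadata"]["location"].rsplit(",", 1)[-1].strip()
        if seen[uid] and country not in seen[uid]:
            flagged.append((uid, country))
        seen[uid].add(country)
    return flagged
def detect(events):
    report = {name: burst_actors(events, *rule) for name, rule in RULES.items()}
    report["unusual_location"] = unusual_logins(events)
    return report
def entry(minute, event_type, uid, result="success", location="Vancouver, BC, Canada"):
    # Constructed entry in the JSON shape shown above; fields this example does not use are omitted.
    ts = (datetime(2026, 3, 30, 13, 0) + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"timestamp": ts, "event_type": event_type, "result": result,
            "actor": {"user_id": uid}, "metadata": {"location": location}}

SAMPLE = ([entry(0, "auth.login", "usr_abc123")]   # constructed sample log, 13:00 onward
          + [entry(60 + i, "auth.login", "usr_abc123", "failure") for i in range(6)]
          + [entry(120, "auth.login", "usr_abc123", location="Berlin, Germany")]
          + [entry(130 + i, "bid_analysis.exported", "usr_abc123") for i in range(51)]
          + [entry(200 + 2 * i, "member.role_changed", "usr_adm001") for i in range(2)])
```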
Security Best Practices
For Individual Users
For Organizations
Frequently Asked Questions
Additional Resources
- API Security - Secure API integration and webhook authentication
- Data Privacy - PIPEDA compliance and privacy practices
- Security Overview - Comprehensive security architecture documentation
- Account Setup - Initial account configuration guide
Need Help?
- Security questions: your usual support channel
- Technical support: support@cothon.ca
- Enterprise SSO setup: your usual support channel
Last Updated: March 30, 2026