
Authentication & Security Guide

Learn about login methods, security features, and best practices for account protection. Covers magic links, passwords, and data security.

Overview

Roomazon uses modern authentication methods to keep your property data secure while making login convenient. This guide covers all authentication options, security features, and best practices.

Login Methods

Magic Link Authentication (Recommended)

The most secure and convenient way to access Roomazon:

How it works:

  1. Enter your email address
  2. Click “Send Magic Link”
  3. Check your email (arrives within 30 seconds)
  4. Click the secure link in the email
  5. You are logged in automatically

Benefits:

  • No passwords to remember
  • Immune to password attacks
  • Works across all devices
  • Automatically expires after use
  • Phishing resistant

Security features:

  • Links expire after 15 minutes
  • One-time use only
  • Cryptographically signed
  • IP address verification
  • Device fingerprinting
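The three properties listed above for a magic link (cryptographically signed, expires after 15 minutes, valid for one use only) can be shown in a small token service. The following is an added example, not Roomazon's code; the token format, the HMAC-SHA256 signing scheme and the in-memory used-nonce set are assumptions, and the email address and key are constructed test values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple

# The page states a 15-minute lifetime; the rest of the token design below is assumed.
LINK_TTL_SECONDS = 15 * 60


@dataclass
class MagicLinkService:
    secret_key: bytes                                   # server-side signing key (assumed HMAC-SHA256)
    used_nonces: Set[str] = field(default_factory=set)  # enforces one-time use (assumed storage)
    clock: Callable[[], float] = time.time              # injectable clock so expiry can be tested

    def issue(self, email: str) -> str:
        """Return a signed token 'email|expires|nonce|signature' for the given address."""
        nonce = secrets.token_urlsafe(16)               # random per-link id
        expires = int(self.clock()) + LINK_TTL_SECONDS
        payload = f"{email}|{expires}|{nonce}"
        sig = hmac.new(self.secret_key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{sig}"

    def redeem(self, token: str) -> Tuple[bool, str]:
        """Check signature, then expiry, then single use. Returns (ok, email_or_reason)."""
        parts = token.rsplit("|", 3)                    # rsplit keeps any '|' inside the email intact
        if len(parts) != 4:
            return False, "malformed"
        email, expires_s, nonce, sig = parts
        payload = f"{email}|{expires_s}|{nonce}"
        expected = hmac.new(self.secret_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):      # constant-time comparison, checked first
            return False, "bad signature"
        if int(self.clock()) > int(expires_s):
            return False, "expired"
        if nonce in self.used_nonces:
            return False, "already used"
        self.used_nonces.add(nonce)                     # burn the link before logging the user in
        return True, email


if __name__ == "__main__":
    svc = MagicLinkService(secret_key=b"constructed-test-key")
    token = svc.issue("alice@example.com")              # constructed address
    print(svc.redeem(token))                             # first click succeeds
    print(svc.redeem(token))                             # second click is rejected
```

Signature verification runs before the expiry and reuse checks so that a tampered token never reaches the state that records nonces, and the burned-nonce set is what turns "expires after use" from a promise into a check.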

Password Authentication

Traditional login method:

Requirements:

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • Special characters recommended

Security features:

  • Bcrypt password hashing
  • Account lockout after failed attempts
  • Password breach detection
  • Two-factor authentication (coming soon)

Multi-Tenancy Security

Data Isolation

Roomazon uses scope-based multi-tenancy:

  • Landlords see only their properties and tenants
  • Tenants see only their own information
  • No cross-tenant data access: technically impossible by design
  • Database-level isolation with user scoping
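"User scoping at the database level" means every query carries the caller's landlord or tenant id, so a record that belongs to someone else cannot be fetched even when its id is known. The following added example illustrates that pattern with an in-memory SQLite database; it is not Roomazon's schema or code, and the tables, ids and addresses are constructed sample data.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample schema and rows (not Roomazon's real data model): two landlords,
# each with one property and one tenant, so cross-tenant lookups can be demonstrated.
SCHEMA = """
CREATE TABLE properties (
    id INTEGER PRIMARY KEY, landlord_id INTEGER NOT NULL, address TEXT NOT NULL);
CREATE TABLE tenants (
    id INTEGER PRIMARY KEY, landlord_id INTEGER NOT NULL,
    property_id INTEGER NOT NULL, name TEXT NOT NULL, rent_balance INTEGER NOT NULL);
"""
PROPERTIES = [(101, 1, "12 Elm St"), (201, 2, "9 Oak Ave")]
TENANTS = [(1001, 1, 101, "Tenant A", 0), (2001, 2, 201, "Tenant B", 250)]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO properties VALUES (?, ?, ?)", PROPERTIES)
    conn.executemany("INSERT INTO tenants VALUES (?, ?, ?, ?, ?)", TENANTS)
    return conn


def unscoped_property(conn: sqlite3.Connection, property_id: int) -> Optional[Tuple]:
    """The lookup scoping is meant to rule out: filters by id alone, so any caller who
    knows or guesses an id receives the row regardless of which landlord owns it."""
    return conn.execute(
        "SELECT id, address FROM properties WHERE id = ?", (property_id,)).fetchone()


class LandlordScope:
    """All reads go through this object, which injects the landlord id into every WHERE
    clause. Code that only holds a LandlordScope has no way to issue an unscoped query."""

    def __init__(self, conn: sqlite3.Connection, landlord_id: int):
        self._conn = conn
        self._landlord_id = landlord_id

    def properties(self) -> List[Tuple]:
        return self._conn.execute(
            "SELECT id, address FROM properties WHERE landlord_id = ?",
            (self._landlord_id,)).fetchall()

    def property(self, property_id: int) -> Optional[Tuple]:
        # Another landlord's id simply yields None, the same result as a nonexistent id,
        # so the scoped path does not even confirm that the record exists.
        return self._conn.execute(
            "SELECT id, address FROM properties WHERE id = ? AND landlord_id = ?",
            (property_id, self._landlord_id)).fetchone()

    def tenants(self) -> List[Tuple]:
        return self._conn.execute(
            "SELECT id, name, rent_balance FROM tenants WHERE landlord_id = ?",
            (self._landlord_id,)).fetchall()


class TenantScope:
    """A tenant session exposes only its own row and read-only details of its own property;
    there is no method that takes another tenant's id at all."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: int):
        self._conn = conn
        self._tenant_id = tenant_id

    def profile(self) -> Optional[Tuple]:
        return self._conn.execute(
            "SELECT id, name, rent_balance FROM tenants WHERE id = ?",
            (self._tenant_id,)).fetchone()

    def property(self) -> Optional[Tuple]:
        return self._conn.execute(
            "SELECT p.id, p.address FROM properties p "
            "JOIN tenants t ON t.property_id = p.id WHERE t.id = ?",
            (self._tenant_id,)).fetchone()


if __name__ == "__main__":
    db = open_sample_db()
    print(unscoped_property(db, 201))      # returns landlord 2's property to anyone
    print(LandlordScope(db, 1).property(201))  # None: landlord 1 cannot reach it
    print(TenantScope(db, 2001).profile())     # tenant sees only its own row
```

The contrast between `unscoped_property` and `LandlordScope.property` is the whole point: the scoped version does not check ownership after the fact, it never asks the database for anything outside the caller's scope.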

Session Management

  • Exclusive sessions: Landlord and tenant sessions are mutually exclusive
  • Session timeout: Automatic logout after inactivity
  • Device limits: Maximum of 5 concurrent sessions
  • Secure cookies: HTTPOnly and Secure flags
  • CSRF protection: Built-in request forgery protection

Role-Based Access

Different user types have different permissions:

Landlords:

  • Full property management
  • Tenant data access
  • Financial reports
  • System configuration
  • Payment processing

Tenants:

  • Own profile only
  • Property information (read-only)
  • Maintenance requests
  • Payment history
  • Document downloads

Account Security Features

Remember Me

  • 14-day persistent login
  • Secure signed cookies
  • Automatic session refresh
  • Revocable at any time
  • Device-specific

Account Lockout

Protection against brute force:

  • 5 failed attempts = 15-minute lockout
  • 10 failed attempts = 1-hour lockout
  • 15 failed attempts = 24-hour lockout
  • Email notification on lockout
  • Admin can manually unlock
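The password requirements listed under Password Authentication (minimum 8 characters, one uppercase, one lowercase, one number; special characters recommended but not required) and the escalating lockout schedule above (5 failures for 15 minutes, 10 for 1 hour, 15 for 24 hours) are both simple policies that are easy to get subtly wrong. The following added example implements both; it is not Roomazon's code. The reset-on-success behaviour, the re-lock on every failure past a threshold, and the in-memory counters are assumptions the page does not state, and the account names are constructed.

```python
import re
import time
from typing import Callable, Dict, List

# Requirements as listed on the page; special characters are recommended only, so they
# are not enforced here.
def check_password_policy(password: str) -> List[str]:
    """Return the unmet requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("minimum 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("at least one uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("at least one lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("at least one number")
    return problems


# Escalating schedule from the page, highest threshold first so the first match wins.
LOCKOUT_SCHEDULE = [(15, 24 * 3600), (10, 3600), (5, 15 * 60)]   # (failures, seconds)


def lockout_seconds(failed_attempts: int) -> int:
    """Lockout length for a given running failure count (0 means not locked)."""
    for threshold, seconds in LOCKOUT_SCHEDULE:
        if failed_attempts >= threshold:
            return seconds
    return 0


class LoginThrottle:
    """Per-account failure counter that applies the schedule above.
    Assumptions: the counter resets on a successful login, every failure at or past a
    threshold (re)locks the account, and lockouts are recorded as 'notifications' standing
    in for the page's email notification."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.failed: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        self.notifications: List[str] = []
        self.clock = clock

    def is_locked(self, account: str) -> bool:
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account: str) -> int:
        """Record a failed attempt and return the lockout applied (seconds, 0 if none)."""
        self.failed[account] = self.failed.get(account, 0) + 1
        seconds = lockout_seconds(self.failed[account])
        if seconds:
            self.locked_until[account] = self.clock() + seconds
            self.notifications.append(f"{account} locked for {seconds}s")
        return seconds

    def record_success(self, account: str) -> None:
        self.failed.pop(account, None)
        self.locked_until.pop(account, None)

    def admin_unlock(self, account: str) -> None:
        """Manual unlock clears the lock but keeps the count, so the escalation continues
        if the attacker simply resumes."""
        self.locked_until.pop(account, None)


if __name__ == "__main__":
    print(check_password_policy("password"))   # uppercase and number missing
    throttle = LoginThrottle()
    for _ in range(5):
        throttle.record_failure("alice")       # constructed account name
    print(throttle.is_locked("alice"), throttle.notifications)
```

Note that `lockout_seconds` uses `>=` rather than `==`: a 6th failure after the first lockout expires re-locks for another 15 minutes instead of giving the attacker four free tries before the next threshold.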

Password Security

  • Passwords hashed with bcrypt
  • Cost factor: 12 (industry standard)
  • Salt included in hash
  • Never stored in plain text
  • Secure password reset flow

Email Verification

  • Required for new accounts
  • Verification links expire in 24 hours
  • Multiple verification attempts allowed
  • Automatic cleanup of unverified accounts

Two-Factor Authentication (Coming Soon)

Supported Methods

  • SMS text messages
  • Authenticator apps (Google, Authy)
  • Email-based verification
  • Hardware security keys

Setup Process

  1. Enable in account settings
  2. Choose preferred method
  3. Verify setup with test code
  4. Generate backup codes
  5. Once enabled, a second factor is required for sensitive actions

Data Security

Encryption

  • In transit: encrypted connections (HTTPS)
  • At rest: Military-grade database encryption
  • Backups: Encrypted backup storage
  • Files: Encrypted document storage

Privacy Protection

  • Minimal data collection
  • No data selling
  • Privacy law compliant
  • Right to data deletion
  • Data portability

Infrastructure Security

  • Hosting: SOC 2 compliant providers
  • Monitoring: 24/7 security monitoring
  • Updates: Automatic security patches
  • Backups: Daily encrypted backups
  • Recovery: Tested disaster recovery

Best Practices for Users

Account Security

  1. Use Magic Links when possible
  2. Use a strong password if you use password login
  3. Use a unique password; don’t reuse passwords from other sites
  4. Review your account activity regularly
  5. Log out when using shared devices

Email Security

  • Use a secure email provider
  • Enable email two-factor authentication
  • Don’t share magic links
  • Verify sender before clicking links
  • Report suspicious emails

Device Security

  • Keep devices updated
  • Use device locks (PIN, biometric)
  • Don’t save passwords in browsers
  • Log out of shared computers
  • Monitor for unauthorized access

Network Security

  • Avoid public WiFi for sensitive operations
  • Use VPN when on untrusted networks
  • Verify you’re on roomazon.com
  • Look for HTTPS lock icon
  • Bookmark the real login page

Common Security Questions

Q: How secure are magic links?

A: Very secure. They’re cryptographically signed, expire quickly, work only once, and are tied to your email account which has its own security.

Q: Can tenants see other tenant information?

A: No. Our multi-tenant architecture makes it technically impossible for tenants to access other tenant data.

Q: What if I lose access to my email?

A: Contact support with verification information. We can help recover your account through alternative verification.

Q: How often should I change my password?

A: Only when compromised. Strong, unique passwords don’t need regular changing.

Q: Can I share my account with others?

A: No. Each person should have their own account with appropriate permissions.

Security Incident Response

If You Suspect Unauthorized Access

  1. Change password immediately
  2. Log out all sessions
  3. Review recent activity
  4. Contact support
  5. Monitor bank/credit accounts

Reporting Security Issues

  • Email: security@roomazon.com
  • Include: Description, time, device info
  • Response: Within 24 hours
  • Updates: Regular progress reports

What We Monitor

  • Failed login attempts
  • Unusual access patterns
  • IP address changes
  • Device fingerprint changes
  • Suspicious email activity

Compliance & Certifications

Standards We Follow

  • Security audits (in progress)
  • Privacy law compliance
  • California privacy compliance
  • Security best practices
  • Payment security standards

Regular Security Practices

  • Quarterly penetration testing
  • Annual security audits
  • Continuous monitoring
  • Incident response drills
  • Staff security training

Third-Party Security

  • Background checks for all staff
  • Vendor security assessments
  • Regular security reviews
  • Compliance monitoring
  • Audit trail maintenance

Advanced Security Features

Session Security

  • Secure login sessions
  • Automatic logout for security
  • Protection against hijacking
  • Regular cleanup of old sessions

Data Security

  • Encrypted connections
  • Secure data storage
  • Access monitoring
  • Regular security audits

Troubleshooting

Can’t Receive Magic Links

  1. Check spam/junk folder
  2. Add noreply@roomazon.com to contacts
  3. Try a different email client
  4. Contact your email provider
  5. Use password login temporarily

Account Locked

  • Wait for automatic unlock
  • Use password reset if available
  • Contact support for manual unlock
  • Review login attempts
  • Secure your account

Suspicious Activity

  1. Change password immediately
  2. Review all account activity
  3. Check email forwarding rules
  4. Scan devices for malware
  5. Contact support

Last updated: January 2025