Security

Change your password, set an auto-logout idle timeout, enable TOTP two-factor authentication, and manage backup codes.

Security groups everything authentication-related: password, session behavior, and two-factor auth. Four cards in the layout, from simplest to most involved.

Auto-logout (idle timeout)

The Auto-Logout card sets how long your session can stay idle before Fabrik signs you out. Options: Never, 15 min, 30 min, 1h, 2h, 4h, 8h.

Picking an option saves immediately — there's no confirm button. The next page load picks up the new timeout; idle time is tracked in the browser and the tab logs you out when the threshold is crossed.

"Idle" means no mouse, keyboard, or network activity from the app. A browser tab left open but untouched counts as idle. An API poll from a background tab does not reset idle — the interaction has to be user-driven.

Idle timeout is a client-side convenience, not a server-side security boundary. The JWT tokens have their own lifetimes (15 min access, 7 day refresh) enforced by the backend regardless of the idle setting. Set idle timeout for "I forgot to lock my screen" safety; trust the token lifetimes for real security.

Change password

Enter your current password, the new password twice, and submit.

Rules enforced by the UI:

  • New password at least 8 characters.
  • New password and confirmation must match.

The backend enforces any additional rules (complexity, password history) configured at the deployment level; violations return as error toasts.

When the password changes, every existing session for your account is invalidated. You stay logged in on the current tab because the change is initiated there; other tabs or devices will drop to the login screen on their next request.

On LDAP

If your account authenticates through LDAP, this card is replaced by a short note: "Your password is managed by your LDAP directory. Contact your system administrator to change your password." Fabrik doesn't proxy password changes back into LDAP — that would require write credentials to the directory, which most deployments don't grant.

Two-factor authentication (TOTP)

The TOTP card handles the full lifecycle: enable, verify, manage backup codes, disable.

Enabling MFA

Click Enable Two-Factor Authentication. The backend generates a TOTP secret and returns it as both a QR code and a plain-text base32 string.

Scan the QR code with your authenticator app — Google Authenticator, Authy, 1Password, Bitwarden, whatever you use. If you can't scan (no camera, desktop-only authenticator), copy the manual entry key into the app.

Your app now shows a rotating 6-digit code. Enter the current code in the Verification code field. The UI strips non-digits and caps at 6 characters — you can't submit a malformed code.

Click Verify & Enable. The backend validates the code against the secret. On success, MFA is on and you advance to the backup codes step.

Save the backup codes. Eight single-use codes are displayed once and never shown again. Copy them to a password manager, print them, stash them somewhere you can reach without Fabrik. Each code replaces a TOTP code exactly once.

If you lose your phone with no backup codes, the only way back in is to ask an admin to Disable MFA on your account. That's a legitimate recovery path, but it's logged in the audit trail and requires out-of-band identity verification by the admin. Backup codes are much less painful.

From your next login, you'll be prompted for a TOTP code after entering your password.
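
The verification step above (scan the base32 secret, app shows a rotating 6-digit code, backend checks it) is plain RFC 4226 HOTP / RFC 6238 TOTP. The following is an added illustration, not Fabrik's own code: a standard-library-only implementation of that check, including the UI's "strip non-digits, cap at 6" rule. The function names, the 30-second step, the one-step skew window and the 20-byte secret length are this example's assumptions, not documented Fabrik behaviour.

```python
# Added example (not Fabrik's code): RFC 4226 HOTP / RFC 6238 TOTP with the
# standard library only, plus the UI's "strip non-digits, cap at 6" rule.
# Function names, STEP, WINDOW and the secret length are this example's own.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6      # code length shown by the authenticator app
STEP = 30       # seconds per TOTP period (RFC 6238 default)
WINDOW = 1      # accept codes from one period before/after "now" (clock skew)


def generate_secret(nbytes: int = 20) -> str:
    """Random base32 secret: this string is the "manual entry key" and the
    payload of the otpauth:// QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then modulo 10**DIGITS, zero-padded."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)            # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // STEP)


def normalize_code(raw: str) -> str:
    """Mirror the UI rule: keep digits only and cap at DIGITS characters."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits[:DIGITS]


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None) -> bool:
    """Server-side check behind "Verify & Enable" and the MFA login prompt.
    A wrong-length code is rejected before the secret is touched; each
    candidate is compared in constant time across the skew window."""
    code = normalize_code(submitted)
    if len(code) != DIGITS:
        return False
    now = int(time.time()) if at is None else at
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), code)
        for delta in range(-WINDOW, WINDOW + 1)
    )


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890") in base32
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, 59))                        # 287082
    print(verify_totp(rfc_secret, "28 70 82", at=59))  # True
```

The RFC 6238 test vectors give 8-digit codes; the 6-digit value is the last six digits of those, which is what the `__main__` block prints. The skew window is why a code that was valid 30 seconds ago still works, and why one from two minutes ago does not: a drifted phone clock is tolerated, a replayed old code is not.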

When MFA is already on

The card shows:

  • A green "MFA is active" banner with the count of remaining backup codes.
  • A yellow warning if you have ≤2 backup codes remaining, prompting you to regenerate before you run out.
  • Two buttons: Regenerate Backup Codes and Disable MFA.

Regenerating backup codes

Click Regenerate Backup Codes, enter your password in the prompt, and a fresh set of eight codes appears. The old codes are invalidated immediately — there's no overlap period.

Regenerate whenever:

  • Your backup code count is low.
  • You suspect a backup code may have leaked.
  • You've used one or more codes and want to get back to a full eight.
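
The backup-code rules stated on this page (eight codes shown once, each replacing a TOTP code exactly once, the ≤2 warning, regeneration invalidating the old set with no overlap, deletion on disable) map onto a small server-side store. The following is an added example, not Fabrik's code: the code format (10 hex characters), the salted PBKDF2 storage, and the class and method names are this example's own assumptions.

```python
# Added example (not Fabrik's code): one user's backup codes as a backend
# might keep them. Codes are issued in plaintext exactly once and stored
# only as salted hashes; a match deletes the hash, so a code is single-use;
# regenerate() replaces the whole set in one step, so there is no overlap.
# The 10-hex-character format and all names here are this example's own.
import hashlib
import hmac
import secrets
from typing import List

BACKUP_CODE_COUNT = 8
LOW_WATER_MARK = 2            # the card's "<=2 remaining" warning threshold
PBKDF2_ROUNDS = 50_000        # slow hash: a database dump must not yield usable codes


def canonical(code: str) -> str:
    """Be forgiving about what the user typed: whitespace, dashes, case."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


class BackupCodeStore:
    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)   # per-user salt
        self._hashes: List[bytes] = []

    def _fingerprint(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"),
                                   self._salt, PBKDF2_ROUNDS)

    def regenerate(self) -> List[str]:
        """Issue a fresh set. The plaintext list is returned once and never
        kept; the previous hashes are dropped in the same assignment."""
        plain = [secrets.token_hex(5) for _ in range(BACKUP_CODE_COUNT)]  # 10 hex chars each
        self._hashes = [self._fingerprint(c) for c in plain]
        return plain

    def consume(self, submitted: str) -> bool:
        """Accept a code in place of a TOTP code. A match deletes that hash so
        the code cannot be replayed; no match leaves the store untouched."""
        candidate = self._fingerprint(canonical(submitted))
        for index, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, candidate):
                del self._hashes[index]
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)

    def needs_regeneration(self) -> bool:
        """Drives the yellow warning on the MFA card."""
        return self.remaining() <= LOW_WATER_MARK

    def disable(self) -> None:
        """Disabling MFA deletes the codes along with the TOTP secret."""
        self._hashes = []


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.regenerate()
    print(store.consume(codes[0]), store.consume(codes[0]))   # True False
    print(store.remaining())                                  # 7
```

Two details worth noticing: `consume()` hashes the submitted value once and compares against every stored hash with `hmac.compare_digest`, and `regenerate()` never reads the old list, which is exactly why there is no overlap period. The password prompt that precedes regeneration and disable in the UI would sit in the calling request handler, not in this store.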

Disabling MFA

To turn MFA off:

  1. Expand the disable form below the main MFA card.
  2. Enter your current password.
  3. Click Confirm Disable.

The TOTP secret and remaining backup codes are deleted. Your next login is password-only again. If you want MFA back later, enroll from scratch — the previous secret isn't kept.

Disabling MFA is logged in the audit trail as a self-initiated action, separate from admin-initiated mfa_disabled_by_admin.

Session info

The bottom card is read-only context about how sessions work:

  • JWT access tokens expire every 15 minutes and refresh automatically in the background as long as you're active.
  • Refresh tokens expire after 7 days. Past that, you need to log in again — no amount of tab-switching keeps you signed in beyond a week.
  • Password changes invalidate every session. Change your password and every open tab drops to login.

These numbers are defaults. Deployment-level settings can tighten them further (nothing currently extends them). If your tokens feel short, that's a server policy question, not a setting you control here.

Recovery paths

If you're locked out, in order of preference:

  1. Use a backup code. If you still have any unused codes, enter one on the login screen in place of the TOTP code.
  2. Ask an admin to disable MFA. They'll verify your identity out-of-band, then turn MFA off for your account. You log in with just your password and re-enroll.
  3. Ask an admin for a reset code. If you've also forgotten your password, they can generate a one-time 8-character code that lets you reset the password without email.
  4. Password reset via email. If email delivery works, the standard "Forgot password?" flow sends a reset link.

Keep the first option ready — it's by far the fastest and doesn't involve another person.