Skip to main content

Authentication and Security

Overview

Nquiry implements enterprise-grade authentication based on FedRAMP and NIST standards. The system supports multiple authentication factors and session management to protect sensitive investigation data.

Account Creation

Sign Up Process

  1. Enter email address
  2. Create password (must meet security requirements)
  3. Receive confirmation email
  4. Click link to verify email
  5. Account activated

Password Requirements

Based on NIST SP 800-63B guidelines:

RequirementDetails
Minimum length8 characters
Maximum length64 characters (no arbitrary limit)
Character typesAll Unicode characters allowed
Complexity rulesNone (NIST recommends against)
Breached passwordsBlocked (checked against known breaches)

Why no complexity rules? NIST research shows complexity requirements lead to predictable patterns ("Password1!"). Length and breach-checking provide better security.

Login Options

Standard Login (Email + Password)

  1. Enter email and password
  2. Complete MFA challenge (if enabled)
  3. Session created

Biometric/Passkey Login (WebAuthn)

For registered security keys or biometric devices:

  1. Click "Sign in with security key"
  2. Authenticate with device (fingerprint, face, hardware key)
  3. Session created

Supported authenticators:

  • Touch ID / Face ID (Apple devices)
  • Windows Hello
  • Hardware security keys (YubiKey, etc.)
  • Android biometrics

Multi-Factor Authentication (MFA)

TOTP Authenticator Apps

Set up time-based one-time passwords:

  1. Go to Settings → Account
  2. Click "Enable MFA"
  3. Scan QR code with authenticator app
  4. Enter verification code
  5. Save backup codes

Supported apps:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password
  • Any TOTP-compatible app

Security Keys (WebAuthn)

Register hardware or platform authenticators:

  1. Go to Settings → Account
  2. Click "Add Security Key"
  3. Follow browser prompts
  4. Name your key
  5. Key registered

Benefits:

  • Phishing-resistant
  • No codes to enter
  • Fast authentication

Session Management

Session Duration

SettingValue
Session lifetime24 hours
Idle timeout30 minutes
Token refreshAutomatic

Session Security

  • Sessions bound to browser fingerprint
  • Concurrent sessions allowed
  • Force logout available in settings
  • All sessions cleared on password change

Security Information Page

After login, users see a security information page showing:

  • Last login time and location
  • Failed login attempts (if any)
  • MFA status
  • Security recommendations

Password Recovery

Forgot Password Flow

  1. Click "Forgot password?" on login page
  2. Enter email address
  3. Receive reset link (expires in 1 hour)
  4. Click link, enter new password
  5. All existing sessions invalidated

If MFA Is Enabled

Password reset also requires MFA verification to prevent unauthorized account recovery.

Account Security Features

Account Deletion

Users can delete their own account:

  1. Go to Settings → Account
  2. Click "Delete Account"
  3. Type confirmation phrase
  4. All data permanently deleted

Data Export

Before deletion, users can export their data:

  • All investigations
  • Evidence and attachments
  • Analyses and reports
  • Available in Settings → Account

Security Best Practices

For Users

  1. Use a strong, unique password - Consider a passphrase
  2. Enable MFA - Use authenticator app or security key
  3. Add a security key - Phishing-resistant authentication
  4. Review login activity - Check the security page after login
  5. Log out on shared devices - Don't stay logged in on public computers

For Administrators

  1. Require MFA - (Enterprise feature, coming post-launch)
  2. Review audit logs - Monitor for suspicious activity
  3. Remove departed users promptly - Prevent unauthorized access
  4. Use role-based access - Principle of least privilege

Audit Logging

All authentication events are logged:

EventDetails Captured
Login attemptSuccess/failure, IP, user agent, timestamp
MFA challengeMethod used, success/failure
Password changeTimestamp, IP address
Password resetRequested, completed
MFA enrollmentMethod type, device info
Session logoutManual or timeout
Account deletionTimestamp, deletion status

Compliance

FedRAMP Alignment

Nquiry authentication meets FedRAMP Moderate controls:

  • AC-2: Account Management
  • AC-7: Unsuccessful Login Attempts
  • IA-2: Identification and Authentication
  • IA-5: Authenticator Management
  • IA-11: Re-authentication

HIPAA Technical Safeguards

  • Unique user identification (§164.312(a)(2)(i))
  • Automatic logoff (§164.312(a)(2)(iii))
  • Authentication (§164.312(d))
  • Audit controls (§164.312(b))

Troubleshooting

Can't Log In

  • Check email spelling
  • Verify Caps Lock is off
  • Try password reset
  • Check if account is locked (5 failed attempts)

MFA Code Not Working

  • Verify time is synced on your phone
  • Use backup codes if available
  • Contact administrator if locked out

Security Key Not Recognized

  • Try removing and re-inserting
  • Ensure browser supports WebAuthn
  • Try a different browser
  • Re-register the key if needed

Security Fixes Log

DateFixIssue
2026-03-15Path traversal protection added to storage view/upload routes — rejects .. segmentsNQU-391
2026-03-15SVG/HTML inline rendering disabled in storage view to prevent stored XSSNQU-392
2026-03-15Ownership transfer wrapped in database transaction to prevent race conditionsNQU-393
2026-03-15Rerank client timeout added (AbortController, 15-30s per attempt)NQU-395