Account protection: secure login & password policy

User account security is a priority. Several measures have been put in place to protect access to your account and prevent unauthorized logins.

Protection against suspicious login attempts

The system detects abnormal behavior during login. When a certain number of failed attempts are detected within a short period of time, protective measures may be applied automatically, such as:

• Requesting a password reset
• Temporarily restricting access

These measures help block unauthorized access while ensuring legitimate users can continue to access their accounts. Protections are continuously improved following industry best practices.

Strengthened password policy

To enhance account security, all passwords must meet the following requirements:

• Minimum 12 characters and maximum 128 characters
• Must contain at least one uppercase letter
• Must contain at least one lowercase letter
• Must contain at least one number
• Must contain at least one special character

A password may not contain:

• The username
• The associated email address (neither the part before nor after the @, even partially)
• The company name

Note: Checks for these restricted elements are case-insensitive.

The password must achieve a minimum score of 3/5 on a complexity scale (Very Weak, Weak, Medium, Good, Excellent).
Any password rated Very Weak or Weak cannot be used.

Compromised password detection

When creating or updating a password, it is checked against a public database of compromised passwords. If the password appears in this database, a warning will prompt the user to choose a more secure alternative.

Visual password creation assistance

A visual indicator is displayed to help users choose a password that complies with the policy in effect.

Mandatory Two-Factor Authentication (2FA)

By default, all platform users must have at least one active 2FA method.
When a new user is invited, email-based 2FA is automatically enabled. The user may also add a method using an authenticator app (e.g., Google Authenticator, Microsoft Authenticator).

If the app method is activated, the email method may be disabled, but at least one 2FA method must always remain active.

Two-factor authentication adds an extra layer of security by requiring a temporary code in addition to the password. This code is generated either by email or by an authentication app.

By default, 2FA is required at every login, unless the user is connecting from a trusted device. A trusted device remains recognized for a maximum of 30 days.

The number of attempts to enter a 2FA code is also limited to prevent attacks.

Learn more about two-factor authentication >

Security Tips

2FA is mandatory for all accounts and is a key measure to secure your access.

Additional best practices include:

• Use a unique, strong password
• Never share your credentials
• Be cautious with suspicious emails or messages