Auth and session controls.

1. Authentication baseline

• SSO supported where appropriate, and MFA enforced for privileged roles.
• Rate limits for login, signup, password reset, and verification endpoints.
• Credential stuffing defenses (device signals, IP reputation, step-up auth).
• Secure password policy and breached-password checks (where applicable).

2. MFA and step-up authentication

• MFA is required for admin/support access and sensitive actions.
• Step-up auth for high-risk workflows (payment changes, data export, role grants).
• MFA reset is protected by strong identity verification.

3. Session cookies and tokens

• Cookies: Secure, HttpOnly, and appropriate SameSite.
• Short-lived access tokens; refresh tokens are protected and rotated.
• Token revocation on password change and on suspicious activity.
• Session invalidation across devices for admin actions (as required).

4. Account recovery

• Recovery is rate limited and resistant to enumeration.
• Recovery links and codes expire quickly and are single-use.
• Recovery changes are logged and notify the user.

5. Authorization checks around identity

• Authorization checks are server-side and cannot be bypassed by client changes.
• Multi-tenant boundaries are validated for read and write actions.
• Admin tooling requires explicit approvals for high-risk changes.

6. Logging and alerting

• Audit logs for login, MFA changes, role grants, and sensitive workflow actions.
• Alert on new admin creation, MFA disablement, and unusual login patterns.
• Logs have stable identifiers to support investigation and evidence.