Security Features

Learn about the security measures protecting your StockCraft account and business data.

StockCraft takes security seriously. We implement industry-standard security practices to protect your account and business data.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication adds an extra layer of security to your account by requiring two forms of verification:

  • Something you know - Your password
  • Something you have - Your smartphone with an authenticator app

Even if someone obtains your password, they won't be able to access your account without the time-based code from your authenticator app.

What is TOTP?

StockCraft uses Time-based One-Time Password (TOTP) for MFA. TOTP generates a unique 6-digit code every 30 seconds from a shared secret held by both your authenticator app and StockCraft. Each code can be used only once and expires within seconds, so a code that is observed or intercepted is of very limited use to an attacker.

How TOTP Enhances Security

  • Protection against password theft - Even if your password is compromised, attackers can't access your account without your authenticator app
  • Protection against phishing - TOTP codes are time-limited and can't be reused, making phishing attacks ineffective
  • No SMS vulnerabilities - Unlike SMS-based 2FA, TOTP doesn't rely on phone networks that can be intercepted
  • Works offline - Your authenticator app generates codes locally without needing an internet connection

Setting Up MFA

Enabling MFA is quick and easy. Visit your Settings page, go to the Security tab, and click "Enable MFA". You'll scan a QR code with your authenticator app and verify a code to complete setup. View the complete MFA setup guide →

Password Security

StockCraft enforces strong password requirements:

  • Minimum 8 characters
  • Must include uppercase and lowercase letters
  • Must include at least one number
  • Must include at least one special character

Passwords are never stored in plain text. We use industry-standard hashing algorithms provided by AWS Cognito to securely store password hashes.

Data Encryption

All data transmitted between your browser and StockCraft servers is encrypted using HTTPS/TLS. This ensures that your data cannot be read or tampered with by third parties while in transit.

Data at rest is encrypted using AWS encryption services, protecting your business information even if physical storage media were compromised.

Multi-Tenant Isolation

StockCraft uses a secure multi-tenant architecture where each business's data is logically isolated. Your data is never visible to other StockCraft users, and all database queries are automatically scoped to your tenant ID.

Session Management

User sessions are managed securely with:

  • Automatic session expiration after inactivity
  • Secure token storage in browser local storage
  • Token refresh mechanisms to maintain security without disrupting your workflow
  • Immediate session invalidation on sign out

Frequently Asked Questions

Is MFA required?

MFA is optional but strongly recommended. Enabling MFA significantly reduces the risk of unauthorized account access.

What happens if I lose my authenticator app?

If you lose access to your authenticator app, contact StockCraft support for account recovery assistance. We recommend using an authenticator app that supports cloud backup (like Authy or Microsoft Authenticator) to prevent this situation.

Can I use SMS for two-factor authentication?

Currently, StockCraft only supports TOTP-based MFA using authenticator apps. TOTP is more secure than SMS-based 2FA because it doesn't rely on phone networks that can be intercepted.

Where are my TOTP secrets stored?

TOTP secrets are securely managed by AWS Cognito and are never stored in the StockCraft application database. This ensures that even StockCraft developers cannot access your MFA secrets.

How often do I need to enter MFA codes?

You'll need to enter an MFA code each time you sign in to StockCraft. Your session will remain active for a period of time, so you won't need to re-enter codes during normal use.

Can I disable MFA?

Yes, you can disable MFA at any time from your Settings page. You'll need to enter a current TOTP code to confirm the change, ensuring that only you can disable MFA on your account.
