Authentication

evroc uses email and password authentication with optional (strongly recommended) multi-factor authentication (MFA) for all user accounts. This document describes how authentication works and what to do if you encounter issues.

Multi-factor authentication (MFA)

evroc strongly recommends enabling MFA using a time-based one-time password (TOTP) for additional security. While not mandatory, you'll see a banner in the evroc Console promoting MFA setup until you enable it.

Setting up MFA

To enable MFA for your account:

  1. Log in to the evroc Console
  2. Follow the banner prompt to set up MFA
  3. Scan the QR code with your authenticator app, or enter the setup key manually
  4. Enter the 6-digit code from your app to complete the setup

Supported authenticator apps

You can use any TOTP-compatible authenticator app, including open-source options, or built-in TOTP support in password managers.

Using MFA on subsequent logins

Once MFA is enabled, you'll enter:

  1. Your email address and password
  2. The 6-digit code from your authenticator app

The code changes every 30 seconds. If the code is about to expire, wait for the next one.
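The sketch below is an added example, not evroc code: it computes the 6-digit, 30-second code described above from a setup key, following RFC 6238. It assumes the default HMAC-SHA1 algorithm and a base32 setup key, neither of which this page states. It goes slightly beyond the page by also reporting how many 30-second steps a device clock is off when a code does not match, a common reason a code that looks current is rejected. The setup key shown is constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid, as stated on this page
DIGITS = 6   # code length, as stated on this page


def decode_setup_key(key: str) -> bytes:
    """Decode a hand-typed base32 setup key (spaces, lowercase, no padding)."""
    k = key.replace(" ", "").replace("-", "").upper()
    k += "=" * (-len(k) % 8)  # restore the padding that apps usually omit
    return base64.b32decode(k)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code for Unix time `at` (HMAC-SHA1 is an assumption here)."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(at: float, step: int = STEP) -> int:
    """Seconds until the code shown at time `at` is replaced by the next one."""
    return step - int(at) % step


def clock_drift_steps(secret: bytes, code: str, at: float, max_steps: int = 10):
    """Steps of 30 s by which the clock that produced `code` differs from `at`.

    Returns 0 when the code is current, a signed step count when the device
    clock is off, or None when no step within +/- max_steps matches.
    """
    for n in sorted(range(-max_steps, max_steps + 1), key=abs):
        t = at + n * STEP
        if t >= 0 and hmac.compare_digest(totp(secret, t), code):
            return n
    return None


if __name__ == "__main__":
    # Constructed setup key (base32 of the RFC 6238 test secret), not a real one.
    secret = decode_setup_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = time.time()
    print(f"code {totp(secret, now)} is valid for {seconds_left(now)} more seconds")
```

Run it on a machine with a correct clock and compare the output with your authenticator app; a non-zero result from `clock_drift_steps` means the device clock needs correcting before you try to log in again.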

Brute force protection

evroc implements rate limiting to protect against brute force attacks on user accounts.

How it works

After 10 failed login attempts, the account enters a temporary lockout state. During this period:

  • You can't log in, regardless of whether you enter the correct credentials
  • The system doesn't display any warning that the account is locked
  • This prevents attackers from determining which email addresses are valid

Important: There is no visual indication that your account is temporarily locked. If your login attempts fail unexpectedly, brute force protection may be active.

Lockout duration

The lockout period increases based on the number of consecutive failures:

  • After the initial 10 failed attempts, you must wait 1 minute before trying again
  • Any new failed attempt will increase the waiting time, up to 10 minutes
  • Once the waiting time has reached 10 minutes, you must wait another 10 minutes after each new failed attempt
  • This pattern continues until you enter the correct credentials

Resetting the failure counter

The failure counter resets automatically after 4 hours with no failed login attempts. Once reset, you have another 10 attempts before the lockout period begins again.

Troubleshooting login issues

Unable to log in despite correct credentials

If you're confident you're entering the correct credentials but can't log in, brute force protection may be blocking your attempts.

To resolve this:

  1. Wait 10 minutes without attempting to log in
  2. Ensure you're entering the correct password on your next attempt
  3. If you've enabled MFA, check that your authenticator app is showing the current code (codes expire every 30 seconds)

If the issue persists after waiting and verifying your credentials, contact evroc support.