This guide covers how to configure authentication security settings for your workspace, including two-factor authentication enforcement, passkey registration, session timeouts, and password requirements.
This feature requires administrator or workspace owner permissions. Changes made here affect all users in your workspace.
Who should read this: Workspace administrators and account owners responsible for organizational security policy.
Prerequisites: Admin or Account Owner role. An active PlaneConnection workspace.

Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step after password entry. PlaneConnection supports TOTP-based 2FA (authenticator apps like Google Authenticator, Authy, or 1Password) and SMS-based verification codes.

Enable 2FA for your account

Individual users can enable 2FA from their profile settings. As an admin, you can enforce 2FA for all users.
  1. Click your avatar in the top-right corner and select Profile & Security.
  2. Enable two-factor authentication
     Under the Two-Factor Authentication section, click Enable 2FA.
  3. Scan the QR code
     Open your authenticator app and scan the QR code displayed on screen. Enter the 6-digit verification code to confirm setup.
  4. Save backup codes
     After successful setup, PlaneConnection displays a set of backup codes. Save these in a secure location — they are your only way to access your account if you lose your authenticator device.
Backup codes are shown only once. If you lose both your authenticator device and your backup codes, you will need to contact your workspace admin to reset your 2FA.

Enforce 2FA for all users

To require all workspace members to use two-factor authentication:
  1. Go to Settings > Security in the sidebar.
  2. Enable 2FA enforcement
     Toggle Require Two-Factor Authentication to on. Set a Grace Period (in days) to give existing users time to set up their authenticator app before enforcement takes effect.
  3. Save changes
     Click Save. Users who have not configured 2FA will see a prompt on their next sign-in.
When 2FA enforcement is enabled with a grace period, users can still sign in without 2FA during the grace window but see a persistent banner reminding them to set it up. After the grace period expires, users must complete 2FA setup before accessing any workspace features.
For aviation operations, enforcing 2FA is strongly recommended. Safety report data, crew records, and financial information are sensitive — 2FA reduces the risk of unauthorized access from compromised passwords.

Passkeys

Passkeys provide passwordless authentication using biometrics (fingerprint, face recognition) or hardware security keys. They are phishing-resistant and more secure than passwords.

Register a passkey

  1. Click your avatar and select Profile & Security.
  2. Add a passkey
     Under the Passkeys section, click Add Passkey.
  3. Authenticate with your device
     Your browser prompts you to use your device’s biometric sensor or insert a security key. Follow the on-screen instructions.
  4. Name the passkey
     Enter a descriptive name (e.g., “MacBook Pro Touch ID” or “YubiKey 5”) so you can identify it later.
Users can register multiple passkeys for different devices. Each passkey is tied to a specific device and browser combination.

Remove a passkey

Navigate to Profile & Security > Passkeys and click the Remove button next to the passkey you want to delete. You must have at least one other authentication method (password or another passkey) to remove a passkey.

Session Policies

Session policies control how long users stay signed in and under what conditions sessions expire.

Configure session duration

  1. Go to Settings > Security > Sessions.
  2. Set session lifetime
     Choose the maximum session duration:

     Setting | Description | Recommended For
     8 hours | Session expires after 8 hours of the initial sign-in. | High-security environments.
     24 hours | Default. Session lasts one day. | Most flight departments.
     7 days | Session persists for a week with activity. | Low-turnover teams with MFA.
     30 days | Extended session for convenience. | Only with 2FA enforced.

  3. Set idle timeout
     Choose how long an inactive session persists before requiring re-authentication:

     Setting | Behavior
     15 minutes | Strict. Suitable for shared or kiosk devices.
     1 hour | Default. Balances security and usability.
     4 hours | Relaxed. Suitable when devices are physically secure.
     No idle timeout | Session only expires at the maximum lifetime.

  4. Save changes
     Click Save. Changes apply to new sessions; existing sessions use their original settings.
Very short idle timeouts (15 minutes) can frustrate dispatchers and safety managers who work in the platform all day. Consider the operational workflow before setting aggressive timeouts. A 1-hour idle timeout with 24-hour maximum lifetime provides a reasonable balance for most flight departments.

Force sign-out all users

In an emergency (compromised credentials, terminated employee), you can force-expire all active sessions:
  1. Navigate to Settings > Security > Sessions.
  2. Click Revoke All Sessions.
  3. Confirm the action.
All users are immediately signed out and must re-authenticate. This does not reset passwords or disable accounts.
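
The interaction between maximum lifetime, idle timeout, policy changes and Revoke All Sessions, as an added example (not PlaneConnection's code). The class names, status strings and timestamps are constructed for illustration; the model assumes each session snapshots the policy in force at sign-in, which matches "existing sessions use their original settings".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class SessionPolicy:
    max_lifetime: timedelta
    idle_timeout: Optional[timedelta]  # None models "No idle timeout"

@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime
    policy: SessionPolicy  # snapshot of the policy in force at sign-in

class SessionStore:
    def __init__(self, policy):
        self.policy = policy
        self.revoked_at = None  # set by revoke_all()

    def sign_in(self, user, now):
        return Session(user, now, now, self.policy)

    def revoke_all(self, now):
        self.revoked_at = now  # every session created up to now is dead

    def check(self, s, now):
        if self.revoked_at is not None and s.created_at <= self.revoked_at:
            return "revoked"
        if now - s.created_at >= s.policy.max_lifetime:
            return "expired_lifetime"  # activity never extends this clock
        idle = s.policy.idle_timeout
        if idle is not None and now - s.last_seen >= idle:
            return "expired_idle"
        s.last_seen = now  # activity resets the idle clock only
        return "active"

def demo():
    t0 = datetime(2026, 1, 5, 8, 0, tzinfo=timezone.utc)  # constructed
    h, m = timedelta(hours=1), timedelta(minutes=1)
    store = SessionStore(SessionPolicy(24 * h, h))  # the page's defaults
    old = store.sign_in("dispatcher", t0)
    store.policy = SessionPolicy(8 * h, 15 * m)  # admin saves stricter policy
    new = store.sign_in("auditor", t0 + m)
    out = [store.check(old, t0 + 30 * m), store.check(new, t0 + 31 * m),
           store.check(old, t0 + 80 * m), store.check(old, t0 + 25 * h)]
    live = store.sign_in("pilot", t0 + 25 * h)
    store.revoke_all(t0 + 25 * h + 5 * m)
    return out + [store.check(live, t0 + 25 * h + 6 * m)]
```

The session opened before the policy change keeps its 1-hour idle window while the one opened afterwards is cut off at 15 minutes, so tightening the policy during an incident does not shorten sessions that are already open; revocation does.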

Password Requirements

PlaneConnection enforces baseline password requirements through its authentication infrastructure. As an admin, you can configure additional policies.

Default password rules

All passwords must meet these minimum requirements:
  • At least 8 characters.
  • Cannot be a commonly breached password (checked against known breach databases).
  • Cannot be the same as the user’s email address.

Configure additional password policies

Navigate to Settings > Security > Password Policy to enable additional requirements:
Policy | Description
Minimum length | Increase the minimum from 8 to up to 32 characters.
Require mixed case | Require at least one uppercase and one lowercase letter.
Require numbers | Require at least one numeric digit.
Require special chars | Require at least one special character (!@#$%^&*).
Password history | Prevent reuse of the last N passwords (up to 10).
Modern security guidance (NIST SP 800-63B) recommends longer passwords over complex character requirements. A 12+ character minimum with breach detection is more effective than requiring special characters with a short minimum length.
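
The default rules and the optional policies above, evaluated side by side as an added example (not PlaneConnection's code). The function and rule names are hypothetical, the `BREACHED` set is a constructed stand-in for a breach-database lookup, and password history is left out.

```python
from dataclasses import dataclass

SPECIALS = "!@#$%^&*"  # the character set listed in the policy table

# Constructed stand-in for a breach-database lookup (assumption).
BREACHED = {"password", "P@ssw0rd1!", "qwerty123", "Letmein2024!"}

@dataclass
class PasswordPolicy:
    min_length: int = 8        # default minimum; configurable up to 32
    mixed_case: bool = False
    numbers: bool = False
    special_chars: bool = False

def violations(password: str, email: str, policy: PasswordPolicy) -> list:
    """Return the rules the candidate breaks; an empty list means accepted."""
    if not 8 <= policy.min_length <= 32:
        raise ValueError("minimum length must be between 8 and 32")
    found = []
    # Default rules: always enforced, whatever the admin configures.
    if len(password) < policy.min_length:
        found.append("too_short")
    if password in BREACHED:
        found.append("breached")
    if password.lower() == email.lower():
        found.append("same_as_email")
    # Optional rules: only when enabled under Password Policy.
    if policy.mixed_case and not (any(c.isupper() for c in password)
                                  and any(c.islower() for c in password)):
        found.append("needs_mixed_case")
    if policy.numbers and not any(c.isdigit() for c in password):
        found.append("needs_number")
    if policy.special_chars and not any(c in SPECIALS for c in password):
        found.append("needs_special_char")
    return found

# Two configurations to compare: complexity at the 8-character default,
# versus a 12-character minimum with no composition rules.
COMPLEX_SHORT = PasswordPolicy(8, mixed_case=True, numbers=True, special_chars=True)
LONG_SIMPLE = PasswordPolicy(min_length=12)
```

Under `COMPLEX_SHORT`, the 9-character `Tr0ub4d&r` is accepted and `P@ssw0rd1!` is stopped only by the breach check; under `LONG_SIMPLE`, the first is rejected as too short while a 24-character lowercase passphrase is accepted.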

Authentication Methods Overview

PlaneConnection supports multiple authentication methods. The following table summarizes availability and configuration:
Method | Default State | Admin Configurable | Notes
Email + Password | Enabled | Cannot disable | Always available as a baseline method.
Google OAuth | Feature toggle | Yes | Sign in with Google. Enable via Settings > Modules.
Microsoft OAuth | Feature toggle | Yes | Sign in with Microsoft. Enable via Settings > Modules.
SAML SSO | Feature toggle | Yes | Enterprise SSO. See Configure SSO.
Magic Link | Feature toggle | Yes | Passwordless email link. Enable via Settings > Modules.
Passkeys | Feature toggle | Yes | Biometric/hardware key. Enable via Settings > Modules.
TOTP 2FA | Opt-in | Enforceable | Authenticator app codes as second factor.

Security Audit Log

All authentication events are recorded in the workspace audit log:
  • Sign-in attempts (successful and failed)
  • 2FA enrollment and verification
  • Passkey registration and removal
  • Session creation and revocation
  • SSO configuration changes
  • Role and permission changes
Navigate to Settings > Audit Log to review authentication events. Filter by event type, user, and date range.

Configure SSO

Set up SAML-based single sign-on with your identity provider.

Manage Users and Roles

User provisioning, role assignment, and member management.

User Roles Reference

All 24 platform roles and their access scope.

Permissions Matrix

Detailed feature-by-role permissions breakdown.
Last modified on April 11, 2026