Xoxoday supports multifactor authentication (MFA) for all administrator and end-user logins, with methods including email OTP, SMS OTP, TOTP via Google Authenticator or Microsoft Authenticator, and push-based MFA through identity providers such as Okta and Duo.
Xoxoday enforces multifactor authentication as a configurable security layer that operates independently of whether your organisation uses single sign-on (SSO). This means every login — whether from an HR admin managing reward budgets or an employee redeeming a gift card — can be protected by a verified second factor.

Email-based OTP

The default second factor for local logins is a 6-digit one-time password delivered to the user’s registered email address. The code is time-limited with strict retry controls: it expires quickly and is invalidated after a set number of failed attempts. This method requires no additional app installation and works across all device types and operating systems.

SMS-based OTP

SMS OTP is available upon request for organisations that need it to meet specific compliance mandates. A time-sensitive code is delivered to the user’s registered mobile number during the login flow. This method suits environments where guaranteed email access at login cannot be assumed.

Authenticator App (TOTP)

Xoxoday supports time-based one-time passwords generated by third-party authenticator apps, including Google Authenticator and Microsoft Authenticator. During setup, users scan a QR code to link their account to the app. A new rotating 6-digit code is then generated every 30 seconds and used as the second factor at login. This method works entirely offline and is well-suited to teams that already use authenticator apps across other enterprise tools.

Push-based MFA via Identity Provider

For organisations using SSO, Xoxoday honours MFA enforcement configured at the identity provider level. When a user authenticates through Okta, Duo, or Microsoft Entra ID, step-up authentication and push notification challenges are handled natively by the IdP before Xoxoday grants access. This allows security teams to maintain a single, centralised MFA policy across all SaaS applications — including Xoxoday — without duplicating configuration.
Backup and Recovery Codes

Admins can optionally enable backup verification codes for users who lose access to their primary MFA method. These codes provide a controlled recovery path without requiring helpdesk intervention for every locked-out account.

Admin Enforcement and Security Controls

MFA enforcement in Xoxoday is role-aware and configurable. Administrators can require MFA based on user role, device type, or risk score — for example, making it mandatory for admins while keeping it optional for standard users.

All MFA-related data exchange occurs over TLS-encrypted channels, and OTPs are invalidated immediately after use or after a maximum number of failed attempts, limiting exposure to brute-force and replay attacks. For organisations operating under ISO 27001 or SOC 2 Type II compliance frameworks, Xoxoday’s MFA controls support access control requirements and contribute to the audit trail generated for all login events.

Learn more: Xoxoday Help Centre — Technical requirement
