Xoxoday supports local authentication protocols for both end users and administrators, with enforced password policies, optional multi-factor authentication, role-based access control, and full login audit logging — no external identity provider required.
Xoxoday supports local authentication protocols as a first-class option for both end users and platform administrators. This makes it suitable for organisations that manage identity in-house or that operate in environments where enterprise identity providers such as Workday or SAP SuccessFactors are not yet integrated alongside Xoxoday.
Password Security
Xoxoday enforces configurable password complexity rules, including minimum length, character variety requirements, and restrictions on reuse. Common or previously breached passwords are blocked at the point of entry. Password expiration policies can be configured to meet your organisation’s compliance requirements, including those aligned with ISO 27001 or SOC 2 Type II controls.
Multi-Factor Authentication
Xoxoday supports optional MFA using authenticator apps or TOTP tokens. For organisations deploying Xoxoday alongside communication tools such as Slack or Microsoft Teams, enabling MFA at the platform level adds a consistent authentication layer without requiring changes to your existing identity infrastructure.
Role-Based Access Control
Access within Xoxoday is governed by role-based access control (RBAC). Standard users, managers, and administrators each operate within clearly defined permission boundaries. Elevated administrative access is restricted to authorised personnel and subject to ongoing monitoring, which is particularly relevant for organisations undergoing SOC 2 Type II audits.
Credential Storage and Encryption
Xoxoday stores passwords using strong, salted cryptographic hashing algorithms equivalent to bcrypt. Authentication tokens are encrypted and time-bound, expiring after a defined period to limit exposure in the event of interception.
Login Monitoring and Account Protection
Xoxoday automatically locks accounts after a configurable number of failed login attempts and logs all authentication events for audit and alerting purposes. Optional IP-based restrictions and anomaly detection are available for organisations with stricter access requirements. These controls integrate with broader audit workflows, making it straightforward to produce compliance evidence on demand.
Password Recovery and Admin Override
Secure password reset flows use email and token-based verification. Administrative overrides are available through the customer support process and require identity verification before access is restored, ensuring recovery workflows do not introduce an uncontrolled access path into your environment.
For organisations using Darwinbox, SAP SuccessFactors, or other HCM platforms without a federated SSO setup, Xoxoday’s local authentication framework provides a self-contained, secure login path that meets enterprise security standards without dependency on external identity providers.
Learn more: Xoxoday Help Centre — Technical requirement