Authentication & MFA
niil supports several authentication methods, so your organization can choose the right balance of security and convenience.
Methods
- Password — email + password, with secure server-side credential storage.
- Email one-time code (MFA) — a 6-digit code sent to your inbox after the password. On by default, set per organization (Organization → Security). The code is only ever delivered by email — never shown in the browser.
- Passkeys (WebAuthn / FIDO2) — sign in with your device's biometrics or PIN, or a hardware security key. Passkeys are discoverable, so you don't need to type your email. Manage them in your profile.
- Social sign-in (OAuth) — Google, Microsoft, GitHub (whichever your operator enables). Link/unlink providers in your profile, keeping at least one working method.
How MFA and passkeys interact
A passkey login is itself a strong second factor — it proves possession of your device plus a biometric/PIN. So when you sign in with a passkey, niil does not additionally ask for the email one-time code. Password logins, by contrast, are followed by the email code when your org requires MFA.
Keep a backup method
Before removing all passwords or unlinking your last social provider, make sure you have another way in (a passkey, a password, or a linked provider).
Sessions
Authenticated sessions use a secure, HTTP-only cookie, marked Secure behind HTTPS. Signing out ends the session. Each request is authorised against your identity and organization.