Security Guide

Account Security & Authentication

Complete guide to securing your XShift AI account with multi-factor authentication, password management, and security best practices.


Login Methods

Email & Password Login

Standard login method for all users

Steps:
  1. Go to xshift.ai/login
  2. Enter your email address
  3. Enter your password
  4. If MFA is enabled (HEAD_MANAGER only), enter the 6-digit code from your authenticator app
  5. Click "Log In"
  6. Session lasts 7 days before requiring re-login
Tips:
  • Password must be at least 8 characters
  • Use a unique password (not used on other sites)
  • Session auto-expires after 7 days for security

Multi-Factor Authentication (MFA)

Required for HEAD_MANAGER accounts, optional for EMPLOYEE and MANAGER

Set Up MFA (TOTP)

Enable time-based one-time password authentication

Steps:
  1. Log in to your account
  2. Go to Settings > Security (HEAD_MANAGER) or Profile > Security
  3. Click "Enable MFA"
  4. Download Google Authenticator or Authy app on your phone
  5. Scan the QR code with your authenticator app
  6. Enter the 6-digit code from the app
  7. Save backup codes in a safe place (important!)
  8. Click "Enable" to activate MFA
Tips:
  • Backup codes allow access if you lose your phone
  • Each code refreshes every 30 seconds
  • Store backup codes securely (password manager or safe)
  • Recommended apps: Google Authenticator, Authy, Microsoft Authenticator

Test MFA Code

Verify your MFA setup is working

Steps:
  1. During MFA setup, before clicking "Enable"
  2. Click "Test Code" button
  3. Enter current 6-digit code from authenticator app
  4. System will verify the code works
  5. If successful, proceed to enable MFA
Tips:
  • Always test before enabling to avoid lockout
  • Make sure your phone's time is accurate
  • Code changes every 30 seconds
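The two sections above (setting up TOTP and testing a code) describe what the authenticator app and the server are doing. The following is an added example, not XShift AI's code: it implements RFC 6238 TOTP with the guide's 30-second step and 6-digit codes, verifies a code with a one-step skew window (which is why the phone's clock has to be roughly right), and issues single-use backup codes that are stored only as hashes. The secret, backup-code length and window size are assumptions chosen for illustration.

```python
"""Added example (not XShift AI's code): TOTP generation/verification with a
clock-skew window, plus hashed single-use backup codes."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set, Tuple

STEP_SECONDS = 30   # the guide: "Code changes every 30 seconds"
DIGITS = 6          # the guide: 6-digit codes

# RFC 4226/6238 test secret ("12345678901234567890"), base32 as a QR code would carry it
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """The code the authenticator app displays for the current 30 s step."""
    if at_time is None:
        at_time = time.time()
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return hotp(secret, int(at_time) // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at_time: Optional[float] = None,
                window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side.

    A phone whose clock is more than about one step off lands outside the
    window and every code is rejected, hence the guide's "make sure your
    phone's time is accurate"."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False
    if at_time is None:
        at_time = time.time()
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = int(at_time) // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        # constant-time compare, and no early exit so timing is uniform
        ok |= hmac.compare_digest(hotp(secret, counter + delta), code)
    return ok


def issue_backup_codes(count: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (codes to show the user once, hashes to store server-side).
    Assumption: 10 hex characters (40 bits) per code; they are random, so a
    plain SHA-256 suffices for storage."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: Set[str], code: str) -> bool:
    """Each backup code works exactly once: its hash is removed on use."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    print("current code for the RFC test secret:", totp(RFC_SECRET_B32))
    codes, stored = issue_backup_codes(3)
    print("backup codes (show once):", codes)
```

`totp(RFC_SECRET_B32, at_time=59)` yields `287082`, matching the RFC 6238 SHA-1 vector, and that code is still accepted at `at_time=65` (one step later) but not at `at_time=95`.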

Disable MFA

Turn off two-factor authentication

Steps:
  1. Log in with your current MFA code
  2. Go to Settings > Security
  3. Click "Disable MFA"
  4. Enter your password to confirm
  5. Enter current MFA code
  6. Click "Disable" to turn off MFA
Tips:
  • Only HEAD_MANAGER can disable their own MFA
  • Not recommended for security reasons
  • You can re-enable MFA anytime

Password Management

Password Requirements

Security standards for passwords

Steps:
  1. Minimum 8 characters
  2. Mix of letters, numbers, and symbols recommended
  3. Cannot be a commonly used password
  4. Should be unique to XShift AI
  5. Cannot be same as email address
Tips:
  • Use a password manager (LastPass, 1Password, Bitwarden)
  • Don't reuse passwords from other sites
  • Change password every 90 days for extra security
  • Never share your password with anyone
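As an added example (not XShift AI's code), here is a checker that applies the password rules listed above and separates hard requirements from recommendations. The common-password list is a constructed stand-in; a real deployment would check against a large breach blocklist. The 90-day staleness check uses the figure from the tips.

```python
"""Added example (not XShift AI's code): password policy check for the guide's rules."""
import re
from typing import List, Tuple

MIN_LENGTH = 8            # hard requirement from the guide
RECOMMENDED_LENGTH = 12   # the guide's best-practice figure
MAX_AGE_DAYS = 90         # "Change password every 90 days"

# Constructed stand-in for a real common/breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "12345678", "123456789", "qwerty123",
    "letmein1", "iloveyou", "welcome1",
}


def check_password(password: str, email: str) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, problems, advice).

    `problems` are rule violations that must block the change;
    `advice` are the guide's recommendations, reported but not enforced."""
    problems: List[str] = []
    advice: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if password.casefold() == email.casefold():
        problems.append("must not be the same as your email address")

    # "Mix of letters, numbers, and symbols recommended": count character classes
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        advice.append("mix letters, numbers and symbols")
    if len(password) < RECOMMENDED_LENGTH:
        advice.append(f"{RECOMMENDED_LENGTH}+ characters is recommended")

    return (not problems, problems, advice)


def password_is_stale(changed_at_days_ago: float) -> bool:
    """True when the password is older than the guide's 90-day rotation figure."""
    return changed_at_days_ago > MAX_AGE_DAYS


if __name__ == "__main__":
    for pw in ("password", "alice@xshift.ai", "short", "Tr0ub4dor&3x!"):
        ok, problems, advice = check_password(pw, "alice@xshift.ai")
        print(f"{pw!r}: ok={ok} problems={problems} advice={advice}")
```

The distinction between `problems` and `advice` matters in the UI: blocking on the recommendations would contradict the guide, which only requires length, uniqueness and "not common".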

Reset Forgotten Password

Recover access if you forgot your password

Steps:
  1. Go to xshift.ai/login
  2. Click "Forgot Password?" link
  3. Enter your email address
  4. Click "Send Reset Link"
  5. Check your email inbox (and spam folder)
  6. Click the reset link in the email
  7. Enter new password (twice to confirm)
  8. Click "Reset Password"
  9. Log in with your new password
Tips:
  • Reset link expires in 1 hour
  • Can request new link if expired
  • Email sent from noreply@xshift.ai
  • If MFA enabled, you'll still need your MFA code to log in

Change Password (While Logged In)

Update your password from account settings

Steps:
  1. Log in to your account
  2. Go to Settings > Security or Profile > Security
  3. Find "Change Password" section
  4. Enter current password
  5. Enter new password
  6. Confirm new password
  7. Click "Update Password"
Tips:
  • Must know current password to change it
  • If you forgot current password, use "Reset Password" instead
  • All sessions are logged out after password change
  • You'll need to log in again with new password

Session Management

Active Sessions

How XShift AI manages your login sessions

Steps:
  1. Sessions stored as HTTP-only cookies (secure)
  2. Session expires after 7 days of inactivity
  3. Can extend session by clicking "Stay logged in"
  4. Logging out clears session immediately
  5. Changing password logs out all sessions
Tips:
  • Don't check "Stay logged in" on shared computers
  • Sessions are device-specific
  • Clear browser cookies to force logout
  • Session cookie name: "session" (encrypted)

Logout

End your session securely

Steps:
  1. Click your profile icon (top right)
  2. Click "Log Out"
  3. Session is immediately cleared
  4. You're redirected to login page
  5. Must log in again to access account
Tips:
  • Always log out on shared/public computers
  • Closing browser tab doesn't log you out
  • Session remains active until you log out or it expires
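The Active Sessions and Logout sections above describe server behaviour: an HttpOnly `session` cookie, a 7-day inactivity limit, "Stay logged in", immediate clearing on logout, and invalidation of every session when the password changes. The following is an added example, not XShift AI's code, of one way to implement those rules. It stores only a hash of the cookie value server-side and uses a per-user "password generation" counter to invalidate all sessions at once; modelling "Stay logged in" as a persistent cookie with `Max-Age` is an assumption.

```python
"""Added example (not XShift AI's code): a session store implementing the guide's
session rules, plus the Set-Cookie headers for login and logout."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_TTL = 7 * 24 * 3600   # "Session expires after 7 days of inactivity"
COOKIE_NAME = "session"       # "Session cookie name: "session""


@dataclass
class Session:
    user_id: str
    last_seen: float
    password_generation: int   # snapshot of the user's counter at login


@dataclass
class SessionStore:
    # keyed by SHA-256 of the cookie value, so a leaked table holds no usable cookies
    sessions: Dict[str, Session] = field(default_factory=dict)
    # per-user counter; bumping it invalidates every session issued before the bump
    password_generation: Dict[str, int] = field(default_factory=dict)

    @staticmethod
    def _key(cookie_value: str) -> str:
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def login(self, user_id: str, now: float) -> str:
        """Create a session and return the random cookie value to send to the browser."""
        value = secrets.token_urlsafe(32)
        gen = self.password_generation.setdefault(user_id, 0)
        self.sessions[self._key(value)] = Session(user_id, now, gen)
        return value

    def resolve(self, cookie_value: str, now: float) -> Optional[str]:
        """Return the user for a cookie, or None if it is unknown, expired after
        7 days of inactivity, or invalidated by a password change. A successful
        lookup refreshes the inactivity timer."""
        key = self._key(cookie_value)
        s = self.sessions.get(key)
        if s is None:
            return None
        expired = now - s.last_seen > SESSION_TTL
        invalidated = s.password_generation != self.password_generation[s.user_id]
        if expired or invalidated:
            del self.sessions[key]
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, cookie_value: str) -> None:
        """"Logging out clears session immediately": drop it server-side."""
        self.sessions.pop(self._key(cookie_value), None)

    def change_password(self, user_id: str) -> None:
        """"Changing password logs out all sessions": every existing session
        now carries a stale generation and fails in resolve()."""
        self.password_generation[user_id] = self.password_generation.get(user_id, 0) + 1


def set_cookie_header(value: str, max_age: Optional[int] = None) -> str:
    """Set-Cookie line for login. HttpOnly keeps the cookie out of JavaScript,
    Secure restricts it to HTTPS, SameSite=Lax limits cross-site sends.
    Without Max-Age the browser drops it on exit; "Stay logged in" is modelled
    (assumption) as max_age=SESSION_TTL."""
    attrs = [f"{COOKIE_NAME}={value}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if max_age is not None:
        attrs.append(f"Max-Age={max_age}")
    return "; ".join(attrs)


def clear_cookie_header() -> str:
    """Set-Cookie line for logout: overwrite with an already-expired cookie."""
    return f"{COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0"


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("alice", now=0.0)
    print(set_cookie_header(cookie))
    store.change_password("alice")
    print("after password change:", store.resolve(cookie, now=1.0))   # None
    print(clear_cookie_header())
```

Note that the server-side check is what enforces the tips: clearing browser cookies removes the client's copy, but a stolen cookie stays valid until logout, expiry or a password change removes it server-side, which is the reason to log out on shared machines rather than just close the tab.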

Email Verification

Verify Email Address

Confirm your email during signup

Steps:
  1. During signup, enter your email address
  2. System sends 6-digit verification code to your email
  3. Check your inbox (and spam folder)
  4. Enter the 6-digit code on verification screen
  5. Code expires in 15 minutes
  6. Click "Verify" to confirm email
  7. If expired, click "Resend Code"
Tips:
  • Check spam/junk folder if code doesn't arrive
  • Can resend code unlimited times
  • Email must be verified before account creation completes
  • Use a work email, not personal
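The password-reset link (expires in 1 hour, "can request new link if expired") and the email verification code (6 digits, expires in 15 minutes, resendable) are both short-lived, single-use secrets, so one server-side store can handle both. The following is an added example, not XShift AI's code; it stores only a hash of each secret, enforces the two expiry times from the guide, makes each secret single-use, and lets a resend replace the previous one. The attempt cap on the 6-digit code is an assumption added because a six-digit space is small enough to guess online without one.

```python
"""Added example (not XShift AI's code): issuing and redeeming the guide's
password-reset tokens and email verification codes."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

RESET_TTL_SECONDS = 60 * 60       # "Reset link expires in 1 hour"
VERIFY_TTL_SECONDS = 15 * 60      # "Code expires in 15 minutes"
MAX_CODE_ATTEMPTS = 5             # assumption: cap guesses at a 6-digit code


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingSecret:
    digest: str        # only the hash is stored; a DB read yields nothing usable
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecretStore:
    """One pending secret per (purpose, email). Issuing again replaces the old
    one, which is what "Resend Code" and requesting a new reset link do."""
    pending: Dict[Tuple[str, str], PendingSecret] = field(default_factory=dict)

    def issue_reset_token(self, email: str, now: float) -> str:
        """Random URL-safe token for the emailed reset link."""
        token = secrets.token_urlsafe(32)
        self.pending[("reset", email.lower())] = PendingSecret(
            _digest(token), now + RESET_TTL_SECONDS)
        return token

    def issue_verification_code(self, email: str, now: float) -> str:
        """Uniform 6-digit code, leading zeros kept, for the verification email."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[("verify", email.lower())] = PendingSecret(
            _digest(code), now + VERIFY_TTL_SECONDS)
        return code

    def redeem(self, purpose: str, email: str, presented: str, now: float) -> bool:
        """True exactly once for the current, unexpired secret."""
        entry = self.pending.get((purpose, email.lower()))
        if entry is None or entry.used or now > entry.expires_at:
            return False
        if entry.attempts >= MAX_CODE_ATTEMPTS:
            return False
        entry.attempts += 1
        if not hmac.compare_digest(entry.digest, _digest(presented.strip())):
            return False
        entry.used = True   # single use: the same link or code cannot be replayed
        return True


if __name__ == "__main__":
    store = SecretStore()
    token = store.issue_reset_token("alice@xshift.ai", now=0.0)
    print("reset ok within the hour:", store.redeem("reset", "alice@xshift.ai", token, now=3599.0))
    print("replay rejected:", store.redeem("reset", "alice@xshift.ai", token, now=3599.0))
    code = store.issue_verification_code("alice@xshift.ai", now=0.0)
    print("verification code (would be emailed):", code)
```

The email address is lower-cased as the lookup key so a reset requested as `Alice@...` and redeemed as `alice@...` matches; the guide's instruction to verify that the sender is `noreply@xshift.ai` is the client-side counterpart of this flow.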

Security Features

Built-In Security Protections

Automatic security features protecting your account

Steps:
  1. CSRF Protection: Prevents unauthorized requests
  2. Rate Limiting: Blocks brute force login attempts
  3. Password Hashing: Passwords hashed with bcrypt (12 rounds)
  4. HTTP-Only Cookies: Session tokens not accessible to JavaScript
  5. Security Headers: CSP, HSTS, X-Frame-Options enabled
Tips:
  • These protections are automatic - no setup required
  • Rate limiting: Max 5 failed login attempts per minute
  • Passwords never stored in plain text
  • All sessions encrypted with JWT tokens
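The rate-limiting figure above (at most 5 failed login attempts per minute) is precise enough to implement. The following is an added example, not XShift AI's code: a sliding-window limiter that refuses further attempts once five failures fall within the last 60 seconds, checks the block before the credentials so a locked account reveals nothing about the password, and emits a lockout line of the kind a SOC would want in the audit log. Keying on the account identifier alone is an assumption; deployments commonly key on account and source address together.

```python
"""Added example (not XShift AI's code): sliding-window login rate limiter
for "Max 5 failed login attempts per minute"."""
from collections import deque
from typing import Deque, Dict, List

MAX_FAILURES = 5      # from the guide
WINDOW_SECONDS = 60   # from the guide


class LoginRateLimiter:
    def __init__(self, max_failures: int = MAX_FAILURES, window: float = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures: Dict[str, Deque[float]] = {}   # key -> timestamps of recent failures
        self.events: List[str] = []                   # constructed audit-log lines

    def _recent(self, key: str, now: float) -> Deque[float]:
        """Drop failures older than the window and return what remains."""
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, key: str, now: float) -> bool:
        return len(self._recent(key, now)) >= self.max_failures

    def record_failure(self, key: str, now: float) -> None:
        q = self._recent(key, now)
        q.append(now)
        if len(q) == self.max_failures:
            # the transition into the blocked state is the event worth alerting on
            self.events.append(
                f"t={now:.0f} LOCKOUT key={key} failures={len(q)} window={self.window:.0f}s")

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)


def attempt_login(limiter: LoginRateLimiter, key: str, password_ok: bool, now: float) -> str:
    """Return "blocked", "failed" or "ok".

    `password_ok` stands in for the credential check (bcrypt verify in the
    real service). The block is evaluated first so a locked account gives the
    same answer whether or not the password is right."""
    if limiter.is_blocked(key, now):
        return "blocked"
    if password_ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key, now)
    return "failed"


if __name__ == "__main__":
    rl = LoginRateLimiter()
    for t in range(6):
        print(t, attempt_login(rl, "alice", False, now=float(t)))
    print(61, attempt_login(rl, "alice", True, now=61.0))
    print("\n".join(rl.events))
```

Because the window slides, an account is released as soon as enough of its failures age out, without a separate unlock job; the fifth failure is the only point at which a lockout line is written, so the log does not fill with one line per rejected attempt.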

Account Security Best Practices

Recommendations to keep your account secure

Steps:
  1. Enable MFA if you're a HEAD_MANAGER (required)
  2. Use a strong, unique password (12+ characters)
  3. Never share login credentials
  4. Don't use "Stay logged in" on shared computers
  5. Log out after each session on public computers
  6. Keep your email account secure (it is used for password resets)
  7. Update your password every 90 days
Tips:
  • Use a password manager to generate strong passwords
  • Enable MFA on your email account too
  • Report suspicious activity to support immediately
  • Don't click links in suspicious emails claiming to be from XShift AI

Security Warning

XShift AI will NEVER ask for your password via email, phone, or text message. If you receive suspicious communications claiming to be from XShift AI:

  • Do not click any links
  • Do not provide your password or MFA codes
  • Forward suspicious emails to security@xshift.ai
  • Always verify the sender email address ends in @xshift.ai
Secure Your Scheduling Software with MFA & Login Protection | XShift AI