Account Security

Omnivoo handles sensitive financial and personal data -- salary information, tax details, bank accounts, and government IDs. This guide covers how to keep your account secure.

How Authentication Works

Omnivoo uses a passwordless authentication system. There are no passwords to remember, reset, or leak. Instead, you log in using one of two methods.

Email OTP Login

  1. Go to app.omnivoo.com and enter your email address in the Work email field.
  2. Click Send verification code. Omnivoo sends a 6-digit one-time passcode (OTP) to your email.
  3. Enter the code on the verification screen.
  4. You are logged in.

The OTP expires after 5 minutes. If you do not receive the code, check your spam folder. Omnivoo rate-limits OTP requests to 5 per email address within 10 minutes to prevent abuse.

Tip: The OTP is sent to the exact email address you entered. Make sure you are checking the right inbox. Omnivoo emails come from @omnivoo.com.

Google Sign-In

If you prefer, you can sign in with your Google account:

  1. Go to app.omnivoo.com and click Sign in with Google.
  2. Select your Google account and authorize Omnivoo.
  3. You are logged in.

Google sign-in uses your Google account's email to match your Omnivoo account. If you have previously logged in with email OTP using the same email address, both methods work on the same account.

Secondary Email

You can add a secondary email to your account and then log in with either your primary or your secondary address. The new address has to be verified with a one-time code before it works.

You manage it from My Profile (avatar menu > Profile) under the Security section. For step-by-step instructions, see Add a secondary email.

Info: A secondary email is an alternate login address, not just a backup contact. After it is verified, an OTP sent to either address can sign you in.

Two-Factor Authentication

For an extra layer of protection, you can turn on two-factor authentication (2FA). With 2FA enabled, signing in also requires a 6-digit code from an authenticator app (or a one-time recovery code).

You enable and manage 2FA from My Profile > Security. See Two-Factor Authentication for the full setup and recovery-code guide.

Logout of All Devices

If you suspect someone else has access to your account, you can end every active session at once:

  1. Open My Profile (avatar menu > Profile).
  2. Expand the Security section.
  3. Click Logout of All Devices and confirm.

This signs you out everywhere, including your current device, and you will need to log in again on each one. See Session & Security for more on how sessions work.

How Sessions Work

Omnivoo uses HTTP-only cookies for authentication. When you log in:

  1. A signed token is stored in an HTTP-only cookie on your browser.
  2. Every request to Omnivoo automatically includes this cookie.
  3. When the access token nears expiry, Omnivoo automatically refreshes it in the background, so you are not interrupted.
  4. If your session is revoked or expires, you are logged out and must log in again.

Because tokens are stored in HTTP-only cookies, they cannot be read by JavaScript running on the page, so a cross-site scripting (XSS) attack cannot steal them.

Security Best Practices

  • Do not share your OTP codes -- Omnivoo support will never ask for a login code.
  • Turn on two-factor authentication -- especially for employer accounts with admin access.
  • Lock your devices -- use a screen lock on any computer or phone where you access Omnivoo.
  • Log out on shared devices -- always sign out when using a shared or public computer, or use Logout of All Devices.
  • Verify emails -- Omnivoo emails come from @omnivoo.com. Be cautious of phishing from other domains.

Account Lockout Protection

To prevent brute-force attacks:

  • After 5 failed attempts on a single OTP, that code is invalidated. You must request a new one.
  • After 15 failed attempts across all codes within 30 minutes, your account is temporarily locked. Wait and try again later.
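
The limits above, together with the 5-minute expiry and the request rate limit from the Email OTP Login section, expressed as code. This is an added illustration in Python, not Omnivoo's implementation: the `OtpGuard` class, its method names, and the treatment of the temporary lock as a sliding 30-minute window are assumptions.

```python
import hmac
import secrets
from collections import deque

OTP_TTL = 5 * 60                       # a code expires after 5 minutes
MAX_TRIES_PER_CODE = 5                 # 5 wrong guesses invalidate that code
LOCK_FAILS, LOCK_WINDOW = 15, 30 * 60  # 15 failures in 30 minutes lock the account
REQ_LIMIT, REQ_WINDOW = 5, 10 * 60     # 5 OTP requests per address in 10 minutes

def _recent(q, now, window):
    """Drop timestamps older than the window and return how many remain."""
    while q and now - q[0] >= window:
        q.popleft()
    return len(q)

class OtpGuard:
    """Hypothetical sketch, one email address; the lock is a sliding window (assumed)."""
    def __init__(self):
        self.code = None         # [value, issued_at, wrong_guesses] or None
        self.requests = deque()  # timestamps of issued codes
        self.failures = deque()  # timestamps of wrong guesses, across all codes

    def locked(self, now):
        return _recent(self.failures, now, LOCK_WINDOW) >= LOCK_FAILS

    def request_code(self, now):
        """Issue a fresh 6-digit code, or None when locked or rate-limited."""
        if self.locked(now) or _recent(self.requests, now, REQ_WINDOW) >= REQ_LIMIT:
            return None
        self.requests.append(now)
        self.code = [f"{secrets.randbelow(10**6):06d}", now, 0]  # CSPRNG, keeps zeros
        return self.code[0]

    def verify(self, guess, now):
        """Return 'ok', 'locked', 'no_code', 'expired' or 'wrong'."""
        if self.locked(now):
            return "locked"
        if self.code is None:
            return "no_code"
        if now - self.code[1] >= OTP_TTL:
            self.code = None
            return "expired"
        if hmac.compare_digest(guess.encode(), self.code[0].encode()):
            self.code = None     # single use
            return "ok"
        self.code[2] += 1
        self.failures.append(now)
        if self.code[2] >= MAX_TRIES_PER_CODE:
            self.code = None     # burned: a new code must be requested
        return "wrong"
```

Under these limits, no more than 15 wrong guesses are accepted in any 30-minute window against a space of 1,000,000 possible codes.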

Data Protection

Omnivoo protects your data with:

  • Encryption in transit: all connections use TLS.
  • Encryption at rest: sensitive data (such as bank details and government IDs) is encrypted in the database.
  • Access controls: role-based permissions limit who can view sensitive information.
  • Data retention: records are retained per applicable legal requirements.

Reporting Security Issues

If you notice suspicious activity on your account or a potential security vulnerability:

  1. Use Logout of All Devices to end every active session immediately.
  2. Contact security@omnivoo.com with details of what you observed.