Account Security
Omnivoo handles sensitive financial and personal data -- salary information, tax details, bank accounts, and government IDs. This guide covers how to keep your account secure.
How Authentication Works
Omnivoo uses a passwordless authentication system. There are no passwords to remember, reset, or leak. Instead, you log in using one of two methods:
Email OTP Login
- Go to app.omnivoo.com and enter your email address.
- Omnivoo sends a 6-digit one-time passcode (OTP) to your email.
- Enter the code on the login screen.
- You are logged in.
The OTP expires after 5 minutes. If you do not receive the code, check your spam folder. Omnivoo rate-limits OTP requests to 5 per email address within 10 minutes to prevent abuse.
The OTP is sent to the exact email address you entered. Make sure you are checking the right inbox. Omnivoo emails come from @omnivoo.com.
Google OAuth Login
If you prefer, you can sign in with your Google account:
- Go to app.omnivoo.com and click Sign in with Google.
- Select your Google account and authorize Omnivoo.
- You are logged in.
Google OAuth uses the email address of your Google account to match or create your Omnivoo account. If you have previously logged in with email OTP using the same email address, both methods are linked to the same account. Because the link is made by email address, anyone who controls that Google account can sign in to your Omnivoo account, so keep it as well protected as your Omnivoo login itself.
Authentication Methods on Your Account
Your account tracks which login methods you have used. This can be:
- OTP only -- You have only logged in via email OTP.
- Google only -- You have only logged in via Google OAuth.
- OTP + Google -- You have used both methods. Either one works for future logins.
Recovery Email
You can set a recovery email as a backup contact for your account:
- Go to Profile Settings > Security.
- Enter a recovery email address.
- Click Save.
The recovery email is a backup contact, not a login method: it gives Omnivoo an alternative way to reach you if your primary email becomes inaccessible. When you update your recovery email, a confirmation notification is sent to your primary email so that you notice if someone else changes it.
Active Sessions
View and manage your active login sessions:
- Go to Profile Settings > Security > Active Sessions.
- You will see a list of your current sessions, including:
- Browser and device type (e.g., "Chrome on MacBook Pro")
- Location (based on IP address)
- When the session was created
- Which session is your current one
- Click Revoke next to any session to log it out remotely.
- Click Revoke All Sessions to log out of every session (including your current one).
Review active sessions periodically. If you see a session you do not recognize, revoke it immediately.
How Sessions Work
Omnivoo uses HTTP-only cookies for authentication. When you log in:
- A signed JWT (JSON Web Token) is stored in an HTTP-only cookie on your browser.
- Every request to Omnivoo automatically includes this cookie.
- When the access token expires, Omnivoo automatically refreshes it using a refresh token -- this happens transparently without interrupting your workflow.
- If the refresh token has also expired or been revoked, you are logged out and must log in again.
Because the tokens are stored in HTTP-only cookies, JavaScript running on the page cannot read them (for example through document.cookie), so a cross-site scripting (XSS) flaw cannot steal your tokens. HTTP-only does not stop a script from sending requests that carry the cookie, which is why XSS is still treated as a serious issue rather than a solved one.
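The cookie session flow above as a runnable model. This is an added example written for this guide, not Omnivoo's implementation. It assumes HS256-signed access tokens, an opaque server-side refresh token that is rotated on every refresh, a 15-minute access lifetime and 30-day refresh lifetime, and Secure/SameSite=Lax cookie flags alongside HttpOnly; none of those specifics appear in the guide. The SessionStore class and its method names are likewise assumptions.

```python
# Added example (not Omnivoo's code): a minimal model of the cookie session flow.
# Assumed: HS256 access tokens, opaque rotated refresh tokens, the TTLs below,
# and the Secure/SameSite=Lax flags next to HttpOnly.
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60            # assumed access-token lifetime
REFRESH_TTL = 30 * 24 * 3600    # assumed refresh-token lifetime


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float):
    """Return the claims, or None if malformed, wrong alg, bad signature or expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None   # never trust the token's own alg field ('none', RS256, ...)
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:    # bad base64, bad JSON or bad UTF-8
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def set_cookie_headers(cookies: dict) -> list:
    """Set-Cookie lines for the token pair. HttpOnly keeps page scripts from reading
    them; Secure and SameSite are assumed additions not stated in the guide."""
    ttl = {"access": ACCESS_TTL, "refresh": REFRESH_TTL}
    return [f"{n}={v}; Max-Age={ttl[n]}; Path=/; Secure; HttpOnly; SameSite=Lax"
            for n, v in cookies.items()]


class SessionStore:
    def __init__(self, key: bytes, clock=time.time):
        self.key, self.clock = key, clock   # injectable clock so expiry can be tested
        self.sessions = {}      # sid -> {"user", "refresh", "expires", "revoked"}
        self.by_refresh = {}    # refresh token -> sid

    def login(self, user: str) -> dict:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "expires": self.clock() + REFRESH_TTL,
                              "revoked": False}
        return self._issue(sid)

    def _issue(self, sid: str) -> dict:
        """Mint a fresh access token and rotate the refresh token for session sid."""
        s = self.sessions[sid]
        self.by_refresh.pop(s.get("refresh"), None)   # old refresh token stops working
        s["refresh"] = secrets.token_urlsafe(32)
        self.by_refresh[s["refresh"]] = sid
        exp = int(self.clock() + ACCESS_TTL)
        access = sign_jwt({"sub": s["user"], "sid": sid, "exp": exp}, self.key)
        return {"access": access, "refresh": s["refresh"]}

    def _live(self, sid):
        s = self.sessions.get(sid)
        return s if s and not s["revoked"] and s["expires"] > self.clock() else None

    def authenticate(self, cookies: dict):
        """Return (user, new_cookies). new_cookies is None when no refresh happened;
        (None, None) means the user has to log in again."""
        claims = verify_jwt(cookies.get("access", ""), self.key, self.clock())
        if claims and self._live(claims.get("sid")):  # store check makes Revoke immediate
            return claims["sub"], None
        sid = self.by_refresh.get(cookies.get("refresh"))
        s = self._live(sid) if sid else None
        if s is None:
            return None, None                  # refresh expired or revoked: log in again
        return s["user"], self._issue(sid)     # transparent refresh

    def revoke(self, sid: str):
        self.sessions[sid]["revoked"] = True

    def revoke_all(self, user: str):
        for s in self.sessions.values():
            if s["user"] == user:
                s["revoked"] = True
```

The access token carries a session id that authenticate() checks against the store on every request. Without that check a signed JWT would keep working until its exp even after Revoke, so a remote logout would only take effect at the next refresh; with it, revoking a session in Active Sessions cuts off that session's requests immediately.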
Security Best Practices
For All Users
- Do not share your OTP codes -- Omnivoo support will never ask for a login code.
- Lock your devices -- Use screen lock on computers and phones where you access Omnivoo.
- Log out on shared devices -- Always log out when using a shared or public computer.
- Verify emails -- Omnivoo emails come from @omnivoo.com. Be cautious of phishing emails from other domains.
- Set a recovery email -- Ensures you have a backup way to recover your account.
- Review active sessions -- Check periodically and revoke any you do not recognize.
For Employers
- Review team access regularly: Remove former team members promptly.
- Use role-based access: Give team members only the permissions they need (Admin, HR, Finance, Viewer).
- Monitor audit logs: Check Settings > Audit Log for unusual activity.
Account Lockout Protection
To prevent brute-force attacks:
- After 5 failed OTP attempts on a single code, that code is invalidated. You must request a new one.
- After 15 failed attempts across all codes within 30 minutes, your account is temporarily locked. Wait and try again later.
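The OTP issuance, expiry, rate-limit and lockout rules from the Email OTP Login section and this section, combined into one runnable model. This is an added example written for this guide, not Omnivoo's implementation; the OtpService class, its method names, the status strings it returns and the 30-minute lockout duration (the guide only says "temporarily locked") are assumptions.

```python
# Added example (not Omnivoo's code): a model of the documented OTP rules.
# Assumed: the OtpService name and methods, the status strings, and LOCKOUT
# (the guide says only "temporarily locked").
import hmac
import secrets
import time
from collections import defaultdict, deque

OTP_TTL = 5 * 60            # a code expires after 5 minutes
SEND_LIMIT = 5              # at most 5 OTP requests per email address ...
SEND_WINDOW = 10 * 60       # ... within 10 minutes
PER_CODE_ATTEMPTS = 5       # 5 wrong guesses invalidate that code
ACCOUNT_ATTEMPTS = 15       # 15 failures across all codes ...
ACCOUNT_WINDOW = 30 * 60    # ... within 30 minutes lock the account
LOCKOUT = 30 * 60           # assumed lockout duration


class OtpService:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable clock so the flow can be tested
        self.codes = {}                     # email -> [code, issued_at, failed_guesses]
        self.sends = defaultdict(deque)     # email -> timestamps of OTP requests
        self.failures = defaultdict(deque)  # email -> timestamps of failed guesses
        self.locked_until = {}              # email -> time the lock expires

    def _prune(self, q, window):
        """Drop timestamps that have left the sliding window."""
        now = self.clock()
        while q and now - q[0] > window:
            q.popleft()

    def request_code(self, email):
        """Issue a fresh 6-digit code, or None when the address is rate-limited.
        Returns the code only so the caller can deliver it by email."""
        q = self.sends[email]
        self._prune(q, SEND_WINDOW)
        if len(q) >= SEND_LIMIT:
            return None
        q.append(self.clock())
        code = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, uniform over 000000-999999
        self.codes[email] = [code, self.clock(), 0]  # a new request replaces any old code
        return code

    def verify(self, email, submitted):
        """Return 'ok', 'locked', 'no_code', 'expired', 'wrong' or 'code_invalidated'."""
        now = self.clock()
        if self.locked_until.get(email, 0) > now:
            return "locked"
        entry = self.codes.get(email)
        if entry is None:
            return "no_code"
        code, issued, _ = entry
        if now - issued > OTP_TTL:
            del self.codes[email]
            return "expired"
        if hmac.compare_digest(code.encode(), str(submitted).encode()):  # constant time
            del self.codes[email]          # single use: a code never verifies twice
            return "ok"
        entry[2] += 1
        fails = self.failures[email]
        self._prune(fails, ACCOUNT_WINDOW)
        fails.append(now)
        if len(fails) >= ACCOUNT_ATTEMPTS:
            self.locked_until[email] = now + LOCKOUT
            return "locked"
        if entry[2] >= PER_CODE_ATTEMPTS:
            del self.codes[email]          # burn the code; the user must request a new one
            return "code_invalidated"
        return "wrong"
```

Two details matter for the brute-force numbers in this section: the code is drawn from a cryptographic random source over the full million-value space, and the comparison is constant-time, so an attacker gets at most 5 guesses per code and 15 per half hour with no timing side channel to narrow them down.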
Data Protection
Omnivoo protects your data with:
- Encryption in transit: All connections use TLS 1.2+.
- Encryption at rest: Sensitive data (bank details, government IDs) is encrypted in the database.
- Access controls: Role-based permissions limit who can view sensitive information.
- Audit logging: All access to sensitive data is logged for compliance.
- Data retention: Records are retained per applicable legal requirements.
Reporting Security Issues
If you notice suspicious activity on your account or a potential security vulnerability:
- Revoke all active sessions immediately.
- Contact security@omnivoo.com with details of what you observed.
Omnivoo's security team investigates all reported issues within 24 hours.