Security and MFA

Vilulia uses AWS Cognito for authentication. All users authenticate with email and password. Multi-factor authentication (MFA) via a TOTP authenticator app is available to all roles and can be required by your organization's policy. Account security settings — including MFA enrollment, password changes, login history, and session management — are accessible to every user under Settings → Security.

What you'll learn

  • How to enroll in MFA with a TOTP authenticator app
  • What the login flow looks like when MFA is enabled
  • How to disable MFA if needed
  • How to view your login history and manage active sessions
  • How password changes affect other sessions

MFA enrollment

To enable MFA on your account:

  1. Navigate to Settings → Security and click Set up two-factor authentication.
  2. Vilulia generates a TOTP secret and displays a QR code. Scan the QR code with any TOTP-compatible authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator, or any app that supports the otpauth:// URI format).
  3. Enter the 6-digit code shown in your authenticator app to confirm enrollment. This verifies that the secret was scanned correctly before MFA is activated.

Your MFA enrollment is stored in AWS Cognito against your user account. The secret is never exposed after the initial setup screen. If you lose access to your authenticator app, contact your organization's admin or Vilulia support to reset MFA.

Logging in with MFA

When MFA is enabled, the login flow adds a second step:

  1. Enter your email and password as usual.
  2. If the credentials are correct, you are prompted for your 6-digit TOTP code. Open your authenticator app and enter the current code.
  3. Vilulia validates the code with Cognito. An incorrect code returns an error; you can retry with the next code cycle (codes rotate every 30 seconds).

Failed MFA attempts are recorded in the audit log. Your organization admin can review login history for any user through the admin panel.

Disabling MFA

To disable MFA on your account, navigate to Settings → Security and click Disable two-factor authentication. You will be asked to confirm your identity with either:

  • Your current password (re-authenticates via Cognito), or
  • A current TOTP code from your authenticator app.

This re-authentication step cannot be bypassed. Password changes and MFA changes are also blocked entirely when a Vilulia support session is impersonating your account.

Login history

Settings → Security → Login History shows your recent login attempts, including timestamp, IP address, device type (Desktop, Mobile, or Tablet), and whether the attempt succeeded or failed. Up to 50 recent events are shown. Failed attempts made with your email address appear alongside successful logins so you can detect unauthorized access attempts.

Session management

Vilulia tracks active sessions in addition to Cognito tokens. Each session has its own ID and tracks last-active time. From Settings → Security → Active Sessions you can:

  • View all active sessions with device type and creation time.
  • Revoke any individual session that is not your current session. Revoking a session signs that device out immediately.
  • Revoke all other sessions at once, useful if you believe your account has been accessed from an unfamiliar device.

Sessions have a configurable idle timeout. You can extend your current session while staying logged in using the Extend Session option. To sign out of your current session, use the account menu and select Log out.

Password changes

Changing your password from Settings → Security requires your current password. Passwords must meet the platform minimum: 12 characters with a mix of character types. After a successful password change, all other active sessions are automatically revoked. Your current session remains valid so you are not immediately signed out.

If you have forgotten your password, use the Forgot password link on the login page. Vilulia sends a confirmation code to your registered email. Enter the code along with your new password to complete the reset.

SSO users

If your organization has configured SAML or OIDC single sign-on and SSO enforcement is enabled, password-based login is disabled for your domain. Authentication happens entirely through your identity provider. MFA is then managed by your IdP rather than Vilulia. Tenant admins retain password-based login as a recovery path even when SSO enforcement is active.
