Security Center
The layers that keep your identity safe on SSO EA.
Passwordless sign-in
We never use passwords. Each sign-in is a single 6-digit one-time code (OTP) sent to your email or phone — valid for 5 minutes and usable only once.
Encryption & storage
Your email and phone are stored encrypted with AES-256. One-time codes and your security code are stored only as Argon2id hashes — never in plain text.
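As an added illustration of the one-time-code lifecycle described in the two sections above (passwordless sign-in and hashed storage), the following is example code written for this page, not SSO EA's own implementation. It uses `hashlib.scrypt` from the Python standard library as a stand-in for the Argon2id hashing the page states (argon2 is not in the stdlib); the in-memory store, the account ids and the 5-attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # page: a code is valid for 5 minutes
OTP_DIGITS = 6             # page: 6-digit code
MAX_ATTEMPTS = 5           # assumption: wrong guesses allowed before the code is burned


def _hash_code(code: str, salt: bytes) -> bytes:
    # Stand-in for Argon2id: a memory-hard hash matters because a 6-digit
    # code has only ~20 bits of entropy, so a plain hash would be brute-forceable.
    return hashlib.scrypt(code.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class OtpStore:
    """In-memory store of pending one-time codes keyed by account id (constructed demo)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> dict(salt, hash, expires_at, attempts)

    def issue(self, account: str) -> str:
        # Generate with the secrets module, never random; zero-pad to 6 digits.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[account] = {
            "salt": salt, "hash": _hash_code(code, salt),
            "expires_at": self._clock() + OTP_TTL_SECONDS, "attempts": 0,
        }
        return code   # delivered out of band (email/SMS); only the hash is kept

    def verify(self, account: str, code: str) -> bool:
        # Returns one generic boolean: the caller must not reveal whether the
        # account was unknown, the code expired, or the code was simply wrong.
        entry = self._pending.get(account)
        if entry is None:
            _hash_code(code, bytes(16))   # burn the same work to keep timing uniform
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[account]
            return False
        ok = hmac.compare_digest(_hash_code(code, entry["salt"]), entry["hash"])
        entry["attempts"] += 1
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]   # single-use on success; burned after too many misses
        return ok
```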
Transport security
All traffic is forced over HTTPS/TLS (plain HTTP is redirected). Strict transport and content-security headers are applied on every response.
Bot & abuse protection
Cloudflare Turnstile blocks automated abuse. A 4-layer rate limiter (per-account and per-IP) stops code flooding and account enumeration, with constant-time, generic responses.
Device trust
Trusted devices skip only the extra security-code step — a one-time code is always required. Trust lasts 90 days, is bound to a hashed cookie, and is reset whenever you change your security code.
Browser-level hardening
A strict Content-Security-Policy, X-Frame-Options: DENY (anti-clickjacking) and CSRF tokens on every sensitive action protect your session.
Consent & transparency
Apps receive your data only with explicit, per-app consent that you can revoke anytime. We share identity only — never passwords or roles.
Responsible disclosure
Found a vulnerability? Please report it responsibly to contact@ssoea.com — we appreciate it.