
Security & Authentication

Learn how ASQScholar protects your account and data. Understanding these security features helps you make informed decisions about protecting your educational records.

Authentication Methods

Biometric Authentication (WebAuthn)

Most Secure

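Uses your device's fingerprint scanner or face recognition to log you in. This method is based on the WebAuthn standard: the biometric check only unlocks a cryptographic key stored on your device, and that key is tied to the real ASQScholar site. It is phishing-resistant because your biometric data never leaves your device and cannot be stolen or replayed.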

Advantages

  • Completely phishing-resistant
  • No password to remember or type
  • Works offline after initial setup
  • Fast (2-3 seconds to login)
  • Biometrics never leave your device

Considerations

  • Requires compatible device
  • Limited to registered devices
  • Need backup method if device lost
  • Admin users: platform-only (no cross-device)

How to set up: Log in with email/password, go to Profile → Security → Add Biometric Authentication. You can register up to 3 devices per account.

Email & Password

Traditional

Standard username and password authentication. It is your primary credential for account access and is required before linking other authentication methods. Passwords must be at least 6 characters.

Advantages

  • Works on any device
  • No special hardware needed
  • Can be reset if forgotten
  • Familiar to all users

Considerations

  • Vulnerable to phishing if reused
  • Can be forgotten
  • Must be typed (slower than biometric)
  • Should be unique to ASQScholar

Important: Never use the same password you use on other websites. If another site is compromised, attackers will try your password here. Use a unique password for ASQScholar.

Google Single Sign-On (SSO)

Convenient

Log in using your existing Google account. Your email is automatically verified, and you benefit from Google's security infrastructure including their 2FA if enabled.

Advantages

  • Fast signup (no email verification)
  • One less password to remember
  • Leverages Google's security
  • Easy for institutional accounts

Considerations

  • Requires Google account
  • Dependent on Google availability
  • Privacy: Google knows you use ASQScholar
  • Should set a password as backup

Account Linking: You can link your Google account to an existing ASQScholar account anytime. This requires password confirmation for security.

Two-Factor Authentication (2FA)

2FA adds a second layer of security by requiring a time-based code from your phone in addition to your password. Even if someone steals your password, they cannot access your account without the code from your device.

How It Works

  1. You log in with your email and password
  2. System asks for a 6-digit code
  3. You open your authenticator app (Google Authenticator, Authy, etc.)
  4. You enter the code shown in the app
  5. Access granted!

User Role          | 2FA Status  | Reason
Faculty & Admins   | REQUIRED    | Access to grades, exams, and student data requires maximum security
Students           | RECOMMENDED | Protects your academic records and exam submissions
External Reviewers | OPTIONAL    | Limited access scope, SSO typically sufficient

Recovery Codes:

When you enable 2FA, you'll receive 10 backup recovery codes. Store these safely! If you lose your phone, these codes are the only way to regain access without admin assistance.

Security Best Practices

  1. Use a Unique Password
     Never reuse passwords from other websites. If one site is breached, attackers will try your credentials everywhere.
  2. Enable 2FA (Faculty/Staff: Required)
     Two-factor authentication stops 99.9% of automated attacks. It's the single most effective security upgrade you can make.
  3. Register Biometric on Your Primary Device
     Biometric authentication is phishing-proof and faster than typing passwords. Set it up on devices you use regularly.
  4. Keep Recovery Codes Safe
     Store 2FA recovery codes in a secure location (password manager or offline storage). You'll need them if you lose your phone.
  5. Review Active Sessions Regularly
     Check your security dashboard for unfamiliar devices or locations. Log out unused sessions to prevent unauthorized access.
  6. Be Skeptical of Login Requests
     Always check the URL is asqscholar.com before entering credentials. ASQScholar will never email you asking for your password.

Recognizing & Avoiding Threats

Phishing Attacks

Attackers send fake emails or create fake login pages that look like ASQScholar. They trick you into entering your credentials on their site, which they then steal.

Protection: Always verify the URL is asqscholar.com before logging in. Biometric authentication is immune to phishing because credentials never travel over the internet.
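
The URL check described above can be made mechanical. The following is an added example, not ASQScholar's own code; the function name, the www host in the allowlist, and the sample links are assumptions constructed for illustration.

```javascript
// Added example: decide whether a link really points at the ASQScholar login.
// asqscholar.com is from the page; the www form is an assumption.
const ALLOWED_HOSTS = new Set(["asqscholar.com", "www.asqscholar.com"]);

function checkLoginUrl(link) {
  let url;
  try {
    url = new URL(link); // the parser lowercases the host and converts IDNs to punycode
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://asqscholar.com@other.example/" puts the familiar name in the
  // userinfo part; the browser connects to other.example.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo before the host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  if (!ALLOWED_HOSTS.has(host)) {
    const idn = host.split(".").some((label) => label.startsWith("xn--"));
    return { ok: false, reason: idn ? "look-alike characters in host" : "wrong host: " + host };
  }
  return { ok: true, reason: "host is " + host };
}

// Constructed sample links (reserved .example names stand in for other sites).
const samples = [
  "https://asqscholar.com/login",
  "http://asqscholar.com/login",
  "https://asqscholar.com.account-check.example/login",
  "https://asqscholar.com@account-check.example/login",
  "https://asqsch\u043elar.com/login", // Cyrillic "o" look-alike in place of Latin "o"
];
for (const link of samples) {
  const { ok, reason } = checkLoginUrl(link);
  console.log(ok ? "OK  " : "STOP", reason, "<-", link);
}
```

Only the first sample passes; the others fail on the scheme, the real host, or the userinfo trick even though "asqscholar.com" appears in the text of each link.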

Credential Stuffing

Attackers use leaked password databases from other sites and try them on ASQScholar. If you reused a password that was compromised elsewhere, your account is at risk.

Protection: Use a unique password for ASQScholar. Enable 2FA so even if your password is compromised, attackers still can't access your account.

Man-in-the-Middle (Public Wi-Fi)

On unsecured public Wi-Fi, attackers can intercept data between your device and the server, potentially capturing passwords or session cookies.

Protection: ASQScholar uses HTTPS encryption for all connections. Biometric authentication provides additional protection as credentials never transit the network.

Session Hijacking

Attackers steal your session cookie (usually via malware or network attacks) and use it to impersonate you without needing your password.

Protection: Log out from shared computers. Review active sessions in your security dashboard and terminate any you don't recognize. Sessions automatically expire after periods of inactivity.

Role-Based Security Requirements

Role               | Required Authentication | Recommended Additions                      | Session Timeout
Students           | Email + Password OR SSO | Biometric, 2FA                             | 24 hours
Faculty            | Email + Password + 2FA  | Biometric (platform-only)                  | 8 hours
Admins             | Email + Password + 2FA  | Biometric (platform-only, no cross-device) | 8 hours
External Reviewers | SSO (institutional)     | N/A (limited scope)                        | 4 hours

Platform-Only Authenticators:

Faculty and admins must use platform authenticators (built into the device) rather than cross-device authenticators (like USB keys or phones via Bluetooth). This prevents relay attacks where an attacker nearby could intercept authentication requests.
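
How a platform-only rule and the 3-device limit can be expressed with the WebAuthn API, as an added example that is not ASQScholar's own code. The roles and limits are taken from this page; the function names, user fields, algorithm list and sample users are assumptions.

```javascript
// Added example, not ASQScholar's code. Limits and role rules come from the page;
// function names, user fields and the algorithm list are assumptions.
const MAX_DEVICES = 3; // "up to 3 devices per account"
const PLATFORM_ONLY_ROLES = new Set(["faculty", "admin"]);

// Server side: options the browser passes to navigator.credentials.create().
function buildRegistrationOptions(user, challenge) {
  if (user.credentialIds.length >= MAX_DEVICES) {
    throw new Error("device limit reached: remove a device first");
  }
  const selection = { userVerification: "required" }; // biometric or device PIN
  if (PLATFORM_ONLY_ROLES.has(user.role)) {
    selection.authenticatorAttachment = "platform"; // built-in authenticators only
  }
  return {
    challenge, // fresh random bytes, generated per request and used once
    rp: { id: "asqscholar.com", name: "ASQScholar" },
    user: { id: user.handle, name: user.email, displayName: user.email },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: selection,
    // Stops the same authenticator from being registered twice.
    excludeCredentials: user.credentialIds.map((id) => ({ type: "public-key", id })),
  };
}

// Server side: policy check on what the browser reported after registration.
// `attachment` is PublicKeyCredential.authenticatorAttachment and `transports`
// is the result of response.getTransports(); both are client-reported hints.
function registrationAllowed(role, attachment, transports) {
  if (!PLATFORM_ONLY_ROLES.has(role)) return true;
  if (attachment !== "platform") return false;
  return transports.every((t) => t === "internal"); // no usb, nfc, ble or hybrid
}

// Constructed sample users; the all-zero challenge is a placeholder for the demo,
// a real server generates it with a CSPRNG.
const student = { role: "student", email: "s@example.edu", handle: new Uint8Array([1]), credentialIds: [] };
const admin = { role: "admin", email: "a@example.edu", handle: new Uint8Array([2]), credentialIds: [] };
const demoChallenge = new Uint8Array(32);
console.log(buildRegistrationOptions(student, demoChallenge).authenticatorSelection);
console.log(buildRegistrationOptions(admin, demoChallenge).authenticatorSelection);
console.log(registrationAllowed("admin", "cross-platform", ["usb"]));
```

Because the attachment and transport values are reported by the browser, a server that needs stronger assurance would also verify authenticator attestation.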

Need Help?

If you're locked out, suspect unauthorized access, or have questions about account security:

  • Email Support: support@asqscholar.com
  • Documentation: Help Center
  • Account Recovery: Reset Password

Secure Your Account Today

Take 5 minutes to review your security settings and enable recommended protections.
