Authentication & Security

8 min read Intermediate Updated: 1/10/2026

Secure your account with 2FA, OAuth login, and magic links

Security is crucial for protecting your business data and customer information. BarberSlot provides multiple authentication methods and security features to keep your account safe.

Login Methods

BarberSlot supports three ways to access your account:

1. Email & Password (Traditional)

The classic login method:

  • Email address as username
  • Strong password (minimum 8 characters)
  • Optional 2FA for extra security

Best for: Primary account access

2. Social Login (OAuth)

Quick login using your existing accounts:

  • Google: Sign in with Google
  • Facebook: Sign in with Facebook
  • Apple: Sign in with Apple

Benefits:

  • No password to remember
  • Faster login process
  • Automatically verified email
  • One less password to manage

Best for: Quick access, mobile devices

Email-based passwordless authentication:

  • Enter your email
  • Receive login link via email
  • Click link to access account
  • Link expires in 15 minutes

Best for: Forgotten password, temporary access

Two-Factor Authentication (2FA)

2FA adds an extra layer of security by requiring a second verification step after entering your password.

Why Enable 2FA?

  • 🔒 99.9% protection against unauthorized access
  • 🛡️ Required for tenant owners (enforced after 30 days)
  • 📊 Protects sensitive data: customer info, booking history, revenue
  • ⚠️ Prevents account takeover even if password is compromised

How 2FA Works

sequenceDiagram
  User->>BarberSlot: Enter email + password
  BarberSlot->>User: Password correct ✓
  BarberSlot->>User: Prompt for 6-digit code
  User->>Authenticator App: Open app
  Authenticator App->>User: Show 6-digit code
  User->>BarberSlot: Enter code
  BarberSlot->>User: Access granted ✓

Setting Up 2FA

Step 1: Access Security Settings

  1. Go to Settings → Security
  2. Find “Two-Factor Authentication” section
  3. Click “Enable 2FA”

Step 2: Install Authenticator App

Choose one of these apps (free):

  • Google Authenticator (iOS/Android)
  • Microsoft Authenticator (iOS/Android)
  • Authy (iOS/Android/Desktop)
  • 1Password (if you use it)

Step 3: Scan QR Code

  1. Open your authenticator app
  2. Tap “Add Account” or ”+”
  3. Scan the QR code displayed in BarberSlot
  4. Account is added automatically

Step 4: Verify Setup

  1. App generates a 6-digit code
  2. Enter the code in BarberSlot
  3. Click “Verify and Enable”
  4. 2FA is now active! ✓

Step 5: Save Backup Codes

⚠️ CRITICAL: BarberSlot provides 10 backup codes

  • Download and print them immediately
  • Store in a safe place (password manager, safe)
  • Each code works only once
  • Use if you lose access to authenticator app

Example backup codes:

1. ABCD-EFGH-IJKL
2. MNOP-QRST-UVWX
3. YZ12-3456-7890
... (7 more)

Using 2FA Daily

Standard login flow:

  1. Enter email + password
  2. System prompts for 6-digit code
  3. Open authenticator app
  4. Enter current code (refreshes every 30 seconds)
  5. Access granted

Tips:

  • ✅ Code changes every 30 seconds - use it quickly
  • ✅ Don’t share codes (defeats purpose of 2FA)
  • ✅ Keep backup codes secure
  • ❌ Don’t screenshot QR code (security risk)

Lost Access to Authenticator?

If you lose your phone or authenticator app:

Option 1: Use Backup Code

  1. Click “I don’t have my authenticator”
  2. Enter one of your 10 backup codes
  3. Access granted
  4. ⚠️ Immediately re-setup 2FA with new device

Option 2: Contact Support

  1. Email support@barberslot.com
  2. Provide: account email, shop name, last login date
  3. Support verifies your identity
  4. 2FA is reset (takes 24-48 hours for security)

Disabling 2FA

Only disable if absolutely necessary:

  1. Go to Settings → Security
  2. Click “Disable 2FA”
  3. Enter current 6-digit code (or backup code)
  4. Confirm disable

⚠️ Note: Tenant owners must keep 2FA enabled (compliance requirement)

Social Login (OAuth)

Connecting Social Accounts

Google Login:

  1. Go to Settings → Connected Accounts
  2. Click “Connect Google”
  3. Authorize BarberSlot to access basic profile
  4. Account connected ✓

Facebook Login:

  1. Go to Settings → Connected Accounts
  2. Click “Connect Facebook”
  3. Log in to Facebook
  4. Grant permissions
  5. Account connected ✓

Apple Login:

  1. Go to Settings → Connected Accounts
  2. Click “Connect Apple”
  3. Authenticate with Face ID/Touch ID
  4. Choose email to share (can hide real email)
  5. Account connected ✓

Benefits of Connecting Multiple Methods

Once connected, you can login using any method:

  • Email + Password + 2FA
  • Google one-click login
  • Facebook one-click login
  • Apple one-click login

Recommended: Connect at least 2 methods (backup if one fails)

Disconnecting Social Accounts

  1. Go to Settings → Connected Accounts
  2. Find connected account
  3. Click “Disconnect”
  4. Confirm

⚠️ Warning: Ensure you have another login method before disconnecting

Magic links provide temporary passwordless access.

  • Forgot password and need quick access
  • Traveling without access to 2FA device
  • Temporary login from public computer
  • Password reset
  1. Go to login page
  2. Click “Send Magic Link”
  3. Enter your email
  4. Check email inbox
  5. Click link in email
  6. Automatic login (link expires in 15 minutes)
  • ✅ Expires after 15 minutes
  • ✅ One-time use only
  • ✅ Tied to specific browser/device
  • ✅ Includes anti-phishing verification
  • ❌ Don’t forward magic links to others

Password Management

Password Requirements

Strong passwords must have:

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character (!@#$%^&*)

Good password example: Barber$hop2026! Bad password example: password123

Changing Your Password

  1. Go to Settings → Security
  2. Click “Change Password”
  3. Enter current password
  4. Enter new password (2x for confirmation)
  5. Click “Update Password”
  6. All active sessions are logged out (security measure)

Password Reset (Forgotten)

  1. Go to login page
  2. Click “Forgot Password?”
  3. Enter your email
  4. Check email for magic link
  5. Click link
  6. Set new password
  7. Login with new password

Security note: Reset links expire after 24 hours

Rate Limiting & Account Protection

BarberSlot automatically protects against brute-force attacks:

Failed Login Protection

After 5 failed login attempts:

  • Account is temporarily locked (15 minutes)
  • Email notification sent
  • Login attempts logged with IP address

What to do:

  • Wait 15 minutes
  • Verify you’re using correct password
  • Check for CAPS LOCK
  • Reset password if needed

IP-Based Blocking

Suspicious activity triggers IP blocks:

  • Multiple failed logins from same IP
  • Automated bot detection
  • Geographic anomalies (login from new country)

If blocked incorrectly:

  1. Email support@barberslot.com
  2. Provide: email, current location, ISP
  3. Block removed within 1-2 hours

Session Management

Active Sessions

View all active login sessions:

  1. Go to Settings → Security → Active Sessions
  2. See list of:
    • Device type (Desktop, Mobile, Tablet)
    • Browser
    • IP address
    • Location (approximate)
    • Last activity

Logging Out Remote Sessions

If you see unfamiliar session:

  1. Click “Revoke” next to that session
  2. Session is immediately terminated
  3. User is logged out
  4. Change your password immediately

Logout All Devices

Emergency logout:

  1. Go to Settings → Security
  2. Click “Logout All Devices”
  3. All sessions terminated (except current)
  4. Requires re-login everywhere

Security Best Practices

Do’s ✅

  1. Enable 2FA immediately (highest priority)
  2. Use unique password (not reused from other sites)
  3. Save backup codes in secure location
  4. Connect multiple login methods (redundancy)
  5. Review active sessions monthly
  6. Update password every 6 months
  7. Use password manager (1Password, Bitwarden, LastPass)
  8. Logout from shared computers

Don’ts ❌

  1. Don’t share passwords (even with staff)
  2. Don’t reuse passwords across multiple sites
  3. Don’t write passwords on sticky notes
  4. Don’t disable 2FA unless required
  5. Don’t ignore security emails (verify it’s not phishing)
  6. Don’t login on public WiFi without VPN
  7. Don’t save passwords in browser on shared computers

Compliance & Requirements

Tenant Owner Requirements

If you manage multiple shops (tenant owner):

  • 2FA is mandatory within 30 days of account creation
  • Cannot disable 2FA
  • GDPR compliance required
  • Audit logs maintained

GDPR & Data Access

All authentication events are logged:

  • Login attempts (successful/failed)
  • IP addresses
  • Device information
  • 2FA activations/deactivations

Your rights:

  • Request authentication logs
  • Delete authentication history
  • Export data (see GDPR Guide)

Troubleshooting

Problem: “2FA code not working”

  • Ensure device time is synchronized (automatic time)
  • Code changes every 30 seconds - use quickly
  • Check you’re entering from correct account in app

Problem: “Magic link expired”

  • Links expire after 15 minutes
  • Request new link
  • Check spam folder

Problem: “Account locked after failed attempts”

  • Wait 15 minutes
  • Clear browser cache
  • Try incognito/private mode
  • Reset password if forgotten

Problem: “Social login not working”

  • Verify account is connected (Settings → Connected Accounts)
  • Clear browser cookies
  • Try different browser
  • Reconnect social account

Video Tutorial

Watch our security setup guide (5 minutes):

[Video placeholder - Coming soon]

Next Steps

Now that your account is secure:

  1. Complete profile setup: Onboarding Guide
  2. Configure your calendar: Calendar Guide
  3. Understand GDPR compliance: GDPR Guide

Questions about security? Email security@barberslot.com

Was this guide helpful?

Help us improve our documentation with your feedback.