Security is crucial for protecting your business data and customer information. BarberSlot provides multiple authentication methods and security features to keep your account safe.
Login Methods
BarberSlot supports three ways to access your account:
1. Email & Password (Traditional)
The classic login method:
- Email address as username
- Strong password (minimum 8 characters)
- Optional 2FA for extra security
Best for: Primary account access
2. Social Login (OAuth)
Quick login using your existing accounts:
- Google: Sign in with Google
- Facebook: Sign in with Facebook
- Apple: Sign in with Apple
Benefits:
- No password to remember
- Faster login process
- Automatically verified email
- One less password to manage
Best for: Quick access, mobile devices
3. Magic Link (Passwordless)
Email-based passwordless authentication:
- Enter your email
- Receive login link via email
- Click link to access account
- Link expires in 15 minutes
Best for: Forgotten password, temporary access
Two-Factor Authentication (2FA)
2FA adds an extra layer of security by requiring a second verification step after entering your password.
Why Enable 2FA?
- 🔒 99.9% protection against unauthorized access
- 🛡️ Required for tenant owners (enforced after 30 days)
- 📊 Protects sensitive data: customer info, booking history, revenue
- ⚠️ Prevents account takeover even if password is compromised
How 2FA Works
sequenceDiagram
User->>BarberSlot: Enter email + password
BarberSlot->>User: Password correct ✓
BarberSlot->>User: Prompt for 6-digit code
User->>Authenticator App: Open app
Authenticator App->>User: Show 6-digit code
User->>BarberSlot: Enter code
BarberSlot->>User: Access granted ✓
Setting Up 2FA
Step 1: Access Security Settings
- Go to Settings → Security
- Find “Two-Factor Authentication” section
- Click “Enable 2FA”
Step 2: Install Authenticator App
Choose one of these apps (free):
- Google Authenticator (iOS/Android)
- Microsoft Authenticator (iOS/Android)
- Authy (iOS/Android/Desktop)
- 1Password (if you use it)
Step 3: Scan QR Code
- Open your authenticator app
- Tap “Add Account” or ”+”
- Scan the QR code displayed in BarberSlot
- Account is added automatically
Step 4: Verify Setup
- App generates a 6-digit code
- Enter the code in BarberSlot
- Click “Verify and Enable”
- 2FA is now active! ✓
Step 5: Save Backup Codes
⚠️ CRITICAL: BarberSlot provides 10 backup codes
- Download and print them immediately
- Store in a safe place (password manager, safe)
- Each code works only once
- Use if you lose access to authenticator app
Example backup codes:
1. ABCD-EFGH-IJKL
2. MNOP-QRST-UVWX
3. YZ12-3456-7890
... (7 more)
Using 2FA Daily
Standard login flow:
- Enter email + password
- System prompts for 6-digit code
- Open authenticator app
- Enter current code (refreshes every 30 seconds)
- Access granted
Tips:
- ✅ Code changes every 30 seconds - use it quickly
- ✅ Don’t share codes (defeats purpose of 2FA)
- ✅ Keep backup codes secure
- ❌ Don’t screenshot QR code (security risk)
Lost Access to Authenticator?
If you lose your phone or authenticator app:
Option 1: Use Backup Code
- Click “I don’t have my authenticator”
- Enter one of your 10 backup codes
- Access granted
- ⚠️ Immediately re-setup 2FA with new device
Option 2: Contact Support
- Email support@barberslot.com
- Provide: account email, shop name, last login date
- Support verifies your identity
- 2FA is reset (takes 24-48 hours for security)
Disabling 2FA
Only disable if absolutely necessary:
- Go to Settings → Security
- Click “Disable 2FA”
- Enter current 6-digit code (or backup code)
- Confirm disable
⚠️ Note: Tenant owners must keep 2FA enabled (compliance requirement)
Social Login (OAuth)
Connecting Social Accounts
Google Login:
- Go to Settings → Connected Accounts
- Click “Connect Google”
- Authorize BarberSlot to access basic profile
- Account connected ✓
Facebook Login:
- Go to Settings → Connected Accounts
- Click “Connect Facebook”
- Log in to Facebook
- Grant permissions
- Account connected ✓
Apple Login:
- Go to Settings → Connected Accounts
- Click “Connect Apple”
- Authenticate with Face ID/Touch ID
- Choose email to share (can hide real email)
- Account connected ✓
Benefits of Connecting Multiple Methods
Once connected, you can login using any method:
- Email + Password + 2FA
- Google one-click login
- Facebook one-click login
- Apple one-click login
Recommended: Connect at least 2 methods (backup if one fails)
Disconnecting Social Accounts
- Go to Settings → Connected Accounts
- Find connected account
- Click “Disconnect”
- Confirm
⚠️ Warning: Ensure you have another login method before disconnecting
Magic Links
Magic links provide temporary passwordless access.
When to Use Magic Links
- Forgot password and need quick access
- Traveling without access to 2FA device
- Temporary login from public computer
- Password reset
Requesting a Magic Link
- Go to login page
- Click “Send Magic Link”
- Enter your email
- Check email inbox
- Click link in email
- Automatic login (link expires in 15 minutes)
Magic Link Security
- ✅ Expires after 15 minutes
- ✅ One-time use only
- ✅ Tied to specific browser/device
- ✅ Includes anti-phishing verification
- ❌ Don’t forward magic links to others
Password Management
Password Requirements
Strong passwords must have:
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character (!@#$%^&*)
Good password example: Barber$hop2026!
Bad password example: password123
Changing Your Password
- Go to Settings → Security
- Click “Change Password”
- Enter current password
- Enter new password (2x for confirmation)
- Click “Update Password”
- All active sessions are logged out (security measure)
Password Reset (Forgotten)
- Go to login page
- Click “Forgot Password?”
- Enter your email
- Check email for magic link
- Click link
- Set new password
- Login with new password
Security note: Reset links expire after 24 hours
Rate Limiting & Account Protection
BarberSlot automatically protects against brute-force attacks:
Failed Login Protection
After 5 failed login attempts:
- Account is temporarily locked (15 minutes)
- Email notification sent
- Login attempts logged with IP address
What to do:
- Wait 15 minutes
- Verify you’re using correct password
- Check for CAPS LOCK
- Reset password if needed
IP-Based Blocking
Suspicious activity triggers IP blocks:
- Multiple failed logins from same IP
- Automated bot detection
- Geographic anomalies (login from new country)
If blocked incorrectly:
- Email support@barberslot.com
- Provide: email, current location, ISP
- Block removed within 1-2 hours
Session Management
Active Sessions
View all active login sessions:
- Go to Settings → Security → Active Sessions
- See list of:
- Device type (Desktop, Mobile, Tablet)
- Browser
- IP address
- Location (approximate)
- Last activity
Logging Out Remote Sessions
If you see unfamiliar session:
- Click “Revoke” next to that session
- Session is immediately terminated
- User is logged out
- Change your password immediately
Logout All Devices
Emergency logout:
- Go to Settings → Security
- Click “Logout All Devices”
- All sessions terminated (except current)
- Requires re-login everywhere
Security Best Practices
Do’s ✅
- Enable 2FA immediately (highest priority)
- Use unique password (not reused from other sites)
- Save backup codes in secure location
- Connect multiple login methods (redundancy)
- Review active sessions monthly
- Update password every 6 months
- Use password manager (1Password, Bitwarden, LastPass)
- Logout from shared computers
Don’ts ❌
- Don’t share passwords (even with staff)
- Don’t reuse passwords across multiple sites
- Don’t write passwords on sticky notes
- Don’t disable 2FA unless required
- Don’t ignore security emails (verify it’s not phishing)
- Don’t login on public WiFi without VPN
- Don’t save passwords in browser on shared computers
Compliance & Requirements
Tenant Owner Requirements
If you manage multiple shops (tenant owner):
- 2FA is mandatory within 30 days of account creation
- Cannot disable 2FA
- GDPR compliance required
- Audit logs maintained
GDPR & Data Access
All authentication events are logged:
- Login attempts (successful/failed)
- IP addresses
- Device information
- 2FA activations/deactivations
Your rights:
- Request authentication logs
- Delete authentication history
- Export data (see GDPR Guide)
Troubleshooting
Problem: “2FA code not working”
- Ensure device time is synchronized (automatic time)
- Code changes every 30 seconds - use quickly
- Check you’re entering from correct account in app
Problem: “Magic link expired”
- Links expire after 15 minutes
- Request new link
- Check spam folder
Problem: “Account locked after failed attempts”
- Wait 15 minutes
- Clear browser cache
- Try incognito/private mode
- Reset password if forgotten
Problem: “Social login not working”
- Verify account is connected (Settings → Connected Accounts)
- Clear browser cookies
- Try different browser
- Reconnect social account
Video Tutorial
Watch our security setup guide (5 minutes):
[Video placeholder - Coming soon]
Next Steps
Now that your account is secure:
- Complete profile setup: Onboarding Guide
- Configure your calendar: Calendar Guide
- Understand GDPR compliance: GDPR Guide
Questions about security? Email security@barberslot.com