User login
An authenticated user logs into the CRM application using username/email and password, optionally completing MFA verification.
When this happens: You go to the application URL.
Step by step
- 1
Enter username or email and password. Optionally check Remember Me.
EasyCRM detects the user is not authenticated; displays the Login page with Username/Email, Password, and Remember Me fields.
- 2
Click Sign In.
EasyCRM checks that both fields are non-empty.
EasyCRM looks up the user by username or email.
EasyCRM verifies the password against the stored bcrypt hash.
EasyCRM checks if the account is locked (brute-force protection).
EasyCRM checks if the account is active.
EasyCRM determines if MFA is enabled for the user. MFA is not enabled — continues to step 8. (If MFA is enabled — see .)
EasyCRM checks if the user's password has expired (max age policy). Password is valid — continues to step 9. (If expired — see .)
EasyCRM issues a JWT access token and a refresh token, and sets both tokens in HTTP-only secure cookies.
EasyCRM resets the failed login attempt counter to 0.
EasyCRM takes you to the role-based default dashboard.
Other paths
MFA verification required
If MFA is enabled for you, the system issues a short-lived MFA challenge token and displays the MFA Verification screen with a 6-digit TOTP code field. Open your authenticator app and enter the current 6-digit code. EasyCRM checks the TOTP code with ±1 time-step tolerance (30-second window). Code is valid — continues from main flow step 8.
Password expired
If your password has exceeded the maximum age: if it is still within the 7-day grace period, EasyCRM displays a non-blocking warning banner (Your password has expired. Please change it soon) and continues from step 9. If the grace period has also expired, EasyCRM redirects you to the Change Password screen; you cannot access any other page until the password is changed. Enter current password, new password, and confirm new password. EasyCRM checks the new password against password policy and history. On success — continues from main flow step 9.
Remember me selected
If Remember Me was checked, EasyCRM sets the refresh token expiry to 30 days instead of the default 14 days.
First login (temporary password)
If EasyCRM detects that the MustChangePassword flag is set, it takes you to the Change Password screen. Enter the temporary password as the current password and set a new password. EasyCRM checks the new password against policy. On success, clears the MustChangePassword flag. Continues from step 9.
MFA enrollment forced
If MFA is enforced for your role but you have not enrolled, EasyCRM takes you to the MFA Enrollment screen. Complete MFA enrollment per UC-1.2. After successful enrollment, continues from main flow step 8.
If something goes wrong
Invalid credentials
If credentials are invalid, EasyCRM increments the failed attempt counter for the account and shows: Invalid username/email or password (generic message — does not reveal which field is wrong).
Account locked
If the account is locked (failed attempts ≥ threshold), EasyCRM shows: Account is temporarily locked. Please try again after [N] minutes or contact your administrator
Account deactivated
If the account is deactivated (), EasyCRM shows: Your account has been deactivated. Please contact your administrator
Invalid MFA code
At , if the TOTP code is invalid, EasyCRM shows: Invalid verification code, and increments the failed attempt counter. If failed attempts reach the lockout threshold, the account is locked ().
All recovery codes exhausted
At AF-1a.4, if all 10 recovery codes have been used, EasyCRM shows: All recovery codes have been used. Please contact your administrator to reset MFA
Single-session policy conflict
If the single-session policy is active and you have an existing session, the system invalidates all previous refresh tokens. Previous session(s) receive 401 on the next API call, forcing re-login.
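The Sign In checks of main flow step 2 and the error paths above, as an added Python example that is not part of the EasyCRM specification: a failed-attempt counter with the 5-attempt / 15-minute lockout, the generic invalid-credentials message, the deactivated and MFA branches, and the counter reset on success. It assumes an in-memory account list and uses stdlib PBKDF2 as a stand-in for bcrypt; it checks the lock state before verifying the password so that the lockout message gives the same answer for right and wrong passwords.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5   # consecutive failed attempts before lockout (configurable)
LOCKOUT_MINUTES = 15    # lockout duration in minutes (configurable)
GENERIC_ERROR = "Invalid username/email or password"


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    is_active: bool = True
    mfa_enabled: bool = False
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption: stdlib PBKDF2 so the example runs offline);
    # the iteration count is kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(username: str, email: str, password: str, **flags) -> Account:
    salt = os.urandom(16)
    return Account(username, email, salt, hash_password(password, salt), **flags)


def login(accounts: list, identifier: str, password: str, now: float) -> tuple:
    """Return (outcome, message) for one Sign In attempt at time `now` (epoch seconds)."""
    acct = next((a for a in accounts if identifier in (a.username, a.email)), None)
    if acct is None:
        hash_password(password, b"\x00" * 16)   # same cost as a real check: no user enumeration by timing
        return "invalid", GENERIC_ERROR
    # Lock check before the password check: a locked account answers identically
    # for right and wrong passwords, so the lock state reveals nothing about the password.
    if acct.locked_until > now:
        minutes = math.ceil((acct.locked_until - now) / 60)
        return "locked", f"Account is temporarily locked. Please try again after {minutes} minutes or contact your administrator"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_MINUTES * 60
            acct.failed_attempts = 0   # next window starts fresh once the lock expires
        return "invalid", GENERIC_ERROR
    if not acct.is_active:   # only a caller with the right password learns the account is deactivated
        return "deactivated", "Your account has been deactivated. Please contact your administrator"
    if acct.mfa_enabled:     # MFA challenge would be issued here; counter is reset only on full success
        return "mfa_required", "Enter the 6-digit code from your authenticator app"
    acct.failed_attempts = 0  # successful login resets the counter
    return "ok", "Redirecting to your dashboard"
```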
Good to know
- A maximum of 5 (configurable) consecutive failed attempts triggers a 15-minute (configurable) lockout.
- Login is permitted using either username or email address.
- MFA is mandatory for Admin role; configurable for other roles.
- JWT access token uses RS256 signing; refresh tokens are rotated on each use.