Security

Keeping your account safe and secure

Best practices and platform features that protect your M-Board account.

Password Security

  • Use a strong, unique password — minimum 8 characters with uppercase, lowercase, numbers, and a special character.
  • Never share your password with anyone, including IT staff — we will never ask for it.
  • Change your password immediately if you suspect it has been compromised.
  • Use a password manager to generate and store complex passwords securely.

Two-Factor Authentication (2FA)

2FA adds a second layer of security. When enabled, you must enter a one-time code sent to your email after entering your password. Enable it under Profile → Security Settings.

2FA is strongly recommended for all members and mandatory for administrators and department managers.

QR Login Security

QR Login is safe by design — your password never leaves your trusted device. For the full flow guide, see QR Login. Key security rules:
  • Only approve QR sessions you have personally initiated on a device you control.
  • Set the shortest duration adequate for the task — do not grant 30-day sessions on shared or unattended devices.
  • A QR session cannot approve another QR login — this chain-session rule is enforced by the platform and cannot be bypassed.
  • Check Active Devices on the QR Login Manager regularly — revoke any session you don't recognise immediately.
  • If you spot unexpected entries in the Past Sessions audit log, treat it as a compromise — revoke all sessions and change your password.

Suspected Compromise

  1. Revoke all sessions: Go to Profile → Security → Trusted Devices and click "Revoke All Devices" to sign out every session instantly.
  2. Change your password: Go to Profile → Security → Change Password immediately. Use a strong, unique password you have not used before.
  3. Contact IT: Notify the IT department at admin@madhunandan.org.in with subject [URGENT — SECURITY].

Device Trust System

M-Board maintains a trusted devices registry. Every time you sign in from a device that is not enrolled, the platform sends a one-time verification code to your email and shows the Verify New Device page. This intercept protects your account even if your credentials are stolen — an attacker cannot proceed without access to your inbox.

  1. New-device OTP: A 6-digit code is automatically emailed to you. Enter it within 10 minutes. You have up to 5 attempts before the code is invalidated — use the Resend button to request a fresh one.
  2. Remember this device? After the OTP is accepted, you are asked whether to enrol the device. Select Yes, Remember and provide a device label (e.g. Work Laptop) to skip the OTP check on future sign-ins from this browser. Select No, Skip to proceed without enrolling — the check will repeat next time.
  3. Device enrolment with 2FA: If your account has 2FA enabled, the device-trust prompt appears as an overlay after the OTP step is completed — the flow is the same.

Enrolled devices are listed under Profile → Security → Trusted Devices. You can revoke any device individually or all at once. A revoked device is signed out within one device-guard check cycle (approximately 5 seconds).
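
The new-device OTP rules described above (6-digit code, 10-minute lifetime, 5 attempts, Resend issues a fresh code), written out as an added Python example of the server-side check. This is not M-Board's own code: the class name, the result strings and the salted-hash storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 10 * 60  # page: enter the code within 10 minutes
MAX_ATTEMPTS = 5           # page: up to 5 attempts, then the code is invalidated


class NewDeviceChallenge:
    """Pending new-device OTP for one sign-in (hypothetical, in-memory only)."""

    def __init__(self):
        self._live = False

    def issue(self, now=None):
        """Create a fresh code; also used for Resend, which replaces the old one."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # uniform 6 digits from a CSPRNG
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(code)           # keep only a salted hash server-side
        self._expires = now + OTP_TTL_SECONDS
        self._attempts = 0
        self._live = True
        return code                               # goes to the mailer, nowhere else

    def _hash(self, code):
        return hashlib.sha256(self._salt + code.encode()).digest()

    def verify(self, submitted, now=None):
        """Return 'ok', 'wrong', 'expired' or 'invalidated'."""
        now = time.time() if now is None else now
        if not self._live:
            return "invalidated"
        if now > self._expires:
            self._live = False
            return "expired"
        self._attempts += 1
        # Constant-time comparison, so response timing does not leak digits.
        if hmac.compare_digest(self._hash(submitted), self._digest):
            self._live = False                    # single use
            return "ok"
        if self._attempts >= MAX_ATTEMPTS:
            self._live = False                    # fifth wrong guess burns the code
            return "invalidated"
        return "wrong"
```

Once the fifth wrong guess has burned a code, even the correct value is rejected until a new code is issued, which is what keeps the 6-digit space from being guessed within the 10-minute window.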

Device Session Management

Go to Profile → Security → Trusted Devices to see every enrolled device on your account. Each row shows the device name, last-seen timestamp, and enrolment status. Actions you can take:

  • Revoke a single device — signs it out on its next page load (within 5 seconds due to the device guard).
  • Revoke All Devices — signs out every enrolled session at once. Use this if you suspect your account has been accessed without your knowledge.
The platform runs a background device-guard check every 5 seconds on active sessions. A revoked device is automatically signed out within one check cycle — you do not need to wait for the user to take any action.