
Security

KanzleiSynchron protects client data with modern sign-in: a password plus an optional second factor, passkeys for passwordless sign-in, and self-service recovery for forgotten passwords. This page covers what every user and firm admin can set up — and what is honestly still in progress.

You sign in with email and password. If a user has enrolled a second factor, KanzleiSynchron asks for it at sign-in (an authenticator code or a recovery code). Without a successful second factor, no session is granted — sign-in fails closed if anything goes wrong.

Passwords are never stored in plain text. They are hashed with Argon2id, the current industry standard against password guessing.

Any user can enroll a second factor under Settings → Security:

  • Authenticator app (TOTP) — scan a QR code with an app such as Google Authenticator, 1Password, or Aegis, then confirm the 6-digit code. From then on, that code is required at every sign-in.
  • 10 one-time recovery codes — generated during 2FA setup and shown once. Print them or store them safely. If you lose your authenticator device, sign in with one of these codes (“Use a recovery code”). Each code works exactly once; regenerating replaces the entire old set.

You can enable, disable, or regenerate recovery codes yourself at any time.
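The TOTP check and the single-use recovery codes described above, as an added, self-contained example (not KanzleiSynchron's or Ory Kratos's code): RFC 6238 TOTP is implemented from the standard library, recovery codes are stored only as hashes and each one is consumed on first use, regeneration replaces the whole set, and the combined check fails closed on any error. The `SecondFactor` class, the code format and the secret lengths are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6    # the 6-digit code the authenticator app shows


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_code(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, code, at=None, window: int = 1) -> bool:
    """Accept the current step plus `window` neighbours (clock drift); compare in constant time."""
    if at is None:
        at = int(time.time())
    if not (isinstance(code, str) and len(code) == TOTP_DIGITS and code.isdigit()):
        return False
    counter = int(at) // TOTP_STEP
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        # no early return, so timing does not reveal which step matched
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            ok = True
    return ok


class SecondFactor:
    """Assumed server-side record per user: TOTP secret plus hashes of the unused recovery codes."""

    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)   # 160-bit seed shown to the user as a QR code
        self._recovery_hashes: set[str] = set()

    @staticmethod
    def _hash(code: str) -> str:
        # normalise what a human types (case, hyphen, whitespace) before hashing
        norm = code.strip().lower().replace("-", "")
        return hashlib.sha256(norm.encode()).hexdigest()

    def regenerate_recovery_codes(self, count: int = 10) -> list[str]:
        """Return `count` fresh codes exactly once; the old set is replaced, not extended."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)                 # 40 bits, shown as xxxxx-xxxxx
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self._recovery_hashes = {self._hash(c) for c in codes}
        return codes

    def remaining_recovery_codes(self) -> int:
        return len(self._recovery_hashes)

    def redeem_recovery_code(self, code: str) -> bool:
        """Each code works exactly once: a match removes its hash from the set."""
        candidate = self._hash(code)
        for stored in list(self._recovery_hashes):
            if hmac.compare_digest(stored, candidate):
                self._recovery_hashes.discard(stored)
                return True
        return False

    def check_second_factor(self, submitted, at=None) -> bool:
        """Fail closed: any exception or mismatch means no session is granted."""
        try:
            if verify_totp(self.totp_secret, submitted, at):
                return True
            return self.redeem_recovery_code(submitted)
        except Exception:
            return False


if __name__ == "__main__":
    sf = SecondFactor()
    codes = sf.regenerate_recovery_codes()
    print("recovery codes (shown once):", codes)
    print("TOTP now:", totp_code(sf.totp_secret, int(time.time())))
    print("first use of a recovery code:", sf.check_second_factor(codes[0]))
    print("second use of the same code:", sf.check_second_factor(codes[0]))
```

The TOTP functions reproduce the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), so they can be checked against any authenticator app. Storing only hashes of the recovery codes means a database leak does not hand out working codes, and the normalisation step keeps a code that was printed in upper case from being rejected.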

Passkeys (Face ID, Touch ID, security keys)


Passkeys enable passwordless sign-in — with Face ID, Touch ID, or a hardware security key instead of a password.

  • Set up under Settings → Security: tap “Add passkey” and confirm the device prompt. You can register multiple passkeys (e.g. laptop and phone); enrolled passkeys can be removed again.
  • Sign in on the sign-in page via “Sign in with a passkey” — no password needed.

Passkeys are phishing-resistant: the secret never leaves your device and cannot be captured by a fake page.
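To show where the phishing resistance comes from, the following is an added example (not KanzleiSynchron's code) of the relying-party checks on a WebAuthn assertion: the browser, not the page, writes the page's origin into `clientDataJSON` and derives the RP ID that the authenticator hashes into `authenticatorData`, so an assertion produced on a look-alike domain is rejected even though the user tapped Face ID. `EXPECTED_ORIGIN`, `RP_ID`, the `ToyAuthenticator` and the `browser_get_assertion` helper are assumptions; a real passkey signs with a per-credential private key, and the HMAC used here stands in for that signature only so the example needs no crypto library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

EXPECTED_ORIGIN = "https://app.example"   # assumed deployment origin
RP_ID = "app.example"                      # assumed relying-party ID
FLAG_UP = 0x01                             # authenticatorData flag: user present
FLAG_UV = 0x04                             # authenticatorData flag: user verified (biometric/PIN)


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ToyAuthenticator:
    """Stand-in for a platform authenticator; its key never leaves this object.
    HMAC replaces the real ECDSA/EdDSA signature for this example only."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.sign_count = 0

    def verifier_key(self) -> bytes:
        # stand-in for the public key the RP stores at registration
        return self._key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()      # rpIdHash (32 bytes)
                     + bytes([FLAG_UP | FLAG_UV])                # flags (1 byte)
                     + struct.pack(">I", self.sign_count))       # signCount (4 bytes)
        sig = hmac.new(self._key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(auth: ToyAuthenticator, page_origin: str, challenge: bytes) -> dict:
    """What the browser does for navigator.credentials.get(): it fills in the origin itself."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":")).encode()
    auth_data, sig = auth.get_assertion(host, hashlib.sha256(client_data).digest())
    return {"clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data),
            "signature": b64url(sig)}


class StoredCredential:
    """Assumed RP-side record: verifier key plus the last seen signature counter."""

    def __init__(self, verifier_key: bytes):
        self.verifier_key = verifier_key
        self.sign_count = 0


def verify_assertion(cred: StoredCredential, response: dict, expected_challenge: bytes):
    """Return (ok, reason). Every check is on data the browser/authenticator bound to the origin."""
    try:
        client_data_raw = unb64url(response["clientDataJSON"])
        auth_data = unb64url(response["authenticatorData"])
        signature = unb64url(response["signature"])
        cd = json.loads(client_data_raw)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if not hmac.compare_digest(unb64url(cd.get("challenge", "")), expected_challenge):
            return False, "challenge mismatch"
        if cd.get("origin") != EXPECTED_ORIGIN:
            return False, f"origin mismatch: {cd.get('origin')}"
        if len(auth_data) < 37:
            return False, "authenticatorData too short"
        rp_id_hash, flags = auth_data[:32], auth_data[32]
        count = struct.unpack(">I", auth_data[33:37])[0]
        if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
            return False, "rpIdHash mismatch"
        if not flags & FLAG_UP:
            return False, "user not present"
        if count != 0 and count <= cred.sign_count:
            return False, "signature counter did not increase"
        signed = auth_data + hashlib.sha256(client_data_raw).digest()
        expected_sig = hmac.new(cred.verifier_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, signature):
            return False, "bad signature"
        cred.sign_count = count
        return True, "ok"
    except Exception as exc:          # malformed input fails closed
        return False, f"malformed assertion: {exc}"
```

The challenge check stops replay, the origin and `rpIdHash` checks stop a look-alike site from relaying a freshly obtained assertion, and the counter check flags a cloned authenticator; none of these depends on the user noticing anything about the page.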

If access is lost, there is a layered recovery ladder — from self-service up to admin help:

  1. Forgot password — on /recover, enter your email; KanzleiSynchron sends a code you use to set a new password.
  2. Recovery code — lost your authenticator device? At the 2FA prompt, choose “Use a recovery code” and enter one of your 10 codes.
  3. Email verification — new accounts confirm their address via /verify-email. Delivery runs over real SMTP (email delivery).
  4. Admin-assisted 2FA reset — if the codes are exhausted too, a firm admin can reset a locked-out user’s second factor under Settings → Team. The user then signs in with their password and enrolls a fresh factor.
| Building block | What it means |
| --- | --- |
| Identity store: Ory Kratos | Credentials (password hashes, TOTP secrets, recovery codes, passkeys) live in a dedicated, open-source identity system — separate from the accounting data. |
| Password hashing: Argon2id | Passwords are hashed with the current, memory-hard standard — never stored in plain text. |
| Session cookie: HttpOnly, same-origin | The sign-in session lives in an HttpOnly cookie that JavaScript cannot read, and is only sent to your own domain. |
| Immutable audit trail (GoBD) | Significant actions are recorded in a hash-chain that makes after-the-fact changes detectable — the basis for GoBD-aligned traceability (see GoBD & period close). |

Marked honestly so you know what you can rely on today:

  • Firm-wide 2FA requirement — an admin policy that mandates 2FA for everyone (or specific roles), with a grace period. Planned.
  • Step-up for sensitive actions — additionally binding period close and administration to a second security level. Planned.
  • Audit events for self-service 2FA — enabling/disabling your own 2FA does not yet write an audit event today (admin resets do). Planned.
  • Passkey-as-second-factor — passkeys today serve passwordless sign-in; a dedicated surface to treat a second passkey explicitly as a backup factor does not exist yet. Planned.

More on traceability: Audit trail and GoBD & period close. For roles and access management: Manage team.