PensionsPortal.ie currently authenticates users with email and password via Auth.js. This page documents the current MFA status, the privileged access controls that compensate for the absence of platform-native MFA, and the roadmap for stronger authentication.

Current MFA Status

Platform-native MFA (TOTP, WebAuthn, SMS) is not yet implemented in the application layer. Trustees and broker administrators must apply compensating controls at the identity provider and device level until platform MFA is available.
MFA is enforced at the infrastructure layer through Cloudflare Zero Trust for administrative access to Vercel, Neon, and Sentry dashboards. Application-layer MFA for end users is on the product roadmap.

Compensating Controls

Until application-layer MFA ships, the following controls reduce the risk of credential compromise:

Cloudflare Zero Trust

Administrative access to Vercel, Neon, and Sentry is gated behind Cloudflare Access with identity-provider MFA enforced at login.

bcrypt Password Hashing

All passwords are stored as bcrypt hashes. Even if the database were exfiltrated, passwords cannot be recovered without per-password brute-force guessing, which bcrypt's deliberately slow work factor makes expensive.

JWT Session Expiry

JWTs expire after a configurable period. Sessions are not indefinitely persistent.

AI Change Proposal Guardrail

All AI-suggested data mutations require explicit broker approval and attestation before execution — a second human check on every sensitive change.

Privileged Access Roles

PensionsPortal.ie defines four roles, with admin and broker constituting privileged access:
Role                  Access Level     Notes
SuperAdmin / admin    Full platform    No broker/employer scope restriction. Can access all tenants.
BrokerAdmin / broker  Broker-scoped    Full access within their brokerId. Cannot cross tenant boundaries.
BrokerUser / broker   Broker-scoped    Same as BrokerAdmin at the data layer; UI may restrict certain actions.
Trustee / employer    Employer-scoped  Read/limited write within their employerId.
SuperAdmin accounts must be strictly limited. There should be no more than two SuperAdmin accounts per deployment, owned by named individuals with documented justification.
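
The role table above, expressed as a deny-by-default data-layer check. This is an added example, not PensionsPortal.ie's own code: the session field names, the record shape and the trustee writable-field list are assumptions; only the role names, brokerId and employerId come from the table.

```typescript
// Added example (not PensionsPortal.ie code). Session/record field names and
// TRUSTEE_WRITABLE_FIELDS are assumptions for illustration.
type Role = "admin" | "broker" | "employer";

interface Session {
  role: Role;
  brokerId?: string;   // assumed: present for broker-role users
  employerId?: string; // assumed: present for employer-role (trustee) users
}

interface TenantRecord {
  brokerId: string;
  employerId: string;
}

// Placeholder allowlist for a trustee's "limited write"; the real list is a
// product decision this page does not specify.
const TRUSTEE_WRITABLE_FIELDS = new Set(["contactEmail", "contactPhone"]);

// Query-level scope: every tenant-data query is narrowed by this filter before
// any per-record check, so rows from other tenants are never even loaded.
// A scoped role with no scope id is refused rather than silently widened.
function tenantFilter(s: Session): Partial<TenantRecord> {
  switch (s.role) {
    case "admin":
      return {}; // full platform, no restriction
    case "broker":
      if (!s.brokerId) throw new Error("broker session without brokerId");
      return { brokerId: s.brokerId };
    case "employer":
      if (!s.employerId) throw new Error("employer session without employerId");
      return { employerId: s.employerId };
    default:
      throw new Error("unknown role");
  }
}

// Per-record decision; `field` is only consulted for trustee writes.
function canAccess(
  s: Session, rec: TenantRecord, action: "read" | "write", field?: string,
): boolean {
  const inScope = Object.entries(tenantFilter(s))
    .every(([k, v]) => rec[k as keyof TenantRecord] === v);
  if (!inScope) return false; // never cross a tenant boundary
  switch (s.role) {
    case "admin":
      return true;
    case "broker":
      return true; // BrokerAdmin and BrokerUser are identical at the data layer
    case "employer":
      if (action === "read") return true;
      return field !== undefined && TRUSTEE_WRITABLE_FIELDS.has(field);
    default:
      return false;
  }
}
```

Because `tenantFilter` is applied to the query itself, a bug in a UI-level restriction (the BrokerUser case) cannot turn into cross-tenant data exposure.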

Privileged Access Procedures

  • SuperAdmin provisioning is performed via the tenant-provisioning-cli tool by a named operator, not via the application UI.
  • Password resets for privileged accounts go through the /api/auth/forgot-password flow, which sends a time-limited reset link to the registered email address.
  • Account offboarding requires immediate deletion or deactivation of the user record in the database. There is no built-in “suspend” state — the user row must be removed or the role downgraded.

MFA Roadmap

The following application-layer MFA options are planned:
  1. TOTP (Time-based One-Time Password) — authenticator app support (Google Authenticator, Authy) for broker and admin roles
  2. WebAuthn / Passkeys — phishing-resistant hardware key or device biometric authentication
  3. Email OTP — one-time codes via Resend for lower-privilege roles
Trustees should raise MFA requirements with their PensionsPortal.ie account manager. The roadmap is subject to change based on regulatory guidance from the Pensions Authority.

Administrative Access to Infrastructure

System                Access Control
Vercel dashboard      Cloudflare Access + IdP MFA
Neon PostgreSQL       Cloudflare Access + IdP MFA
Sentry dashboard      Cloudflare Access + IdP MFA
GitHub repository     GitHub organisation SSO + MFA enforced
Cloudflare dashboard  Cloudflare account MFA