Internal Login

Internal login refers to TestOrchestrator's legacy email-and-password authentication method and its lockout, password-reset, and remember-login settings.

Password login has been replaced by passwordless sign-in Users no longer sign in with a password. Everyone authenticates with an email magic link / one-time code, or with Google or GitHub — see Log In. The settings on this page still appear on the Internal tab in Admin → Authentication and can still be saved, but they govern the retired password flow and therefore have no effect on how users sign in today. They are documented here for reference.

Settings reference

All settings are found on the Internal tab under Admin → Authentication. Changes are saved per-section.

Setting Default Range What it does
Internal login enabled On Master toggle for email/password login. When off, the email and password fields are hidden on the login page.
Allow password reset On Shows the "Forgot password?" link on the login page. When off, users cannot self-serve a password reset.
Allow remember login On Shows a "Remember me" checkbox on the login page. When checked by the user, their session persists for 30 days without re-authentication.
Max failed attempts 5 3–20 Number of consecutive incorrect password attempts before the account is temporarily locked.
Lockout duration 15 minutes 1–1440 min How long an account stays locked after reaching the failed attempt limit. The lock clears automatically; no admin action is needed.

Account lockout

When a user exceeds the max failed attempts threshold, their account is locked for the configured lockout duration. The lockout resets automatically — the user simply needs to wait, then try again with the correct password.

Lockout is per-account and does not affect other users. Admins cannot manually clear a lockout; the account unlocks when the timer expires.

Password reset

This setting controlled a "Forgot password?" link in the legacy password flow. With passwordless sign-in there are no passwords to reset — if a user can't get in, they request a fresh sign-in link or code from the login page. The setting has no effect today.

Remember login

When enabled, users see a "Remember me" checkbox on the login page. Checking it creates a 30-day persistent session — the user stays logged in across browser restarts without re-entering credentials.

Security trade-off on shared devices A 30-day session on a shared or public computer gives extended access to anyone using that machine. If your workspace is accessed from shared devices, consider disabling "Allow remember login" to require authentication on every browser session.

Disabling internal login

This toggle historically hid the email/password fields on the login page. Because password login is no longer presented to users in any case, the toggle has no practical effect on the current passwordless sign-in experience. Users continue to sign in with email magic link / one-time code or with Google or GitHub regardless of this setting.