Internal Login
Internal login refers to TestOrchestrator's legacy email-and-password authentication method and its lockout, password-reset, and remember-login settings.
Password login has been replaced by passwordless sign-in Users no longer sign in with a password. Everyone authenticates with an email magic link / one-time code, or with Google or GitHub — see Log In. The settings on this page still appear on the Internal tab in Admin → Authentication and can still be saved, but they govern the retired password flow and therefore have no effect on how users sign in today. They are documented here for reference.
Settings reference
All settings are found on the Internal tab under Admin → Authentication. Changes are saved per-section.
| Setting | Default | Range | What it does |
|---|---|---|---|
| Internal login enabled | On | — | Master toggle for email/password login. When off, the email and password fields are hidden on the login page. |
| Allow password reset | On | — | Shows the "Forgot password?" link on the login page. When off, users cannot self-serve a password reset. |
| Allow remember login | On | — | Shows a "Remember me" checkbox on the login page. When checked by the user, their session persists for 30 days without re-authentication. |
| Max failed attempts | 5 | 3–20 | Number of consecutive incorrect password attempts before the account is temporarily locked. |
| Lockout duration | 15 minutes | 1–1440 min | How long an account stays locked after reaching the failed attempt limit. The lock clears automatically; no admin action is needed. |
Account lockout
When a user exceeds the max failed attempts threshold, their account is locked for the configured lockout duration. The lockout resets automatically — the user simply needs to wait, then try again with the correct password.
Lockout is per-account and does not affect other users. Admins cannot manually clear a lockout; the account unlocks when the timer expires.
Password reset
This setting controlled a "Forgot password?" link in the legacy password flow. With passwordless sign-in there are no passwords to reset — if a user can't get in, they request a fresh sign-in link or code from the login page. The setting has no effect today.
Remember login
When enabled, users see a "Remember me" checkbox on the login page. Checking it creates a 30-day persistent session — the user stays logged in across browser restarts without re-entering credentials.
Security trade-off on shared devices A 30-day session on a shared or public computer gives extended access to anyone using that machine. If your workspace is accessed from shared devices, consider disabling "Allow remember login" to require authentication on every browser session.
Disabling internal login
This toggle historically hid the email/password fields on the login page. Because password login is no longer presented to users in any case, the toggle has no practical effect on the current passwordless sign-in experience. Users continue to sign in with email magic link / one-time code or with Google or GitHub regardless of this setting.