Authentication Events


Article Type: Concept
Audience: Enterprise Administrators
Module: Enterprise Admin - Access Control
Applies to Versions: All Versions

1. Overview

The Authentication Events screen provides Enterprise Administrators with comprehensive visibility into all authentication activities across the entire Fuuz Enterprise. This centralized security audit log captures every authentication attempt, API key generation, token verification, and identity provider interaction for all users, applications, and systems within your organization.

Authentication Events serve as the primary tool for security investigations, compliance auditing, troubleshooting user access issues, and monitoring potential security threats. All events are logged in real-time with 180-day retention and can be exported without row limits for external analysis or long-term archival.

Important: This feature is accessible exclusively to users with Enterprise Admin access type. Authentication Events span all Organizations and Applications within the Enterprise, providing complete visibility across your entire deployment.
Key Capabilities: Real-time event logging, 180-day retention, unlimited export capability, automatic account lockout after 5 failed attempts, customizable alerting via Data Flows, and integration with external SIEM and compliance systems.

Who Should Use This Feature

  • Enterprise Administrators: Primary security and compliance monitoring
  • Security Teams: Investigating suspicious authentication patterns or security incidents
  • Compliance Officers: Generating audit reports for SOC 2, ISO 27001, and regulatory requirements
  • IT Support: Troubleshooting user login and access issues
  • API Administrators: Monitoring API key usage and authentication failures

Common Use Cases

  • Troubleshooting user login issues and account lockouts
  • Security investigations following suspected breaches or unusual activity
  • Audit compliance reporting for regulatory frameworks
  • Monitoring API usage patterns and authentication failures
  • Tracking user access across applications and environments
  • Identifying compromised credentials or brute force attacks
  • Verifying identity provider integration functionality

2. Architecture & Data Flow

Event Logging Architecture

Authentication Events are captured at the enterprise service mesh layer, ensuring comprehensive logging regardless of the authentication method, application, or entry point. Every authentication attempt generates an event record that includes timestamp, event type, status, user information, IP address (for external logins), identity provider, and failure reason (if applicable).

Events are logged synchronously in real-time, meaning that as soon as an authentication attempt completes, the event is immediately available in the Authentication Events screen. There is no batch processing delay or asynchronous logging queue that might delay event visibility.

Authentication Event Types

| Event Type | Description | Triggered By |
| --- | --- | --- |
| Authentication | Standard user login attempt via username and password | User login form submission |
| CompareSecret | Password verification during authentication | Login process, password change validation |
| GenerateAPIKey | Creation of new API key for programmatic access | User or administrator generating API key |
| Initialization | Initial authentication session establishment | First login, session creation |
| InvalidAuthentication | Failed authentication attempt with invalid credentials | Incorrect username or password |
| Recovery | Password reset or account recovery process | Forgot password workflow, account unlock |
| SetSecret | Password creation or change operation | Initial password setup, password change |
| TokenRefresh | JWT token renewal during active session | Automatic token refresh, session extension |
| VerifyApiKey | API key authentication validation | API request with API key credentials |
| VerifyToken | JWT token validation for authenticated request | Each authenticated API or UI request |
| VerifyTokenExpired | Detection of expired JWT token | Expired session, stale token usage |

Event Statuses

  • Success: Authentication attempt completed successfully and access was granted
  • Failure: Authentication attempt failed due to invalid credentials, expired tokens, or other authentication errors
  • Incomplete: Authentication process started but did not complete (user abandoned, timeout, system error)

Failure Reasons

Failure reasons are captured as free-text descriptions that provide specific detail about why an authentication attempt failed. Common failure reasons include:

  • Authentication failed: jwt expired - JWT token has exceeded its validity period
  • jwt expired - Shortened form indicating token expiration
  • Invalid credentials - Username or password incorrect
  • Account locked - User account locked due to failed attempts
  • API key invalid - API key does not exist or has been revoked
  • Additional system-generated messages describing specific authentication failures

Account Lockout Mechanism

The Fuuz Platform implements automatic account lockout protection to prevent brute force attacks. After 5 consecutive failed login attempts, the user account is automatically locked and cannot authenticate until an Enterprise Administrator manually unlocks the account through the Enterprise Users screen.

Important: The 5-failure threshold applies to standard authentication attempts. Account lockout does not automatically reset after a time period - it requires administrative intervention to unlock. This ensures that potential security threats are reviewed by administrators before access is restored.

3. Use Cases

Security Investigation

Scenario: Multiple failed login attempts detected from unfamiliar IP addresses

Investigation Steps:

  1. Filter Authentication Events by Status = Failure and Event Type = InvalidAuthentication
  2. Review IP Address column to identify suspicious source locations
  3. Check Username column to determine if attacks target specific accounts or are random
  4. Export filtered results to CSV for detailed analysis and reporting
  5. If compromised credentials suspected, immediately reset affected user passwords
  6. Set up Data Flow alert to notify security team of future high-frequency failures from same IP ranges
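
Steps 1 to 4 can be repeated offline on an exported CSV. The following Python is an added example, not Fuuz code: it assumes the export's column headers match the screen's column names, runs on constructed sample rows, and uses illustrative thresholds.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The headers are an assumption: they mirror the
# screen's column names and may need adjusting to match a real export.
SAMPLE_EXPORT = """\
Created At,Authentication Event Type,Authentication Event Status,Username,IP Address,Failure Reason
01/15/2026 09:01 AM,InvalidAuthentication,Failure,alice,203.0.113.10,Invalid credentials
01/15/2026 09:01 AM,InvalidAuthentication,Failure,alice,203.0.113.10,Invalid credentials
01/15/2026 09:02 AM,InvalidAuthentication,Failure,alice,203.0.113.10,Invalid credentials
01/15/2026 09:03 AM,InvalidAuthentication,Failure,alice,203.0.113.10,Invalid credentials
01/15/2026 09:04 AM,Authentication,Success,alice,203.0.113.10,
01/15/2026 10:15 AM,InvalidAuthentication,Failure,bob,198.51.100.7,Invalid credentials
01/15/2026 10:15 AM,InvalidAuthentication,Failure,carol,198.51.100.7,Invalid credentials
01/15/2026 10:16 AM,InvalidAuthentication,Failure,dave,198.51.100.7,Invalid credentials
01/15/2026 11:30 AM,InvalidAuthentication,Failure,erin,192.0.2.44,Invalid credentials
01/15/2026 11:45 AM,InvalidAuthentication,Failure,svc-sync,,Invalid credentials
"""


def triage_failed_logins(csv_text, min_failures=3, many_accounts=3):
    """Group InvalidAuthentication failures by source IP and label each pattern."""
    failures = defaultdict(list)   # ip -> usernames that failed from it
    successes = defaultdict(set)   # ip -> usernames with a Success event from it
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("IP Address") or "").strip()
        if not ip:
            continue  # internal service authentication records no IP address
        user = (row.get("Username") or "").strip().lower()
        status = row["Authentication Event Status"]
        if status == "Success":
            successes[ip].add(user)
        elif status == "Failure" and row["Authentication Event Type"] == "InvalidAuthentication":
            failures[ip].append(user)

    findings = []
    for ip, users in failures.items():
        if len(users) < min_failures:
            continue
        distinct = sorted(set(users))
        findings.append({
            "ip": ip,
            "failures": len(users),
            "usernames": distinct,
            # Many distinct usernames: guessing across accounts.
            # Few distinct usernames: specific accounts are being targeted.
            "pattern": "many-accounts" if len(distinct) >= many_accounts else "targeted",
            # Failed usernames that also have a Success from this IP: review first.
            "also_succeeded": sorted(set(distinct) & successes[ip]),
        })
    return sorted(findings, key=lambda f: f["failures"], reverse=True)


if __name__ == "__main__":
    for finding in triage_failed_logins(SAMPLE_EXPORT):
        print(finding)
```

A non-empty `also_succeeded` list marks the accounts to prioritise for the password reset in step 5.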

Troubleshooting User Access Issues

Scenario: User reports inability to log in and receiving error messages

Troubleshooting Steps:

  1. Navigate to Authentication Events and search for the user by username or select from User dropdown
  2. Review recent authentication attempts to identify failure patterns
  3. Check Failure Reason column for specific error messages (expired token, invalid credentials, account locked)
  4. If account locked, navigate to Enterprise Users screen to unlock the account
  5. If repeated VerifyTokenExpired events, advise user to clear browser cache and re-login
  6. If API key issues, verify API key is valid and has not been revoked

Compliance Audit Reporting

Scenario: Annual SOC 2 audit requires evidence of authentication monitoring and access control

Reporting Steps:

  1. Set date range to cover the audit period (e.g., January 1 - December 31)
  2. Export all authentication events to Excel for comprehensive audit trail
  3. Filter by specific Applications or Users if audit scope is limited
  4. Generate summary reports showing total authentication attempts, success rate, and lockout incidents
  5. Document account lockout mechanism and administrative unlock procedures
  6. Provide evidence of real-time logging and 180-day retention policy

API Usage Monitoring

Scenario: Monitor API key authentication patterns to identify unusual usage or potential API key compromise

Monitoring Steps:

  1. Filter by Event Type = VerifyApiKey to isolate API authentication events
  2. Review User Api Key column to track usage of specific API keys
  3. Check IP Address patterns for unexpected geographic locations
  4. Monitor for high-frequency API calls that might indicate automated attacks or runaway processes
  5. Filter by Status = Failure to identify API keys that are no longer valid
  6. Set up Data Flow to export API authentication events to external monitoring system

Identity Provider Verification

Scenario: Verify that OIDC or SAML identity provider integration is functioning correctly

Verification Steps:

  1. Filter by Identity Provider column to view authentication events for specific IdP
  2. Review success vs failure rates to identify integration issues
  3. Check that external IdP users show correct Identity Provider (not "Internal")
  4. Verify token refresh patterns are consistent with IdP token expiration settings
  5. Monitor for VerifyTokenExpired events that might indicate IdP token lifecycle issues

4. Screen Details

Accessing Authentication Events

Navigation Path:

Enterprise Admin Home → System → Access Control → Authentication Events

Required Permissions:

  • Access Type: Enterprise Admin (exclusive access - not available to App Admins or Developers)
  • Visibility Scope: All Organizations and Applications across the entire Enterprise

Filter Options

| Filter Field | Type | Description |
| --- | --- | --- |
| Start Date / End Date | Date Range Picker | Filter events by date/time range; no maximum range limit; defaults to most recent events |
| Authentication Event Type | Dropdown (Multi-select) | Select one or more event types (Authentication, VerifyApiKey, TokenRefresh, etc.) |
| Authentication Event Status | Dropdown (Multi-select) | Filter by Success, Failure, or Incomplete status |
| Username | Free Text Search | Enter partial or full username for text matching; case-insensitive |
| User | Dropdown List | Select from list of known Enterprise Users; more precise than Username text search |
| Tenant (Application) | Dropdown (Multi-select) | Filter events by specific Application (also referred to as Tenant in some interfaces) |
| Identity Provider | Dropdown (Multi-select) | Filter by authentication provider (Internal, OIDC, SAML, or configured IdP names) |
| Initiated By User | Dropdown | Filter events initiated by specific user (useful for administrative actions) |
| User Api Key | Text Search | Search for events using specific API key identifier |

Note: The Username filter uses free-text pattern matching and may return partial matches, while the User dropdown provides exact user selection. For precise user filtering, use the User dropdown. For broader searches or when the exact username is uncertain, use the Username text field.

Table Columns

| Column | Content |
| --- | --- |
| Created At | Timestamp of authentication event (MM/DD/YYYY HH:MM AM/PM format) |
| Authentication Event Type | Specific event classification (11 types listed in Architecture section) |
| Authentication Event Status | Success, Failure, or Incomplete |
| Username | Username of the user attempting authentication |
| User | Full user display name or identifier from Enterprise User record |
| Tenant (Application) | Application name where authentication occurred |
| Role | Role associated with user authentication (if applicable) |
| Token Id | Unique identifier for the JWT token generated or verified |
| User Api Key | API key identifier used for authentication (for API requests) |
| IP Address | Source IP address for external authentication attempts (not captured for internal services) |
| Failure Reason | Free-text description of why authentication failed (only populated for Failure status) |
| Identity Provider | Authentication provider used (Internal, OIDC, SAML, or configured IdP name) |





Export Functionality

Authentication Events can be exported to CSV or Excel formats for external analysis, archival, or integration with other systems. There are no row limits on exports - the system will export all records matching your current filter criteria regardless of volume.

Export Process:

  1. Apply desired filters to narrow the data set (recommended for large exports)
  2. Click the export button in the toolbar
  3. Select CSV or Excel format
  4. The downloaded file includes all columns and all rows matching the filter

Best Practice: For exports covering large date ranges or high-traffic applications, consider filtering by Application, date range, or event type to create manageable export files. While there is no technical row limit, extremely large exports may take time to generate and download.

5. Technical Details

Data Retention Policy

Authentication Events are retained for 180 days from the date the event was created. After 180 days, events are automatically purged from the system. Organizations requiring longer retention periods should implement automated export workflows using Data Flows to archive authentication data to external systems or data warehouses.

Important: The 180-day retention policy is a platform constraint and cannot be extended through configuration. For compliance requirements exceeding 180 days, establish automated export processes to external archival systems.

Real-Time Event Logging

All authentication events are logged synchronously in real-time. When an authentication attempt completes, the event record is immediately written to the authentication log and is instantly available in the Authentication Events screen. There is no batch processing delay or queuing mechanism that might defer event visibility.

This real-time architecture ensures that security investigations and troubleshooting activities have access to the most current authentication data without waiting for log processing cycles.

IP Address Tracking

IP addresses are captured for all external authentication attempts initiated from client browsers or external API consumers. Internal service-to-service authentication (such as Gateway-to-Platform or scheduled Data Flow execution) does not capture IP addresses since these requests originate from within the platform infrastructure.

The IP Address field is valuable for identifying geographic patterns in authentication attempts, detecting suspicious login locations, and correlating failed authentication attempts from specific IP ranges that might indicate coordinated attacks.

Identity Provider Integration

Any identity provider configured for your Enterprise will appear in the Identity Provider column and filter options. This includes:

  • Internal: Standard Fuuz username/password authentication
  • OIDC Providers: OpenID Connect integrations (Azure AD, Okta, Google Workspace, etc.)
  • SAML Providers: SAML 2.0 enterprise identity providers
  • Custom IdPs: Any organization-specific identity provider configurations

Each configured identity provider will display using the name assigned during the IdP configuration process, making it easy to filter and analyze authentication patterns by provider.

Alert and Notification Integration

Administrators can establish automated alerting for authentication events using Data Flows. Common alerting patterns include:

  • High-Frequency Failures: Alert when more than X failed attempts occur within Y minutes
  • Geographic Anomalies: Notify when authentication attempts originate from unexpected IP ranges or countries
  • Account Lockouts: Immediate notification when user accounts are automatically locked
  • API Key Issues: Alert on repeated API key authentication failures
  • After-Hours Access: Notify on authentication attempts outside of normal business hours

Data Flows can also push authentication events to external systems including SIEM platforms, compliance databases, or ticketing systems for centralized security monitoring.
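
The High-Frequency Failures pattern ("more than X failed attempts within Y minutes") reduces to a sliding-window count. The following Python is an added example of that logic run over exported events, not a Data Flow definition or Fuuz code; the dictionary keys are assumed to match the screen's column names, and the events and thresholds are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The Created At column is displayed as MM/DD/YYYY HH:MM AM/PM.
CREATED_AT_FORMAT = "%m/%d/%Y %I:%M %p"


def _event(created_at, status, ip):
    """Build one event record keyed by the (assumed) export column names."""
    return {"Created At": created_at, "Authentication Event Status": status, "IP Address": ip}


# Constructed sample events, deliberately not in chronological order.
SAMPLE_EVENTS = [
    _event("01/15/2026 09:40 AM", "Failure", "198.51.100.7"),
    _event("01/15/2026 09:30 AM", "Failure", "198.51.100.7"),
    _event("01/15/2026 09:20 AM", "Failure", "198.51.100.7"),
    _event("01/15/2026 09:10 AM", "Failure", "198.51.100.7"),
    _event("01/15/2026 09:00 AM", "Failure", "198.51.100.7"),
    _event("01/15/2026 02:04 AM", "Failure", "203.0.113.10"),
    _event("01/15/2026 02:03 AM", "Failure", "203.0.113.10"),
    _event("01/15/2026 02:02 AM", "Success", "203.0.113.10"),
    _event("01/15/2026 02:01 AM", "Failure", "203.0.113.10"),
    _event("01/15/2026 02:01 AM", "Failure", "203.0.113.10"),
    _event("01/15/2026 02:00 AM", "Failure", "203.0.113.10"),
]


def high_frequency_failures(events, max_failures, window_minutes, group_by="IP Address"):
    """Alert each time one source exceeds max_failures failures within the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # group key -> failure timestamps still inside the window
    alerts = []
    timed = [(datetime.strptime(e["Created At"], CREATED_AT_FORMAT), e) for e in events]
    for ts, event in sorted(timed, key=lambda pair: pair[0]):
        key = event.get(group_by, "")
        if event["Authentication Event Status"] != "Failure" or not key:
            continue  # skip successes and events without the grouping value
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) > max_failures:
            alerts.append({"key": key, "count": len(q), "first": q[0], "last": ts})
            q.clear()  # start a fresh window so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in high_frequency_failures(SAMPLE_EVENTS, max_failures=4, window_minutes=5):
        print(alert)
```

Passing `group_by="Username"` applies the same window per account instead of per source IP, provided the records carry that key.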

Compliance and Audit Requirements

Authentication Events fulfill audit logging requirements for multiple compliance frameworks:

  • SOC 2 Type II: Demonstrates comprehensive logging and monitoring of logical access controls
  • ISO 27001: Provides evidence of access control monitoring and security event logging
  • GDPR: Supports data access auditing and breach detection requirements
  • HIPAA: Documents access attempts to systems containing protected health information
  • NIST 800-53: Satisfies audit and accountability control families

The real-time logging, comprehensive event capture, and exportability features ensure that Authentication Events meet the most stringent audit and compliance requirements across industries.

6. Resources

Enterprise Admin:

  • Enterprise Admin Overview
  • Enterprise Users Management
  • Access Control Policies
  • Identity Provider Configuration (OIDC/SAML)
  • API Key Management

Security & Compliance:

  • Security Best Practices
  • Account Lockout and Recovery Procedures
  • Compliance Reporting Guide
  • Data Flow Alert Configuration

Integration:

  • Data Flow Connectors Overview
  • Exporting Data to External Systems
  • SIEM Integration Patterns

7. Troubleshooting

| Issue | Cause | Resolution |
| --- | --- | --- |
| Cannot access Authentication Events screen | User does not have Enterprise Admin access type | Contact another Enterprise Administrator to grant Enterprise Admin access type to your user account |
| User reports locked out of account | 5 or more failed authentication attempts triggered automatic lockout | Review Authentication Events for the user to confirm lockout cause, then unlock account via Enterprise Users screen |
| Missing events from specific date range | Events older than 180 days have been automatically purged | Check external archival systems if automated exports were configured; otherwise data is permanently deleted |
| IP Address column blank for some events | Authentication originated from internal platform services | Expected behavior - IP addresses only captured for external authentication attempts; internal service authentication does not log IP |
| Export appears incomplete or missing rows | Filters were applied before export that limited results | Clear all filters and re-export to get complete dataset; verify date range covers desired period |
| Identity Provider shows "Internal" but user has SSO | User authenticated with username/password instead of SSO flow | Verify IdP configuration is correct; ensure user is accessing correct SSO login URL; user may be bypassing SSO |
| High volume of VerifyTokenExpired events | Token expiration settings too aggressive or browser caching issues | Review token lifetime settings; advise users to clear browser cache; check if IdP token expiration is properly configured |
| Unusual pattern of failed API key authentication | Compromised or expired API key being used | Revoke suspect API key immediately; review IP addresses for attack pattern; generate new API key; notify affected system owners |
| Cannot find specific user's authentication events | Username spelling incorrect or events outside 180-day retention | Verify correct username spelling; use User dropdown instead of Username text field for exact match; check date range |

8. Revision History

| Version | Date | Editor | Description |
| --- | --- | --- | --- |
| 1.0 | 2025-12-29 | Craig Scott | Initial Release |