Authentication & Single Sign-On (SSO)
Evenpay uses Auth0 as its identity and authentication platform. Auth0 is a leading identity provider trusted by thousands of organizations worldwide. This article explains the authentication options available to your organization.
Login Methods
By default, Evenpay supports the following login methods:
Method | Description |
Email + Password | Standard login with your email address and a password. Passwords are cryptographically hashed — they are never stored in plain text. |
Google Sign-In | Log in using your Google Workspace or personal Google account. No separate Evenpay password needed. |
Each user account is personal. Login credentials must not be shared between users.
Single Sign-On (SSO)
For organizations that want centralized identity management, Evenpay supports Single Sign-On (SSO) through Auth0. SSO allows your team to log in to Evenpay using the same credentials they use for other company tools — no separate password to remember.
Supported identity providers include:
Identity Provider | Protocol |
Microsoft Entra ID (Azure AD) | SAML 2.0 / OIDC |
Google Workspace | OIDC |
Okta | SAML 2.0 / OIDC |
Other SAML/OIDC providers | Custom configuration available |
When SSO is configured, your organization can restrict access so that users can only log in through your identity provider — email/password login is disabled for your organization.
To set up SSO: Contact Evenpay support. We'll work with your IT team to configure the connection to your identity provider through Auth0.
Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring a second form of verification in addition to your password. Evenpay supports MFA at the organization level — when enabled, all users in the organization must set up MFA before they can access the system.
Available MFA methods:
Method | How it works | Recommended? |
Authenticator App | Time-based one-time codes (TOTP) via apps like Google Authenticator, Authy, or Microsoft Authenticator | Yes — most secure option |
SMS Verification | One-time code sent to a mobile phone number | Acceptable, but less secure than app-based MFA |
Both methods can be enabled simultaneously. We recommend authenticator apps as the primary method, as SMS can be vulnerable to SIM-swapping attacks.
MFA can be configured by Owners and Administrators via Settings → Security. For more details on the MFA configuration interface, see the Security settings article.
Password Security
For users who log in with email and password, Auth0 handles all password management. Key details:
Feature | Detail |
Storage | Passwords are cryptographically hashed — never stored in plain text |
Password reset | Users can reset their password through their identity provider's flow |
Brute force protection | Auth0 automatically detects and blocks suspicious login attempts |
Session Management
User sessions have a limited lifetime. Sessions expire automatically after a period of inactivity, and users can be logged out automatically in suspicious circumstances (e.g., unusual location, anomalous behavior patterns detected by Auth0).
Roles & Access Control
Each user is assigned an organization-specific role that determines what they can see and do within Evenpay. Users can only access data from the organizations they've been granted access to — there is no way to view or modify another organization's data.
Roles are managed by your organization's Owners and Administrators.
Frequently Asked Questions
Can we use our own identity provider (e.g., Microsoft Entra ID)?
Yes. Evenpay supports SSO through Auth0 with any SAML 2.0 or OIDC-compatible identity provider. Contact Evenpay support to set it up.
Can we enforce that users can only log in via SSO?
Yes. Once SSO is configured, your organization can restrict access so that only SSO-based login is allowed — email/password and social logins are disabled for your users.
Is MFA mandatory?
It's optional by default, but we strongly recommend enabling it — especially for organizations handling sensitive compensation data. Any Owner or Administrator can enable the MFA requirement from Settings → Security.
A user lost their authenticator device. What now?
An Owner or Administrator can reset the user's MFA from their profile. The user will be prompted to set up MFA again on their next login.
Updated on: 08/04/2026
