Changelog

Single sign-on for your team

Quackback now supports single sign-on through any OIDC identity provider, alongside two-factor authentication, recovery codes, and a full security audit log. Together they bring Quackback in line with the access controls your security team already enforces on every other tool.

Single sign-on

Connect Quackback to your existing identity provider, including Okta, Auth0, Microsoft Entra, Google Workspace, and Keycloak. Access is governed by the same policies you've already invested in: conditional access, IdP-side MFA, session timeouts, and instant offboarding when someone leaves the company.

You can now:

  • Replace per-tool passwords with your identity provider, so there's one credential to protect and one place to revoke
  • Require SSO per verified email domain or workspace-wide, so no team member can quietly bypass the policy
  • Map IdP groups to Quackback roles, so privileges follow your directory of record and don't drift over time
  • Run a test sign-in end to end before turning enforcement on, so a misconfigured provider can't lock the team out
  • Generate recovery codes as a break-glass option if your IdP ever has an outage

Two-factor authentication

For teams not yet on SSO, TOTP-based 2FA closes the credential-stuffing and phishing gap on password sign-in.

You can now:

  • Enable 2FA from your profile with any authenticator app
  • Require 2FA workspace-wide so every password sign-in is protected by a second factor
  • Reset another team member's 2FA enrollment from the admin when a device is lost or compromised
  • Fall back to one-time recovery codes when an authenticator isn't available

Audit log

Every security-sensitive admin action now writes to an append-only ledger, giving you forensics for incident response and evidence for SOC 2, ISO 27001, and similar reviews.

You can now:

  • Review who toggled SSO, rotated a client secret, reset someone's 2FA, or generated recovery codes, with IP and user-agent on every row
  • Filter by event type, actor, and time range
  • Export the full feed to CSV for auditors

Other improvements

  • Trending is now the default sort on the portal feedback list
  • Verified domains, audit log, and team management tables adapt to mobile
  • New-device sign-in alerts are always on, so account takeovers surface immediately
  • The widget's launcher and placement options work again when installed via script tag
