Safer, Faster: How We Rebuilt Esus Login
Signing into Esus is the first thing you do every day. That’s why we rebuilt it from scratch with three goals: get you in faster, verify you’re who you say you are, and resist the attacks that most commonly hit medical accounts.
Sign in with Google in one click
You can now use your Google account to sign into Esus. If your email matches an existing account, you’re signed into the same account you already had — no duplicates, no manual migrations. And if you’re new, your workspace is created instantly, with your name and profile picture already in place.
What does this mean in practice? Fewer passwords to remember, zero friction when inviting teammates, and instant sign-in from any device where you’re already signed into Google.
Email verification with a 6-digit code
Signing up for Esus now requires one simple thing: confirming the email is yours. When you create the account, we send a 6-digit code to your inbox. You enter it, and you’re signed in automatically — no need to type your password again.
This isn’t just a formality: it’s the barrier that prevents someone from creating accounts under your email (typosquatting, phishing via fake invitations) and the foundation we built the next step on.
Recover your password, no support needed
Same mechanics as verification: you request a code, it lands in your inbox, you enter it with your new password, and every active session on other devices is revoked automatically. If your account was locked from failed attempts, the reset unlocks it.
What’s next: two-factor at sign-in
The OTP infrastructure that today powers signup and password reset is the same infrastructure we’ll use, very soon, as a second factor at sign-in. It will be optional at first and mandatory for accounts with access to protected data (PHI). Concretely: password + email code → goodbye to 99% of credential-stuffing attacks.
Under the hood
A few things you won’t see but that matter:
- Email delivery with automatic retries. Codes go out through an async queue: if our mail provider has a 2-minute outage, your code retries with exponential backoff until it arrives. No more “I didn’t get the email”.
- Refresh token replay detection. If someone tries to reuse an old refresh token (a classic sign of credential theft), we automatically revoke every session for that user and force a re-login.
- Brute-force lockout. 5 failed attempts and the account is locked for 15 minutes. A password reset also unlocks it.
- Resume in your last workspace. If you belong to multiple organizations, we drop you back into whichever one you were using last — no prompt, no friction.
- Expanded healthcheck. Our health endpoint now reports status for the database, Redis, S3 storage, email delivery, job queues, and database backups — every piece watched in real time.
Compliance and privacy
All of this is designed with HIPAA in mind:
- Passwords hashed with Argon2id (the OWASP standard), minimum 12 characters with upper/lower/number/symbol complexity.
- 15-minute JWTs + 7-day refresh tokens in HttpOnly cookies (invisible to browser JavaScript, mitigating XSS).
- Every OTP expires in 10 minutes, is stored hashed (SHA-256), and has a cap of 5 attempts per code.
- For users coming in through Google, we inherit their verification — we won’t ask for an OTP on something Google already validated.
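As an added illustration of the OTP rules listed above (expiry of 10 minutes, SHA-256 hashed storage, cap of 5 attempts per code), here is a small Python store that enforces them. This is example code written for this article, not Esus's own implementation; the in-memory dictionary, the fake clock parameter and the per-code random salt mixed into the hash are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 10 * 60  # every OTP expires in 10 minutes
OTP_MAX_ATTEMPTS = 5       # cap of 5 attempts per code


@dataclass
class OtpRecord:
    salt: bytes        # assumption: per-code random salt so equal codes hash differently
    digest: bytes      # SHA-256 of salt + code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpStore:
    """Issues and verifies one pending 6-digit code per email address."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock (assumption, for testing expiry)
        self._records = {}         # email -> OtpRecord (in-memory stand-in for Redis/DB)

    def issue(self, email: str) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG, zero-padded to 6 digits
        salt = secrets.token_bytes(16)
        self._records[email] = OtpRecord(salt, _digest(salt, code),
                                         self._now() + OTP_TTL_SECONDS)
        return code  # returned only so it can be emailed; caller must not log it

    def verify(self, email: str, code: str) -> str:
        """Returns 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        rec = self._records.get(email)
        if rec is None:
            return "no_code"
        if self._now() > rec.expires_at:
            del self._records[email]
            return "expired"
        rec.attempts += 1  # count before comparing so a wrong guess always costs an attempt
        if hmac.compare_digest(_digest(rec.salt, code), rec.digest):
            del self._records[email]  # single use: a verified code cannot be replayed
            return "ok"
        if rec.attempts >= OTP_MAX_ATTEMPTS:
            del self._records[email]  # cap reached: the user must request a fresh code
            return "locked"
        return "wrong"
```

Note that a 6-digit code has only a million possibilities, so the attempt cap and the short expiry, not the hash, are what stop online guessing; the hash only protects codes at rest if the store is read.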
Available now
The new flow is live in production. Your existing account keeps working exactly the same — no manual migration required. New users go through email verification; existing users keep signing in with their usual password.
Try “Sign in with Google” on the login screen and let us know what you think.