Login with Single Use Token (email 2FA)
The Login with Single Use Token plugin adds a two-factor authentication (2FA) layer to the login of ACCELERO operators. When enabled for an operator, after entering the correct username and password, the login is not completed immediately: the system sends a single access link to the operator's email. Only by clicking that link is access to the system made effective.
The additional factor is the Single Use Token — a random, single-use code with a short validity, embedded in a link sent by email. This ensures that, even if the password is compromised, the login is only completed by whoever has access to the operator's email inbox.
This feature is delivered as a plugin (singleusetoken) and must be installed and enabled by the IONGRADE technical team. Contact support to check compatibility with your ACCELERO version.
Current plugin version: 0.0.1 — compatible with ACCELERO 2.16.8 or higher.
What the plugin does
| Feature | What happens in ACCELERO |
|---|---|
| 2FA per operator | Adds the Login with Single Use Token option to each operator's record; the second factor applies only to the marked operators |
| Link sent by email | After the correct username and password, generates a single-use token and sends an access link to the operator's email |
| Login completion via the link | The login is only made effective when the operator clicks the received link, within the validity period |
| Single-use and expirable token | The token is discarded after the first use and expires automatically after a short time |
Protects sensitive accounts (administrators, operators with access to critical data) against improper access even in case of a leaked password, without relying on external authenticator apps — all it takes is the operator's email.
Enable 2FA for an operator
Navigation path: Operators > Edit
In the operator editing form, the plugin adds the Login with Single Use Token control (an on/off toggle button), shown right after the operator enablement field.
| Field | Description |
|---|---|
| Login with Single Use Token | When enabled, the operator starts requiring the second factor (link by email) at each login. When disabled, the login follows the standard flow (username and password only) |
Operator editing form (Operators > Edit) with the Login with Single Use Token toggle button highlighted.
The access link is sent to the email registered on the operator. Operators with 2FA enabled must have a valid email in their record — without an email, the operator does not receive the link and cannot complete the login.
How login with Single Use Token works
For an operator with the option enabled, the login now has two steps:
- Username and password — the operator enters the credentials normally on the login screen.
- Token generation and sending — once the credentials are validated, the system generates a random single-use token, builds an access link and sends it by email to the operator. The screen shows the message:
"An access link has been sent to your email. Click the link to access the system."
- Completion via the link — the operator opens the email (subject "Access link") and clicks the ACCESS ACCELERO button. The system validates the token and, if valid, makes the session effective and redirects to the main screen.
Login screen showing the message "An access link has been sent to your email. Click the link to access the system." after the operator entered username and password.
Email received by the operator, with the subject "Access link" and the ACCESS ACCELERO button.
Token validity and single use
| Characteristic | Behavior |
|---|---|
| Single use | The token is invalidated immediately after being used. The same link does not work twice |
| Expiration | The token has a short validity (by default, 60 seconds after generation). Once the period expires, the link stops working |
| Invalid or expired link | When accessing an invalid, already used or expired link, the system does not make the login effective and redirects to the home screen (/), without a specific error message |
The link is valid for a few seconds by default. Instruct operators to open the email and click the link immediately after receiving it. If the period expires, just redo the login (username and password) to generate a new link.
The token's validity time is defined in the plugin code (60 seconds in the current version) and there is no configuration screen to adjust it. Changes depend on the IONGRADE technical team.
Use cases
Require 2FA for administrators
- Request the installation of the
singleusetokenplugin from IONGRADE. - Confirm that the administrator operators have a valid email registered.
- In
Operators > Edit, enable Login with Single Use Token for each operator who should use the second factor. - Save. On the next login, these operators will receive the access link by email.
Day-to-day login of a protected operator
- The operator enters username and password on the login screen.
- Receives the message that a link has been sent to their email.
- Opens the "Access link" email and clicks ACCESS ACCELERO.
- Is redirected already authenticated to the ACCELERO main screen.
Best practices
- Reliable and up-to-date email: make sure the operator's email is correct and accessible before enabling 2FA — it is through it that the second factor arrives.
- Apply to sensitive accounts: enable the feature preferably for profiles with administrative access or to critical data, rather than all operators.
- Working email server: since the login depends on sending email, verify that ACCELERO is sending messages correctly before enabling the feature en masse.
- Click quickly: instruct operators to use the link as soon as it is received, due to the token's short validity.
Troubleshooting
The operator does not receive the access link
Possible causes:
- Missing or incorrect email in the operator's record
- ACCELERO's email server/service unavailable or misconfigured
- Message went to spam/junk mail
Solution:
- Check the email registered in
Operators > Edit. - Check ACCELERO's email sending configuration.
- Ask the operator to check the spam folder.
The link says it does not work / goes back to the login screen
Possible causes:
- The link was already used (single use)
- The validity period expired
- The link was changed/truncated when copied from the email
Solution:
- Redo the login (username and password) to generate a new link.
- Click the link immediately after receiving it.
- Use the ACCESS ACCELERO button in the email instead of copying the URL manually.
The operator logs in directly, without receiving an email
Possible causes:
- The Login with Single Use Token option is not enabled for this operator
Solution:
- In
Operators > Edit, confirm that the Login with Single Use Token button is on. - Save and test again.
Integration with other modules
Operators
2FA is configured per operator in the Operators record. The Login with Single Use Token option is stored as an attribute of the operator and the email used to send the link is the email of that same record.