Security & 2FA
Dialer.CX includes multiple layers of security to protect your call center operations, customer data, and system credentials. This page covers authentication hardening, encryption, access control, and session management.

Two-Factor Authentication (2FA)
Dialer.CX supports two 2FA methods for enhanced login security. When enabled, users must provide a second verification factor after entering their password.
Authenticator App (TOTP)
The recommended method. Codes are generated on the user's device from a shared secret and the current time, so they work offline and cannot be intercepted in transit the way an emailed code can:
- Go to your account settings
- Click Enable 2FA
- Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
- Enter the 6-digit verification code to confirm setup
- Future logins require your password + a fresh authenticator code
Email 2FA
A fallback method for users who have not configured an authenticator app. An emailed code is only as strong as the mailbox that receives it, so treat this as a stopgap and move users to TOTP:
- A 6-digit verification code is sent to the user’s registered email address
- The code must be entered within 10 minutes before it expires
- Automatic fallback when TOTP is not configured for the account
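The two flows above, as an added example in Python that is not Dialer.CX code: a TOTP verifier per RFC 6238 (the same computation the authenticator app performs after scanning the QR code), an emailed-code issuer that stores only a hash with a 10-minute expiry, and a dispatcher that falls back to the email code when no TOTP secret is enrolled. The function names, the one-step clock-skew window, the attempt limit and the in-memory user record are assumptions made for this illustration; the 6-digit codes and the 10-minute lifetime follow the page.

```python
"""Second-factor verification: TOTP (RFC 6238) with an email-code fallback.

Added example, not Dialer.CX code. The 6-digit codes and 10-minute email-code
lifetime follow the page; function names, the skew window, the attempt limit
and the user-record layout are assumptions for this illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30                  # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
EMAIL_CODE_TTL = 10 * 60   # page: emailed codes expire after 10 minutes


def totp(secret: bytes, for_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter with HMAC-SHA1."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Dialer.CX") -> str:
    """The otpauth:// URI a setup QR code encodes (Key Uri Format); secret is base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP}")


def verify_totp(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the current step and +-skew_steps neighbours to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, now + k * STEP), submitted):
            return True
    return False


def issue_email_code(now: int) -> tuple[str, dict]:
    """Generate a random 6-digit code; the server keeps only its hash and an expiry."""
    code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
    record = {"hash": hashlib.sha256(code.encode()).hexdigest(),
              "expires": now + EMAIL_CODE_TTL, "attempts": 0}
    return code, record


def verify_email_code(record: dict, submitted: str, now: int, max_attempts: int = 5) -> bool:
    """Reject expired codes and cap guesses so a 6-digit space cannot be brute-forced."""
    if now > record["expires"] or record["attempts"] >= max_attempts:
        return False
    record["attempts"] += 1
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    return hmac.compare_digest(digest, record["hash"])


def verify_second_factor(user: dict, submitted: str, now: int) -> bool:
    """TOTP when the account has a secret enrolled; otherwise the pending email code.
    A used email code is discarded so it cannot be replayed."""
    if user.get("totp_secret"):
        return verify_totp(user["totp_secret"], submitted, now)
    if user.get("email_code"):
        if verify_email_code(user["email_code"], submitted, now):
            user["email_code"] = None
            return True
    return False
```

Run against the RFC 6238 reference secret `12345678901234567890`, `totp(secret, 59)` yields `287082`, matching the published test vector, which is a quick way to confirm a verifier before wiring it to real enrollments.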
Admin Controls
Administrators can manage 2FA across the organization:
- Force 2FA enrollment for all users — new users are required to set up 2FA on first login
- Reset 2FA for individual users who have lost their authenticator device
- View enrollment status — see which users have 2FA enabled and which method they use
- Exemptions — temporarily exempt specific accounts if needed during onboarding
Encryption
Data at Rest
- All API keys and third-party credentials are encrypted before storage
- Encryption is automatic — credentials are encrypted when saved and decrypted only when needed by the application
- Database-stored secrets (AI provider keys, SMTP passwords, SIP credentials) are never stored in plaintext
Data in Transit
- All web traffic uses HTTPS/TLS; HTTP requests are redirected automatically
- Browser softphone uses encrypted signaling (TLS) and encrypted voice (SRTP) for all WebRTC calls
- Email delivery uses STARTTLS encryption when supported by the receiving mail server
- AMI connections to the PBX use authenticated TCP sessions. AMI authentication is not transport encryption, so the manager port should be reachable only from the Dialer.CX host or a private management network
Recording Access
- Call recordings are protected with HMAC-SHA256 signed tokens
- Tokens are time-limited and expire after 8 hours
- No sequential IDs are exposed in URLs — each access request requires a cryptographically signed token, preventing enumeration attacks
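The recording-token scheme described above, as an added example in Python that is not Dialer.CX code. The token carries the recording id, the requesting user and an absolute expiry, all covered by an HMAC-SHA256 signature; the HMAC-SHA256 and 8-hour lifetime follow the page, while the payload layout, the user binding and the function names are assumptions for this illustration. What defeats enumeration is the signature: changing the id inside a captured token, or guessing a neighbouring id, produces a token the server rejects because it was not signed with the server key.

```python
"""Time-limited, HMAC-SHA256 signed access tokens for recording downloads.

Added example, not Dialer.CX code. HMAC-SHA256 and the 8-hour lifetime follow
the page; the payload layout (id|user|expiry), the user binding and the helper
names are assumptions for this illustration.
"""
import base64
import hashlib
import hmac

TOKEN_TTL = 8 * 3600   # page: tokens expire after 8 hours


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_recording_token(key: bytes, recording_id: str, user_id: int, now: int) -> str:
    """Bind one recording to one user with an absolute expiry, then sign the payload."""
    payload = f"{recording_id}|{user_id}|{now + TOKEN_TTL}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)


def verify_recording_token(key: bytes, token: str, now: int):
    """Return (recording_id, user_id) for an authentic, unexpired token, else None.
    The signature is checked before anything in the payload is trusted."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:                                   # malformed token
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):           # constant-time compare
        return None
    recording_id, user_id, expires = payload.decode().split("|")
    if now >= int(expires):
        return None
    return recording_id, int(user_id)


def enumeration_attempt(token: str, guessed_id: str) -> str:
    """What an attacker can do with a captured token: swap the id, keep the old signature."""
    payload_b64, sig_b64 = token.split(".")
    _, user_id, expires = b64url_decode(payload_b64).decode().split("|")
    return b64url(f"{guessed_id}|{user_id}|{expires}".encode()) + "." + sig_b64
```

The download route looks up the recording only after `verify_recording_token` returns a tuple, so a forged or expired token never reaches storage; issuing the key from the server's secret store (not from configuration checked into a repository) is what keeps the scheme sound.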
Role-Based Access Control
Four access tiers ensure users only see the pages and data relevant to their responsibilities:
| Role | User Level | Access |
|---|---|---|
| Agent | 1–4 | Dashboard, Agent Workspace, Callbacks |
| Supervisor | 5–6 | + Monitoring, Recordings, Reports, Wallboard |
| Manager | 7–8 | + Campaigns, Lists, Contacts, Inbound, Operations |
| Admin | 9 | Full access to all features and settings |
Access control is enforced at two layers:
- Frontend: the sidebar navigation only renders links the user's role permits. This is a usability measure, not a security boundary; a user can still send any request by hand
- Backend: every API route reads the user's role from the verified JWT and rejects unauthorized requests, so a hidden link gives no access on its own
Session Management
- JWT-based sessions with HS256 signing; tokens cannot be forged without the server secret
- Sessions expire after 8 hours of inactivity by default (configurable in system settings)
- Active sessions are tracked in the database and can be revoked immediately by an administrator. Because a JWT is self-contained, revocation only takes effect because every request also checks the session table, not just the signature
- All login and logout events are recorded in the Login History log with timestamps and IP addresses
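The backend role check and the session rules above, as an added example in Python that is not Dialer.CX code. It issues an HS256 JWT carrying the user level, verifies it with the algorithm pinned (so `alg=none` or a key-confusion token is refused), enforces the 8-hour inactivity limit through a server-side session table that an administrator can revoke, and compares the level against a per-route minimum taken from the tier table. HS256, the four tiers, the 8-hour lifetime and the tracked-session table follow the page; the claim names, the route table, the in-memory `SessionStore` and `authorize()` are assumptions for this illustration.

```python
"""HS256 JWT sessions with backend role checks and server-side revocation.

Added example, not Dialer.CX code. HS256, the four tiers, the 8-hour inactivity
limit and the tracked-session table follow the page; claim names, the route
table, SessionStore and authorize() are assumptions for this illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets

SESSION_TTL = 8 * 3600   # page default: 8 hours of inactivity

# Minimum user level per route (assumed mapping, derived from the access-tier table).
ROUTE_MIN_LEVEL = {
    "/api/callbacks": 1,    # Agent
    "/api/recordings": 5,   # Supervisor
    "/api/campaigns": 7,    # Manager
    "/api/settings": 9,     # Admin
}


def role_for_level(level: int) -> str:
    """Map a user level to its tier name, as in the access table."""
    if 1 <= level <= 4:
        return "agent"
    if level in (5, 6):
        return "supervisor"
    if level in (7, 8):
        return "manager"
    if level == 9:
        return "admin"
    raise ValueError(f"unknown user level {level}")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Active sessions: token id (jti) -> last activity time.
    Tracking them server side is what makes immediate revocation possible."""

    def __init__(self):
        self.active = {}

    def open(self, jti: str, now: int) -> None:
        self.active[jti] = now

    def revoke(self, jti: str) -> None:
        self.active.pop(jti, None)

    def touch(self, jti, now: int) -> bool:
        """Refresh the inactivity timer; False if unknown, revoked or idle too long."""
        last = self.active.get(jti)
        if last is None or now - last > SESSION_TTL:
            self.active.pop(jti, None)
            return False
        self.active[jti] = now
        return True


def issue_jwt(key: bytes, user_id: int, level: int, now: int, store: SessionStore) -> str:
    """Sign header.claims with HMAC-SHA256 and register the session."""
    jti = secrets.token_urlsafe(16)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "level": level, "role": role_for_level(level),
              "iat": now, "exp": now + SESSION_TTL, "jti": jti}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    store.open(jti, now)
    return signing_input + "." + b64url(sig)


def decode_jwt(key: bytes, token: str, now: int, store: SessionStore):
    """Claims if signature, algorithm, expiry and server-side session all check out."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None                   # pin the algorithm: no alg=none, no key confusion
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(s), expected):
            return None                   # forged or tampered
        claims = json.loads(b64url_decode(p))
    except (ValueError, AttributeError, TypeError):   # malformed base64 / JSON
        return None
    if not isinstance(claims, dict):
        return None
    if now >= claims.get("exp", 0) or not store.touch(claims.get("jti"), now):
        return None                       # hard expiry, inactivity, or revoked
    return claims


def authorize(key: bytes, token: str, route: str, now: int, store: SessionStore):
    """The check every API route performs: (HTTP status, claims or None)."""
    claims = decode_jwt(key, token, now, store)
    if claims is None:
        return 401, None
    if int(claims.get("level", 0)) < ROUTE_MIN_LEVEL.get(route, 9):
        return 403, claims                # authenticated, but not this tier
    return 200, claims
```

An agent's token yields 200 on `/api/callbacks` and 403 on `/api/recordings` regardless of which links the sidebar rendered; editing the `level` claim in a captured token yields 401 because the signature no longer matches, and `store.revoke(jti)` turns a still-valid token into a 401 on the next request.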