Security and Account Practices

Last updated: May 24, 2026.

Security principles

• Use HTTPS everywhere.
• Store passwords using modern salted password hashing.
• Use secure, HttpOnly cookies for sessions.
• Rate-limit login and sensitive account actions.
• Require stronger protection for admin accounts.
• Verify payment webhooks before issuing licenses.
• Keep downloads behind entitlement checks when needed.
• Publish checksums for installers and release files.

MFA direction

The planned account system should support passkeys and authenticator apps first. A Duo OIDC Universal Prompt adapter is the preferred external MFA integration path for higher-risk account and license actions because it can be connected behind the QuosineDSP account service without making Duo the core customer database.

SMS and voice verification should be treated as fallback methods, not the primary security claim. They require registered and compliant sending channels, are more exposed to phone-number takeover risks, and cannot honestly be described as spam-proof.

License activation

License activation should avoid asking for account passwords inside a DAW. The plugin can show a short pairing code, while the user signs in and completes MFA in the web profile. The server then issues a signed machine auth file for offline-capable use.

Admin protection

Admin routes should be protected by application roles and, preferably, an additional Cloudflare Access policy or equivalent identity layer.

Downloads and updates

Installers should be stored in durable object storage, delivered through signed or entitlement-checked URLs, and accompanied by version notes and checksums.

Reporting security issues

Security concerns can be reported to support@quosine.com with “Security” in the subject.