Authentication
Supported authentication methods
The five ways LeaseWizard authenticates users, from email + password + MFA to enterprise OIDC SSO.
LeaseWizard issues its own short-lived JWTs once the user is authenticated. The identity step itself can happen in one of five ways:
| Method | Flow | When it applies |
|---|---|---|
| Email + password + MFA email code | Password, then a 6-digit code sent to the user's email (mandatory second factor). | Default for any user without SSO. |
| Passwordless email code | User enters email; LeaseWizard sends a one-time code; user logs in with the code. | Available to all users. |
| Google OIDC | Click "Continue with Google" — user authenticates against Google. | Available for users whose email is linked to a Google account. |
| Microsoft OIDC (shared app) | Click "Continue with Microsoft" — user authenticates against Microsoft Identity Platform via a LeaseWizard-owned app registration (common tenant). | Available to any Microsoft work or personal account; limited identity claims. |
| Enterprise OIDC SSO | Per-organization OIDC connection against the customer's own IdP (Entra ID, Okta, Ping, Keycloak, Auth0, etc.). | This is the enterprise path. See Enterprise SSO. |
Only users who are members of at least one LeaseWizard organization can complete login. A successful IdP authentication without a matching organization membership is rejected.
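The membership rule above, combined with the short-lived JWT issued after the identity step, as an added example (not LeaseWizard's own code). The signing key, HS256, the 300-second lifetime, the claim names, the membership table and both function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data. The key, the TTL, the HS256 algorithm and the claim
# names are assumptions for illustration, not LeaseWizard's real values.
SIGNING_KEY = b"demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 300
MEMBERSHIPS = {"alice@example.com": ["org-acme"], "bob@example.com": []}

class LoginRejected(Exception):
    """Raised when login cannot complete or a token fails validation."""

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_session_token(email, idp_verified, now=None):
    """Runs after the identity step, whichever of the five methods was used."""
    if not idp_verified:
        raise LoginRejected("identity step failed")
    email = email.strip().lower()
    orgs = MEMBERSHIPS.get(email, [])
    if not orgs:  # authenticated at the IdP, but not a member of any organization
        raise LoginRejected("no organization membership")
    now = int(time.time()) if now is None else now
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"sub": email, "orgs": orgs, "iat": now, "exp": now + TOKEN_TTL_SECONDS})
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + _b64url(_sign(signing_input))

def verify_session_token(token, now=None):
    """Checks the signature first, then the pinned algorithm, then expiry."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        if not hmac.compare_digest(_unb64url(sig_b64), _sign(f"{head_b64}.{body_b64}")):
            raise LoginRejected("bad signature")
        header, claims = json.loads(_unb64url(head_b64)), json.loads(_unb64url(body_b64))
    except (ValueError, TypeError) as exc:
        raise LoginRejected("malformed token") from exc
    if header.get("alg") != "HS256":
        raise LoginRejected("unexpected algorithm")
    if now >= claims["exp"]:
        raise LoginRejected("token expired")
    return claims
```

The gate sits after the identity step, so it applies equally to password, email-code and OIDC logins: a valid IdP assertion alone never yields a token.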