Hi there, During the security review of Fleet, I need to provide the below details. Can someone help here?   1: The Admin password is stored securely and in an encrypted manner in the DB? 2: Will there be a multi factor authentication support? 3: How many admin user accounts are supported? 4: When does the cookies gets timed out and flushed? (I haven't re-logged in quite sometime).

https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/7-Security-best-practices.md has answers to many of those questions

Pardon jumping on to this thread, but… the nice thing about local accounts having MFA is to satisfy/check the box of security access controls that say use separate read only and r/w accounts

If folks are keen on that, please feel free to file an issue so that we can keep it in mind when planning.

I got most of the details for my queries from the above link. It has information on session timeouts and all. But it do not convey explicit information on cookies and its expiry. Is that as well the same?

It's admin-configurable: https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/7-Security-best-practices.md#authentication-tokens