Authenticating with Google or Microsoft
Sign-up and sign-in on the Figures platform go through a Google Workspace or Microsoft 365 account (companies that use neither can request a one-time login link, described below). Under the hood, those connections use OAuth 2.0, the industry-standard authorization protocol, together with the providers' OpenID Connect identity layer, which is what actually tells Figures who the signed-in user is.
Why OAuth 2.0
Most online tools require you to create and remember a login and password. This creates an incredibly wide attack surface on your company's data: on the one hand, different tools have vastly differing security practices, and on the other hand, your users have vastly differing security awareness. The bottom line is that you end up with a large number of passwords, possibly weak and reused, stored in a possibly insecure way in a large number of databases you can neither control nor audit.
For this reason, we at Figures do not and will not store passwords in our databases. This is intended to give you a maximum of both security and control:
The technical aspects are handled by providers (Microsoft / Google) who are known to have best-in-class security practices.
The human aspect is under your control: only you can give access to your Figures data, first by creating a mailbox on your domain, then by having your Figures admin authorize access for that specific email address.
Your data at Figures
By design, the sign-in flow only involves the minimum amount of data needed to identify a user: the provider returns the identity claims covered by the scopes requested, and nothing else about the account.
When you connect to Figures through Microsoft / Google, our servers receive the fields listed below. Not all of them are stored in our database; the rest are discarded upon receipt:
| Field | Stored | Comment |
| --- | --- | --- |
| Provider ID | ✅ | A random-looking string of characters that identifies the account in the provider's database. |
| Email address | ✅ | |
| First and last names | ✅ | |
| Profile picture | ✅ | The public profile picture, visible for example when the user sends an email. |
| Gender | ❌ | |
| Profile link | ❌ | |
| Preferred language | ❌ | |
| Job title | ❌ | |
| Phone numbers | ❌ | Microsoft only |
Italicized items are optional and only provided if they are present in the account.
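To make the two security points above concrete (only allow-listed fields are kept, and only pre-authorized email addresses get in), here is an added example, not Figures' own code, of what a backend can do with the claims of an already-validated Google / Microsoft ID token. The claim names follow the standard OpenID Connect profile; the in-memory user directory, the rule that the email must be provider-verified, and the pinning of the provider ID on first login are assumptions made for illustration.

```python
"""Added example (not Figures' code): keep only allow-listed identity claims and
map them onto a user that an admin has already registered.

Assumes the caller has already validated the ID token itself (signature, iss,
aud, exp, nonce). Claim names are the standard OpenID Connect ones."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Fields the page says are stored; everything else in the token is discarded.
STORED_CLAIMS = ("sub", "email", "given_name", "family_name", "picture")


@dataclass
class User:
    email: str
    provider_sub: Optional[str] = None      # provider ID, pinned on first login
    profile: Dict[str, str] = field(default_factory=dict)


def minimise_claims(claims: Dict[str, object]) -> Dict[str, object]:
    """Drop gender, locale, job title, phone numbers, profile link, etc."""
    return {k: claims[k] for k in STORED_CLAIMS if k in claims}


def process_oidc_login(claims: Dict[str, object],
                       directory: Dict[str, User]) -> Tuple[Optional[User], str]:
    """Return (user, "") on success or (None, reason) on rejection.

    Assumed policy: the provider must vouch for the email (email_verified),
    the email must already be in the admin-managed directory, and the
    provider ID ('sub') is pinned the first time so that a different provider
    account later re-using the same address cannot take over the user.
    """
    if not claims.get("email_verified", False):
        return None, "email not verified by the provider"
    kept = minimise_claims(claims)
    sub, email = kept.get("sub"), kept.get("email")
    if not isinstance(sub, str) or not isinstance(email, str):
        return None, "token is missing the subject or email claim"
    user = directory.get(email.strip().lower())
    if user is None:
        return None, "email address has not been authorized by a Figures admin"
    if user.provider_sub is None:
        user.provider_sub = sub                  # first login: bind the account
    elif user.provider_sub != sub:
        return None, "provider account does not match the one first used"
    # Only the stored profile fields survive; 'sub' and 'email' live on the user.
    user.profile = {k: str(v) for k, v in kept.items() if k not in ("sub", "email")}
    return user, ""
```

The ordering matters: the verified-email check comes before the directory lookup so an unverified address never reaches the matching step, and the provider ID comparison runs on every login after the first so the stored Provider ID does real work rather than being a passive record.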
Here is the documentation of the tools used in our OAuth 2.0 authentication flow:
How does "Sign-in with a login link" work?
If you use neither Microsoft nor Google within your company, then you can request an individual Login Link via "Sign-in with a Login Link" to gain access to Figures.
As with any of the other login options, the precondition for gaining access this way is that your email address has already been registered as a user in our backend.
To receive the Login Link, click "Sign-in with a Login Link" and enter your email address. You will receive an email containing the Login Link (valid for 24 hours) in your inbox. Clicking it gives you direct access to your Figures account.
Keep in mind that each Login Link can only be used once, so you have to request a new one each time you want to access your Figures account.
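The three properties described above (only for registered addresses, valid 24 hours, single use) are exactly what a login-link store has to enforce. The following is an added example, not Figures' own implementation: it stores only a SHA-256 digest of each random token, so a leaked database does not yield usable links, and it consumes the token atomically on redemption. The URL, the in-memory store and the injectable clock are assumptions for illustration.

```python
"""Added example (not Figures' code): issue and redeem one-time login links.

Assumptions: 24-hour validity, single use, only registered email addresses
get a link, and the store keeps a SHA-256 digest rather than the raw token."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

LINK_TTL_SECONDS = 24 * 60 * 60
BASE_URL = "https://example.invalid/login"   # placeholder, not a Figures URL


class LoginLinkStore:
    def __init__(self, registered_emails: Set[str],
                 now: Callable[[], float] = time.time) -> None:
        self.registered = {e.strip().lower() for e in registered_emails}
        self.now = now
        # digest(token) -> (email, expiry timestamp); raw tokens are never kept
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> Optional[str]:
        """Return the URL to e-mail, or None if the address is not registered.

        The HTTP layer should answer identically in both cases so the request
        form cannot be used to enumerate which addresses are registered."""
        email = email.strip().lower()
        if email not in self.registered:
            return None
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self.now() + LINK_TTL_SECONDS)
        return f"{BASE_URL}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the email for a valid link and consume it; None otherwise."""
        entry = self._pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:              # expired links are just dropped
            return None
        return email

    def purge_expired(self) -> int:
        """Housekeeping: drop expired entries; returns how many were removed."""
        now = self.now()
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)


def token_from_url(url: str) -> str:
    """Helper for callers/tests: pull the token back out of an issued URL."""
    return url.split("token=", 1)[1]
```

Note that `redeem` pops the entry before checking expiry: an expired link is removed on the first attempt to use it, and a second attempt with a valid link fails because the entry is already gone. In a real deployment the pop-then-check would be a single transactional delete against the database so that two concurrent clicks cannot both succeed.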
Why isn't it possible to login using email and password?
We chose not to allow the traditional email/password sign-in method for security reasons: password-based login is one of the most frequently attacked vectors (weak, reused and phished passwords), and not holding passwords at all removes that attack surface from Figures entirely.