Identity-based access only. Sessions expire after 8 hours.
Sessions are stored in the database. Sign-ins are recorded in the audit log.