Security
Two-factor authentication (2FA)
Enable 2FA on your account:
Account → Security → Two-Factor Authentication → Enable
Supported methods:
- TOTP (Google Authenticator, Authy, 1Password, etc.)
- SMS (backup only — not recommended as primary)
Enforcing 2FA for all users
Account owners and admins can require 2FA for all team members:
Account → Security → Require 2FA for all users → Enable
Users without 2FA configured will be redirected to set it up on their next login.
Active sessions
View and revoke active sessions:
Account → Security → Active Sessions
Revoke individual sessions (e.g. a lost device) or click Sign out all devices to invalidate all sessions at once.
Login history
Account → Security → Login History shows the last 90 days of login events including IP address, device, and timestamp.
Password policy
- Minimum 12 characters
- Cannot reuse the last 5 passwords
- Forced rotation can be configured (Enterprise)
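The two checks a server has to make when a user sets a new password under this policy, the 12-character minimum and the "last 5" reuse rule, are shown below as an added example. It is not the product's own code: it assumes the history is stored as salted PBKDF2-HMAC-SHA256 digests (the product's real hashing scheme is not stated on this page) and that the reuse check is done by re-hashing the candidate against each stored record, so plaintext history is never kept.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Policy values from the page.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
# Assumption for this demo: PBKDF2-HMAC-SHA256. Kept low so the example runs
# quickly; a production store would use a far higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 100_000


@dataclass
class PasswordRecord:
    """One entry of a user's password history: per-record salt plus digest."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return PasswordRecord(salt=salt, digest=digest)


def matches(password: str, record: PasswordRecord) -> bool:
    """Re-derive with the record's salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record.digest)


def validate_new_password(new_password: str, history: List[PasswordRecord]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    history is newest-first: history[0] is the current password, the rest are older ones.
    """
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    # Only the most recent HISTORY_DEPTH records count toward the reuse rule.
    for record in history[:HISTORY_DEPTH]:
        if matches(new_password, record):
            problems.append(f"cannot reuse any of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def rotate_password(new_password: str, history: List[PasswordRecord]) -> List[PasswordRecord]:
    """Apply the policy, then push the new digest onto the history, keeping at most HISTORY_DEPTH."""
    problems = validate_new_password(new_password, history)
    if problems:
        raise ValueError("; ".join(problems))
    return [hash_password(new_password)] + history[: HISTORY_DEPTH - 1]


if __name__ == "__main__":
    hist = [hash_password("correct horse battery")]
    print(validate_new_password("short", hist))
    print(validate_new_password("correct horse battery", hist))
    hist = rotate_password("a brand new passphrase", hist)
    print(len(hist), "records kept")
```

Because each history entry carries its own salt, the reuse check costs one KDF derivation per stored record; capping the stored history at HISTORY_DEPTH keeps that bounded and is also all the policy requires.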
SSO (Enterprise)
Enterprise plans support SAML 2.0 SSO:
Account → Security → Single Sign-On
With SSO enabled:
- Users log in via your identity provider (Okta, Azure AD, Google Workspace)
- Password-based login is disabled for SSO users
- Provisioning/deprovisioning is handled by your IdP (SCIM optional)
Audit log
All significant account actions are logged:
Account → Security → Audit Log
Events include: logins, user invites/removals, policy publishes, API key creation/revocation, billing changes.
The audit log is retained for 2 years and can be exported as CSV on request.
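What to do with a CSV export once you have it is the natural next step of the Login History and Audit Log sections above. The following added example (not the product's own code; the column names `timestamp,actor,event,ip,device` and the event names are assumptions, and the rows are constructed sample data) reads an export and surfaces two things a reviewer would want: logins from an IP address that actor has not used earlier in the export, and the high-value events the page lists (API key creation/revocation, user removals, billing changes), with a note when such an event follows a new-IP login from the same address.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample export. The schema and event names are assumptions made for
# this example, not the product's documented CSV format.
SAMPLE_CSV = """timestamp,actor,event,ip,device
2024-05-01T08:02:11Z,alice@example.com,login,203.0.113.10,Chrome on macOS
2024-05-01T08:05:40Z,alice@example.com,policy.publish,203.0.113.10,Chrome on macOS
2024-05-02T22:14:03Z,alice@example.com,login,198.51.100.77,Firefox on Windows
2024-05-02T22:15:30Z,alice@example.com,api_key.create,198.51.100.77,Firefox on Windows
2024-05-03T09:00:00Z,bob@example.com,login,203.0.113.22,Safari on iOS
2024-05-03T09:01:12Z,bob@example.com,user.remove,203.0.113.22,Safari on iOS
"""

# Event types worth surfacing on their own (assumed names, mirroring the page's list).
HIGH_VALUE_EVENTS = {"api_key.create", "api_key.revoke", "user.remove", "billing.change"}

Finding = Tuple[str, str, str]  # (timestamp, actor, description)


def parse_audit_csv(text: str) -> List[Dict[str, str]]:
    """Parse an export into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: List[Dict[str, str]]) -> List[Finding]:
    """Walk the rows in order and return findings a reviewer should look at.

    Rows are assumed to be in chronological order, as an export would be.
    """
    findings: List[Finding] = []
    seen_ips: Dict[str, Set[str]] = defaultdict(set)   # actor -> IPs used so far
    new_ip_login: Dict[str, str] = {}                   # actor -> IP of their last flagged login

    for row in rows:
        actor, event, ip = row["actor"], row["event"], row["ip"]
        if event == "login":
            # First-ever login for an actor establishes a baseline; later logins
            # from an address not in the baseline are flagged.
            if seen_ips[actor] and ip not in seen_ips[actor]:
                findings.append((row["timestamp"], actor,
                                 f"login from new IP {ip} ({row['device']})"))
                new_ip_login[actor] = ip
            seen_ips[actor].add(ip)
        elif event in HIGH_VALUE_EVENTS:
            note = ""
            if new_ip_login.get(actor) == ip:
                note = " following a new-IP login from the same address"
            findings.append((row["timestamp"], actor, f"{event} from {ip}{note}"))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(parse_audit_csv(text))


if __name__ == "__main__":
    for ts, actor, what in triage_text(SAMPLE_CSV):
        print(ts, actor, what)
```

The new-IP rule is deliberately per-export: with only 90 days of login history (and 2 years of audit log) the first login seen for each actor seeds the baseline, so on a fresh export the first event for every user is never a finding. For an ongoing review, persist seen_ips between runs instead of rebuilding it.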
Signing keys
Consent receipt HMAC signing keys are managed at:
Account → Security → Signing Keys
See Audit Chain for how signing keys are used.