Security Settings
AdministratorsSettings & Configuration
Configure 2FA, session management, and passkeys.
Accessing Security Settings
- Go to Settings → Security
- Configure organization-wide security
Two-Factor Authentication (2FA)
Organization Setting
| Option | Description |
|---|---|
| Optional | Users can enable if they want |
| Required | All users must enable 2FA |
| Required for Admins | Only Admin+ must enable |
2FA Methods
-
Authenticator App (Recommended)
- Google Authenticator
- Authy
- Microsoft Authenticator
-
Email Code
- Code sent to email
- Fallback option
-
Passkeys (Most secure)
- Face ID, Touch ID, Windows Hello
- Hardware security keys
Passkeys (WebAuthn)
What Are Passkeys?
Passwordless sign-in using:
- Face ID (iPhone, Mac)
- Touch ID (Mac)
- Windows Hello
- Security keys (YubiKey)
Enabling Passkeys
Admins can:
- Go to Security Settings
- Toggle Allow Passkeys
- Users can then add passkeys in their profile
User Setup
- Go to Profile → Security
- Click Add Passkey
- Follow device prompts
- Name the passkey
- Done — can sign in with biometric
Session Management
Session Timeout
How long before inactive users are logged out:
| Setting | Recommended |
|---|---|
| Web sessions | 8-24 hours |
| Mobile sessions | 30 days |
Active Sessions
Users can view and revoke sessions:
- Profile → Security → Active Sessions
- See all logged-in devices
- Click Revoke to force logout
Password Requirements
Configure password policy:
| Setting | Options |
|---|---|
| Minimum length | 8-16 characters |
| Require uppercase | Yes/No |
| Require numbers | Yes/No |
| Require symbols | Yes/No |
| Expiration | Never, 30, 60, 90 days |
Account Lockout
Prevent brute force attacks:
| Setting | Recommended |
|---|---|
| Failed attempts before lock | 5 |
| Lockout duration | 30 minutes |
| Reset after | 30 minutes |
Admin Actions
Force Password Reset
Make specific user reset password:
- Go to Team → Select user
- Click Force Password Reset
- User must reset on next login
Force Logout
Sign out user from all devices:
- Go to Team → Select user
- Click Revoke All Sessions
- User logged out everywhere
Audit Logging
Security events are logged:
- Login attempts (success/fail)
- Password changes
- 2FA changes
- Passkey additions
- Session revocations
View at Settings → Audit Logs.
Tips
- Require 2FA for admins — Minimum security
- Use passkeys — Most secure option
- Review audit logs — Catch suspicious activity
- Set reasonable timeouts — Balance security and usability
Related Articles
Was this article helpful?