Configure team security
Control how your team signs in to the admin dashboard. Pick sign-in methods, require two-factor authentication, and review a tamper-evident log of every security-sensitive change.
The Security page controls team member sign-in (admins and members). For portal user sign-in (customers submitting feedback), see Portal Authentication.
Everything here lives under Admin → Settings → Security, which has a Team tab and a Portal tab. This page covers the Team tab plus the Audit log.
Team sign-in methods
On the Team tab, the Sign-in methods card controls how team members sign in.
| Setting | Description |
|---|---|
| Password | Email and password. Can't be turned off while it's the only method, or while Require 2FA is on. |
| Magic link | A one-click link emailed to the user. See magic-link sign-in. |
| Require 2FA for team members | Forces a TOTP code on every password sign-in. |
| Email me when a new device signs in | Notifies the account owner on sign-in from an unrecognized browser or network. On by default. |
Single sign-on is configured separately on the SSO page.
Magic link is always used for team invitations and recovery-code sign-in, even when the magic-link toggle is off. The toggle only controls whether magic link appears on the sign-in form.
Two-factor authentication
Two-factor authentication (2FA) adds a 6-digit code from an authenticator app on top of a password. It has no effect on SSO sign-ins — SSO MFA is handled by your identity provider.
Enroll in 2FA
Each team member enrolls themselves from their account settings:
- Open Account settings and find Two-factor authentication.
- Click Set up authenticator and confirm your password.
- Scan the QR code with Google Authenticator, 1Password, Authy, or any TOTP app.
- Enter the 6-digit code to verify.
- Save the backup codes shown — each works once if you lose your authenticator.
To turn it off, click Disable two-factor and confirm your password.
Require 2FA for everyone
Turn on Require 2FA for team members on the Team tab to enforce it workspace-wide:
- Every admin and member must complete a TOTP challenge on each password sign-in.
- Magic-link sign-in is refused for anyone who has enrolled — they must use the password + TOTP flow.
- Members who haven't enrolled yet are sent to set up 2FA before they can continue.
Require 2FA needs Password sign-in enabled, because enrolling a TOTP authenticator requires confirming a password.
Reset a member's 2FA
If a team member loses their authenticator and their backup codes, an admin can clear their enrollment from Admin → Settings → Members — open the member's actions and choose Reset 2FA. The member re-enrolls on their next sign-in. The reset is recorded in the audit log.
Recovery codes
Recovery codes are break-glass passcodes for signing in when SSO is unavailable. They're generated and managed on the SSO page, not here.
Audit log
The audit log is an append-only record of security-sensitive admin actions. Find it at Admin → Settings → Audit log.
It captures:
- SSO connection changes and per-domain enforcement toggles
- Sign-in method changes (password, magic link)
- 2FA admin resets
- Recovery-code generation and use
- Bulk session revocations
- Role changes, including those from SSO attribute mapping
- Sign-ins, new-device sign-ins, and rate-limited attempts
Each entry records the actor, their IP and user agent, the event type and outcome, and before/after values. Filter by actor and time range to investigate a specific change.
Review the audit log after any access change — a new admin, a removed member, or an SSO reconfiguration. It's the fastest way to confirm who did what.
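As an added example (not Quackback code), here is a short Python triage over audit entries shaped like the fields listed above: filter by actor and time range, then surface successful changes that grant admin or switch a protection off. The key names, event strings and sample entries are hypothetical and constructed for illustration; this page does not document an export format.

```python
from datetime import datetime

# Constructed sample entries. Key names and event strings are hypothetical:
# they mirror the fields this page lists, not a documented export format.
SAMPLE = [
    {"time": "2025-03-01T09:00:00+00:00", "actor": "alice@example.com",
     "ip": "198.51.100.7", "user_agent": "Firefox/136", "event": "role.change",
     "outcome": "success", "before": {"role": "member"}, "after": {"role": "admin"}},
    {"time": "2025-03-01T09:05:00+00:00", "actor": "alice@example.com",
     "ip": "198.51.100.7", "user_agent": "Firefox/136", "event": "signin_methods.change",
     "outcome": "success", "before": {"require_2fa": True}, "after": {"require_2fa": False}},
    {"time": "2025-03-01T09:06:00+00:00", "actor": "bob@example.com",
     "ip": "203.0.113.9", "user_agent": "curl/8.5", "event": "signin",
     "outcome": "rate_limited", "before": {}, "after": {}},
]

def select(entries, actor=None, start=None, end=None):
    """Filter by actor and an inclusive time range (ISO 8601 strings)."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    def keep(e):
        t = datetime.fromisoformat(e["time"])
        return ((actor is None or e["actor"] == actor)
                and (lo is None or t >= lo) and (hi is None or t <= hi))
    return [e for e in entries if keep(e)]

def changed(entry):
    """Return {key: (before, after)} for every value that differs."""
    keys = set(entry["before"]) | set(entry["after"])
    return {k: (entry["before"].get(k), entry["after"].get(k)) for k in keys
            if entry["before"].get(k) != entry["after"].get(k)}

def needs_review(entry):
    """Reasons to look closer: a successful change that grants admin or turns a protection off."""
    if entry["outcome"] != "success":
        return []
    reasons = []
    for key, (old, new) in sorted(changed(entry).items()):
        if key == "role" and new == "admin":
            reasons.append(f"{entry['actor']} changed role {old} -> admin")
        elif old is True and new is False:
            reasons.append(f"{entry['actor']} turned off {key}")
    return reasons

if __name__ == "__main__":
    for e in select(SAMPLE, actor="alice@example.com",
                    start="2025-03-01T00:00:00+00:00", end="2025-03-01T23:59:59+00:00"):
        print(e["time"], e["event"], e["ip"], needs_review(e))
```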
Sign-in hardening
Quackback rate-limits password and magic-link sign-in attempts per IP and email address, and tracks devices so it can email the account owner the first time a new device signs in. The new-device email is on by default and can be turned off on the Team tab.
Next steps
- Set up single sign-on — connect your IdP and require SSO
- Portal Authentication — configure sign-in for customers
- Team Members — invite and manage your team