Skip to content

Configure team security

Control how your team signs in to the admin dashboard. Pick sign-in methods, require two-factor authentication, and review a tamper-evident log of every security-sensitive change.

The Security page controls team member sign-in (admins and members). For portal user sign-in (customers submitting feedback), see Portal Authentication.

Everything here lives under Admin → Settings → Security, which has a Team tab and a Portal tab. This page covers the Team tab plus the Audit log.

Team sign-in methods

On the Team tab, the Sign-in methods card controls how team members sign in.

MethodDescription
PasswordEmail and password. Can't be turned off while it's the only method, or while Require 2FA is on.
Magic linkA one-click link emailed to the user. See magic-link sign-in.
Require 2FA for team membersForces a TOTP code on every password sign-in.
Email me when a new device signs inNotifies the account owner on sign-in from an unrecognized browser or network. On by default.

Single sign-on is configured separately on the SSO page.

Magic link is always used for team invitations and recovery-code sign-in, even when the magic-link toggle is off. The toggle only controls whether magic link appears on the sign-in form.

Two-factor authentication

Two-factor authentication (2FA) adds a 6-digit code from an authenticator app on top of a password. It has no effect on SSO sign-ins — SSO MFA is handled by your identity provider.

Enroll in 2FA

Each team member enrolls themselves from their account settings:

  1. Open Account settings and find Two-factor authentication.
  2. Click Set up authenticator and confirm your password.
  3. Scan the QR code with Google Authenticator, 1Password, Authy, or any TOTP app.
  4. Enter the 6-digit code to verify.
  5. Save the backup codes shown — each works once if you lose your authenticator.

To turn it off, click Disable two-factor and confirm your password.

Require 2FA for everyone

Turn on Require 2FA for team members on the Team tab to enforce it workspace-wide:

  • Every admin and member must complete a TOTP challenge on each password sign-in.
  • Magic-link sign-in is refused for anyone who has enrolled — they must use the password + TOTP flow.
  • Members who haven't enrolled yet are sent to set up 2FA before they can continue.

Require 2FA needs Password sign-in enabled, because enrolling a TOTP authenticator requires confirming a password.

Reset a member's 2FA

If a team member loses their authenticator and their backup codes, an admin can clear their enrollment from Admin → Settings → Members — open the member's actions and choose Reset 2FA. The member re-enrolls on their next sign-in. The reset is recorded in the audit log.

Recovery codes

Recovery codes are break-glass passcodes for signing in when SSO is unavailable. They're generated and managed on the SSO page, not here.

Audit log

The audit log is an append-only record of security-sensitive admin actions. Find it at Admin → Settings → Audit log.

It captures:

  • Authentication — sign-in success and failure, new-device sign-ins, rate-limited attempts, sign-in method toggles (password, magic link).
  • SSO — connection changes, per-domain enforcement, recovery-code generation and use.
  • Team — role changes (including those from SSO attribute mapping), 2FA admin resets, bulk session revocations.
  • Portal access — visibility flips, allowed-domain edits, allowed-segment edits, widget sign-in toggle, and authenticated-but-unauthorized denials at the portal gate.
  • Portal invites — sends, resends, accepts, revokes, link copies (portal.invite.link_minted), and expirations from the daily sweep.
  • Boards — per-board access matrix changes (View / Vote / Comment / Submit tiers and segment allowlists).
  • Moderation — workspace moderation default changes, plus approve, reject, and hold actions on individual posts and comments.
  • Widget handshake — OTT exchanges that succeeded or were rejected. Grouped as Widget activity in the filter and hidden by default to keep noise down; turn it on when you're debugging a handoff issue.

Each entry records the actor, their IP, user agent, request id, actor type (user / service / api key / anonymous / system), and the auth method used (password, sso, magic_link, ott, api_key, session). Filter by actor, event type, or time range to investigate a specific change. Export the filtered view as CSV for forensics or compliance.

Review the audit log after any access change — a new admin, a removed member, an SSO reconfiguration, or a portal-access edit. It's the fastest way to confirm who did what.

Sign-in hardening

Quackback rate-limits password and magic-link sign-in attempts per IP and email address, and tracks devices so it can email the account owner the first time a new device signs in. The new-device email is on by default and can be turned off on the Team tab.

Next steps