Configure team security
Control how your team signs in to the admin dashboard. Pick sign-in methods, require two-factor authentication, and review a tamper-evident log of every security-sensitive change.
The Security page controls team member sign-in (admins and members). For portal user sign-in (customers submitting feedback), see Portal Authentication.
Everything here lives under Admin → Settings → Security, which has a Team tab and a Portal tab. This page covers the Team tab plus the Audit log.
Team sign-in methods
On the Team tab, the Sign-in methods card controls how team members sign in.
| Method | Description |
|---|---|
| Password | Email and password. Can't be turned off while it's the only method, or while Require 2FA is on. |
| Magic link | A one-click link emailed to the user. See magic-link sign-in. |
| Require 2FA for team members | Forces a TOTP code on every password sign-in. |
| Email me when a new device signs in | Notifies the account owner on sign-in from an unrecognized browser or network. On by default. |
Single sign-on is configured separately on the SSO page.
Magic link is always used for team invitations and recovery-code sign-in, even when the magic-link toggle is off. The toggle only controls whether magic link appears on the sign-in form.
Two-factor authentication
Two-factor authentication (2FA) adds a 6-digit code from an authenticator app on top of a password. It has no effect on SSO sign-ins — SSO MFA is handled by your identity provider.
Enroll in 2FA
Each team member enrolls themselves from their account settings:
- Open Account settings and find Two-factor authentication.
- Click Set up authenticator and confirm your password.
- Scan the QR code with Google Authenticator, 1Password, Authy, or any TOTP app.
- Enter the 6-digit code to verify.
- Save the backup codes shown — each works once if you lose your authenticator.
To turn it off, click Disable two-factor and confirm your password.
Require 2FA for everyone
Turn on Require 2FA for team members on the Team tab to enforce it workspace-wide:
- Every admin and member must complete a TOTP challenge on each password sign-in.
- Magic-link sign-in is refused for anyone who has enrolled — they must use the password + TOTP flow.
- Members who haven't enrolled yet are sent to set up 2FA before they can continue.
Require 2FA needs Password sign-in enabled, because enrolling a TOTP authenticator requires confirming a password.
Reset a member's 2FA
If a team member loses their authenticator and their backup codes, an admin can clear their enrollment from Admin → Settings → Members — open the member's actions and choose Reset 2FA. The member re-enrolls on their next sign-in. The reset is recorded in the audit log.
Recovery codes
Recovery codes are break-glass passcodes for signing in when SSO is unavailable. They're generated and managed on the SSO page, not here.
Audit log
The audit log is an append-only record of security-sensitive admin actions. Find it at Admin → Settings → Audit log.
It captures:
- Authentication — sign-in success and failure, new-device sign-ins, rate-limited attempts, sign-in method toggles (password, magic link).
- SSO — connection changes, per-domain enforcement, recovery-code generation and use.
- Team — role changes (including those from SSO attribute mapping), 2FA admin resets, bulk session revocations.
- Portal access — visibility flips, allowed-domain edits, allowed-segment edits, widget sign-in toggle, and authenticated-but-unauthorized denials at the portal gate.
- Portal invites — sends, resends, accepts, revokes, link copies (
portal.invite.link_minted), and expirations from the daily sweep. - Boards — per-board access matrix changes (View / Vote / Comment / Submit tiers and segment allowlists).
- Moderation — workspace moderation default changes, plus approve, reject, and hold actions on individual posts and comments.
- Widget handshake — OTT exchanges that succeeded or were rejected. Grouped as Widget activity in the filter and hidden by default to keep noise down; turn it on when you're debugging a handoff issue.
Each entry records the actor, their IP, user agent, request id, actor type (user / service / api key / anonymous / system), and the auth method used (password, sso, magic_link, ott, api_key, session). Filter by actor, event type, or time range to investigate a specific change. Export the filtered view as CSV for forensics or compliance.
Review the audit log after any access change — a new admin, a removed member, an SSO reconfiguration, or a portal-access edit. It's the fastest way to confirm who did what.
Sign-in hardening
Quackback rate-limits password and magic-link sign-in attempts per IP and email address, and tracks devices so it can email the account owner the first time a new device signs in. The new-device email is on by default and can be turned off on the Team tab.
Next steps
- Set up single sign-on — connect your IdP and require SSO
- Portal Authentication — configure sign-in for customers
- Team Members — invite and manage your team