Security, MFA, and sessions
Use Authentication > Security to control the risk level of account access. This page covers MFA, session duration, bot prevention, step-up authentication, and privileged sessions.

Start with session policy
Review:
- how long a normal session lasts
- when idle sessions expire
- whether remember-me behavior is allowed
- whether admins need a shorter session duration
- whether session changes should force reauthentication
Shorter sessions reduce risk but can frustrate users. Longer sessions improve convenience but require stronger safeguards.
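The following Python example, added here for illustration and not part of the product's own code, evaluates a session against each of the policy questions above: absolute lifetime, idle timeout, remember-me, a shorter admin cap, and forced reauthentication after a security-relevant change. The policy values, the `SessionPolicy`, `Account` and `Session` classes, and the sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Hypothetical policy object; the real product's settings have their own names.
@dataclass(frozen=True)
class SessionPolicy:
    max_lifetime: timedelta          # absolute cap measured from sign-in
    idle_timeout: timedelta          # end the session after this much inactivity
    allow_remember_me: bool          # may a user request a long-lived session?
    remember_me_lifetime: timedelta  # absolute cap when remember-me is granted
    admin_max_lifetime: timedelta    # shorter cap applied to admin accounts


@dataclass
class Account:
    user_id: str
    is_admin: bool
    # When a security-relevant setting last changed (password reset, MFA change,
    # email change). Sessions issued before this instant must reauthenticate.
    security_changed_at: datetime


@dataclass
class Session:
    user_id: str
    issued_at: datetime
    last_seen_at: datetime
    remember_me: bool


POLICY = SessionPolicy(
    max_lifetime=timedelta(days=7),
    idle_timeout=timedelta(hours=12),
    allow_remember_me=True,
    remember_me_lifetime=timedelta(days=30),
    admin_max_lifetime=timedelta(hours=8),
)


def evaluate_session(session, account, policy, now):
    """Return (is_valid, reason). The reason names the rule that decided the outcome."""
    # Rule 1: a security-relevant change forces reauthentication of older sessions.
    if session.issued_at < account.security_changed_at:
        return False, "reauth_required_after_security_change"

    # Rule 2: absolute lifetime. Admins get the shorter cap and never remember-me;
    # ordinary users may get the longer remember-me cap if policy allows it.
    if account.is_admin:
        lifetime = min(policy.max_lifetime, policy.admin_max_lifetime)
        idle_applies = True
    elif session.remember_me and policy.allow_remember_me:
        lifetime = policy.remember_me_lifetime
        idle_applies = False  # convenience: remember-me sessions are not idle-expired
    else:
        lifetime = policy.max_lifetime
        idle_applies = True
    if now - session.issued_at > lifetime:
        return False, "absolute_lifetime_exceeded"

    # Rule 3: idle timeout.
    if idle_applies and now - session.last_seen_at > policy.idle_timeout:
        return False, "idle_timeout"

    return True, "ok"


def demo():
    """Constructed scenarios; returns the (valid, reason) result of each."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    long_ago = now - timedelta(days=90)
    user = Account("u-alice", is_admin=False, security_changed_at=long_ago)
    admin = Account("u-root", is_admin=True, security_changed_at=long_ago)
    reset_user = Account("u-bob", is_admin=False, security_changed_at=now - timedelta(hours=1))
    cases = {
        "user_active": (Session("u-alice", now - timedelta(days=1), now - timedelta(hours=1), False), user),
        "user_idle": (Session("u-alice", now - timedelta(days=1), now - timedelta(hours=13), False), user),
        "user_remember_me": (Session("u-alice", now - timedelta(days=20), now - timedelta(days=5), True), user),
        "user_remember_old": (Session("u-alice", now - timedelta(days=31), now - timedelta(hours=1), True), user),
        "admin_fresh": (Session("u-root", now - timedelta(hours=7), now - timedelta(minutes=5), True), admin),
        "admin_expired": (Session("u-root", now - timedelta(hours=9), now - timedelta(minutes=5), False), admin),
        "issued_before_reset": (Session("u-bob", now - timedelta(hours=2), now - timedelta(minutes=1), False), reset_user),
    }
    return {name: evaluate_session(s, a, POLICY, now) for name, (s, a) in cases.items()}
```

Note the ordering: the reauthentication rule runs first, so a password reset ends every older session no matter how recently it was used, and the admin cap is applied with `min()` so an admin can never end up with a longer session than an ordinary user.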
Enable MFA intentionally
MFA is useful when:
- users have access to sensitive data
- admins can change billing, security, or identity settings
- enterprise customers require stronger assurance
- account takeover risk is high
Before enforcing MFA:
- Confirm the recovery path works.
- Test enrollment with a small group.
- Communicate the change before enforcement.
- Keep a support process for lost factors.
Bot prevention
Bot prevention can include CAPTCHA, disposable email blocking, and sign-up or login rate limits.
Use it when:
- public sign-up is enabled
- trial abuse is likely
- password guessing attempts appear in logs
- provider login is exposed to a broad audience
Do not enable controls that block legitimate users without a recovery plan.
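As an added example (not the product's own bot-prevention implementation), the Python below combines a per-source rate limit with a per-account failure counter. The thresholds, the `LoginGuard` class and the attempt log are constructed assumptions; the point it shows is the recovery-plan caveat above: repeated failures against an account add a CAPTCHA challenge rather than locking the account, so the real owner can still get in while a flood from one source is hard-blocked with a retry-after value.

```python
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key inside a trailing window of `window` seconds."""

    def __init__(self, window):
        self.window = window
        self._events = defaultdict(deque)

    def count(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events that left the window
            q.popleft()
        return len(q)

    def record(self, key, now):
        self._events[key].append(now)

    def retry_after(self, key, now):
        """Seconds until the oldest in-window event ages out (0 if none)."""
        q = self._events[key]
        return self.window - (now - q[0]) if q else 0


class LoginGuard:
    """Decide, before checking a password, how to treat a login attempt.

    Two signals are combined (hypothetical thresholds):
      - per-source-IP attempt rate: exceeding it is a hard block with a retry-after,
      - per-account recent failures: exceeding it adds a CAPTCHA challenge instead of
        locking the account, so a legitimate owner under attack is slowed, not locked out.
    """

    def __init__(self, ip_limit=10, ip_window=60, fail_limit=5, fail_window=300):
        self.ip_limit, self.fail_limit = ip_limit, fail_limit
        self.by_ip = SlidingWindowCounter(ip_window)
        self.failures = SlidingWindowCounter(fail_window)

    def decide(self, ip, account, now):
        if self.by_ip.count(ip, now) >= self.ip_limit:
            return "block", self.by_ip.retry_after(ip, now)
        self.by_ip.record(ip, now)
        if self.failures.count(account, now) >= self.fail_limit:
            return "challenge", 0
        return "allow", 0

    def record_result(self, account, now, success):
        """Called after the password check; only failures feed the challenge counter."""
        if not success:
            self.failures.record(account, now)


def replay(attempts, guard=None):
    """Run constructed attempts (t, ip, account, success) through the guard; return decisions."""
    guard = guard or LoginGuard()
    decisions = []
    for t, ip, account, success in attempts:
        decision, retry_after = guard.decide(ip, account, t)
        if decision != "block":  # a blocked request never reaches the password check
            guard.record_result(account, t, success)
        decisions.append((decision, retry_after))
    return decisions


# Constructed scenario: one source hammers "alice" with wrong passwords, then the real
# owner signs in from her usual address while the failure window is still open.
ATTACKER, OWNER = "203.0.113.5", "198.51.100.7"
SAMPLE_ATTEMPTS = [(t, ATTACKER, "alice", False) for t in range(11)] + [
    (100, OWNER, "alice", True),
    (400, OWNER, "alice", True),
]
```

In the sample, the owner's sign-in at t=100 gets a challenge (not a block) because the account's failure window is still open, and by t=400 those failures have aged out and the attempt is allowed outright. Tune the windows so that the challenge, not the block, is what a legitimate user under attack sees.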
Step-up authentication
Step-up asks a user to re-authenticate before sensitive operations. Use it for actions such as:
- changing password or email
- adding MFA
- viewing or rotating keys
- changing organization owner roles
- changing SSO settings
Privileged sessions
Privileged sessions are useful when admins perform high-risk actions. Keep the window short and require fresh authentication.
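The Python example below is added to illustrate both the step-up list above and the privileged-session rule; it is not the product's own code. It keeps one "last authenticated at" timestamp per session: step-up compares that timestamp against a per-action maximum age, and elevation to a privileged session requires a fresh, MFA-backed authentication and then stays open only for a short window. The action names, age limits, window lengths and the `AuthSession` class are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical step-up table: each sensitive action and the maximum age of the
# user's last authentication it will accept before prompting again.
STEP_UP_MAX_AGE = {
    "change_password": timedelta(minutes=5),
    "change_email": timedelta(minutes=5),
    "add_mfa": timedelta(minutes=5),
    "view_key": timedelta(minutes=5),
    "rotate_key": timedelta(minutes=2),
    "change_org_owner": timedelta(minutes=2),
    "change_sso_settings": timedelta(minutes=2),
}

# Hypothetical privileged-session parameters for admins.
ELEVATION_FRESHNESS = timedelta(minutes=2)  # last auth must be at most this old to elevate
PRIVILEGED_WINDOW = timedelta(minutes=15)   # elevated state lasts at most this long


@dataclass
class AuthSession:
    user_id: str
    is_admin: bool
    last_authenticated_at: datetime  # last time credentials (plus MFA, if enrolled) were presented
    mfa_verified: bool               # did that authentication include a second factor?
    privileged_until: Optional[datetime] = None


def reauthenticate(session, now, mfa_ok):
    """Record a successful re-authentication (the outcome of a step-up prompt)."""
    session.last_authenticated_at = now
    session.mfa_verified = mfa_ok


def check_step_up(session, action, now):
    """Return (allowed, reason) for a sensitive action; deny if the last auth is too old."""
    max_age = STEP_UP_MAX_AGE[action]
    age = now - session.last_authenticated_at
    if age > max_age:
        return False, f"step_up_required:{action}:auth_age={int(age.total_seconds())}s"
    return True, "fresh_auth"


def elevate(session, now):
    """Open a privileged session; requires the admin role and a fresh, MFA-backed auth."""
    if not session.is_admin:
        return False, "not_admin"
    if not session.mfa_verified:
        return False, "mfa_required"
    if now - session.last_authenticated_at > ELEVATION_FRESHNESS:
        return False, "fresh_auth_required"
    session.privileged_until = now + PRIVILEGED_WINDOW
    return True, "elevated"


def check_privileged(session, now):
    """Gate a high-risk admin action on an open, unexpired privileged session."""
    if session.privileged_until is None or now >= session.privileged_until:
        session.privileged_until = None  # window closed: drop the elevated state
        return False, "privileged_session_required"
    return True, "privileged"


def demo():
    """Constructed walk-through; returns the outcomes in order."""
    t0 = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    s = AuthSession("u-root", is_admin=True,
                    last_authenticated_at=t0 - timedelta(hours=1), mfa_verified=True)
    out = []
    out.append(check_step_up(s, "change_password", t0))  # auth is an hour old -> step up
    reauthenticate(s, t0, mfa_ok=True)
    out.append(check_step_up(s, "change_password", t0))  # fresh -> allowed
    out.append(check_step_up(s, "change_org_owner", t0 + timedelta(minutes=3)))  # 3 min > 2 min cap
    out.append(elevate(s, t0 + timedelta(minutes=1)))  # 1 min old, MFA -> elevated until t0+16
    out.append(check_privileged(s, t0 + timedelta(minutes=10)))  # inside the 15-min window
    out.append(check_privileged(s, t0 + timedelta(minutes=16)))  # window closed
    out.append(elevate(s, t0 + timedelta(minutes=16)))  # auth now 16 min old -> must re-auth
    return out
```

Two design points worth keeping: the privileged window is derived from the moment of elevation, not from the original sign-in, and re-elevating after the window closes requires a new authentication rather than reusing the earlier one, which is what "require fresh authentication" means in practice.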
Launch checklist
- baseline sign-in method works
- email verification and recovery work
- MFA policy is clear
- session duration matches risk level
- bot prevention has been tested
- step-up protects sensitive operations
- support knows how to handle locked-out users