
Security settings

Security settings let you tune the default posture of the tenant. Most of the heavy lifting still happens at the Safe level, but the organisation-wide defaults are where you make the first decision.

What you can configure

  • Password policy - delegated to Keycloak as a platform setting.
  • Session recording defaults - whether new Safes should record by default.
  • Clipboard policy defaults - whether copy and paste is allowed, blocked, or audited.
  • MFA enforcement - whether users must enrol and use MFA.
  • IP allowlists - restrict where privileged access can originate from.

MFA enforcement

MFA enforcement is a tenant-wide setting that requires all users to complete MFA before accessing any Safe or launching any session.

To enable MFA enforcement, go to Organisation settings > Security > MFA enforcement and toggle it on. All users without an enrolled MFA method will be prompted to enrol on their next login.

Disabling MFA enforcement removes a critical compliance control

Disabling organisation-wide MFA enforcement violates:

  • SOC 2 CC6.1 -- Logical and physical access controls
  • SOC 2 CC6.6 -- Restriction of access

Only disable this setting if your organisation uses an external IdP with MFA enforced at the IdP level, AND you have documented compensating controls. Disabling it is logged to the audit trail.
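The rule above, as an added illustration in Python (not the product's own code or API): disabling tenant-wide MFA enforcement is refused unless the external IdP enforces MFA and compensating controls are documented, every outcome is written to an audit trail, and with enforcement on, only users without an enrolled method are selected for the enrolment prompt. The `SecuritySettings` and `Tenant` models and all function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class SecuritySettings:
    mfa_enforcement: bool = True  # tenant-wide default: MFA required everywhere

@dataclass
class Tenant:
    external_idp_mfa_enforced: bool = False          # MFA enforced at the IdP level
    compensating_controls_doc: Optional[str] = None  # reference to the documented controls
    audit_trail: List[dict] = field(default_factory=list)

def audit(tenant: Tenant, actor: str, event: str, detail: str) -> dict:
    """Append one entry to the tenant's audit trail and return it."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "event": event, "detail": detail}
    tenant.audit_trail.append(entry)
    return entry

def set_mfa_enforcement(tenant: Tenant, settings: SecuritySettings,
                        actor: str, enabled: bool) -> SecuritySettings:
    """Toggle MFA enforcement. Turning it off is refused unless the external IdP
    enforces MFA AND compensating controls are documented; every outcome is audited."""
    if settings.mfa_enforcement and not enabled:
        if not tenant.external_idp_mfa_enforced:
            audit(tenant, actor, "mfa_enforcement.disable_rejected",
                  "external IdP does not enforce MFA")
            raise PermissionError("MFA enforcement may only be disabled when the IdP enforces MFA")
        if not tenant.compensating_controls_doc:
            audit(tenant, actor, "mfa_enforcement.disable_rejected",
                  "no documented compensating controls")
            raise PermissionError("document compensating controls before disabling MFA enforcement")
        audit(tenant, actor, "mfa_enforcement.disabled",
              f"compensating controls: {tenant.compensating_controls_doc}")
    elif not settings.mfa_enforcement and enabled:
        audit(tenant, actor, "mfa_enforcement.enabled", "tenant-wide MFA required again")
    settings.mfa_enforcement = enabled
    return settings

def users_to_prompt(settings: SecuritySettings, enrolled: Dict[str, bool]) -> List[str]:
    """With enforcement on, every user lacking an enrolled MFA method is prompted at next login."""
    if not settings.mfa_enforcement:
        return []
    return sorted(user for user, has_mfa in enrolled.items() if not has_mfa)
```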

Upcoming Trusted Device support

Trusted Device (AIC-2535) is not part of this release. Treat it as a future security capability rather than a current control.