Security Policies

Overview

The Admin > Security page has five toggles that control how users log in and authenticate. Each toggle applies to every user in your tenant.

Portal auto-login

When enabled, users who visit the app portal can sign in automatically without re-entering credentials. Turn this off if you want users to authenticate every time they access the archive.

Email login codes

Controls whether users can log in with a one-time code sent to their email address instead of a password. This is sometimes called "magic link" or "passwordless" login.

Require SSO login

Forces all users to authenticate through your configured OIDC provider. This toggle can only be turned on if an OIDC provider is already set up under Admin > SSO, and it can only be enabled by an admin who logged in via SSO themselves.

If you turn this on without an OIDC provider configured, users (including you) could lose access, so the app prevents it.

Require TOTP setup

When enabled, every user must set up two-factor authentication (TOTP) with an authenticator app before they can use the archive. Users who have not configured TOTP yet will be prompted at their next login. Administrators are not exempt.

If you only want TOTP to be optional, leave this off. Users can still enable it voluntarily from their account settings.

Password reset

Controls whether users can reset their own password by requesting a 6-digit code via email. If you use SSO exclusively, you may want to turn this off.