2FA & SSO.

TOTP for everyone. SAML and OIDC for enterprise.

TOTP is on by default for owners and admins on the Core plan. Optional for the rest of the org. SAML and OIDC SSO are available on Enterprise. Just-in-time provisioning supported.

Account recovery

Recovery codes are generated on TOTP enrollment. We do not offer email-link account recovery for accounts with TOTP enabled; if you lose both, an admin must re-enroll you.

Session policy

Sessions expire after 14 days of inactivity. Owners can shorten this per workspace. Re-auth is required for billing and key-management actions regardless of session age.