Manage MFA and IP Restrictions in Security Settings

The current Security page in the Keeptrusts console focuses on account MFA enrollment and organization-level network guardrails. It is where operators enroll passkeys or authenticator apps, set the minimum MFA requirement for the organization, and manage the IP allow and deny lists that are applied before the normal user or role evaluation path runs.

This page no longer serves as a route-entitlement lookup or key-rotation workspace. Session lifetime and global password policy controls remain deployment-managed.

Use this page when

  • You want to enroll a passkey or authenticator app for your own account.
  • You need to require MFA for admins or for every member in the organization.
  • You need to manage allowlist or denylist CIDR ranges for console access.
  • You want a quick path into the audit log while reviewing access posture.

Primary audience

  • Primary: Security Engineers and IT Admins hardening console access
  • Secondary: Technical Leaders and Compliance reviewers

What You'll Accomplish

  • Enroll passkey or authenticator MFA on your own account
  • Set the organization MFA requirement to optional, admin-only, or all members
  • Apply coarse ingress restrictions with IP allow and deny lists
  • Understand which security controls still live outside this page

Personal MFA

From Settings → Security, use Set up passkey MFA to open the dedicated enrollment route at /mfa/setup.

  • Passkeys support Face ID, Touch ID, Windows Hello, and compatible hardware security keys.
  • If passkey enrollment is not available in the current browser, the same flow also supports an authenticator app.
  • The enrollment flow issues one-time recovery codes at the end. Save them immediately because they are only shown once.

MFA Policy

The organization-wide MFA section controls the minimum enrollment requirement for members.

Available modes:

  • Optional: members choose whether to enroll MFA.
  • Required for Admins & Owners: privileged operators must enroll MFA.
  • Required for all members: every member must enroll MFA.

Newly required users get a 72-hour grace period before enforcement becomes blocking.

IP Restrictions

The page also exposes organization-level IP restrictions.

  • Add one CIDR range per line to the allowlist or denylist fields.
  • Denylist rules are evaluated first.
  • An empty allowlist means unrestricted ingress.
  • Use the denylist for emergency blocks and the allowlist for steady-state corporate network controls.
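
The evaluation order above can be reproduced offline when debugging an unexpected block. This is an added example, not Keeptrusts code: the function names and sample ranges are constructed, and blocking an address that matches neither list when the allowlist is non-empty is an assumption the page implies but does not state.

```python
import ipaddress

def parse_cidrs(text):
    """One CIDR per line, as in the console fields; blank lines are skipped."""
    # strict=True rejects entries with host bits set (e.g. 10.0.0.5/8).
    return [ipaddress.ip_network(line.strip(), strict=True)
            for line in text.splitlines() if line.strip()]

def first_match(ip, nets):
    """Return the first range containing ip, or None."""
    return next((n for n in nets if n.version == ip.version and ip in n), None)

def evaluate(client_ip, allow_text, deny_text):
    """Return (decision, reason) using the order the page documents."""
    ip = ipaddress.ip_address(client_ip)
    hit = first_match(ip, parse_cidrs(deny_text))
    if hit is not None:                      # denylist rules are evaluated first
        return ("block", f"denylist {hit}")
    allow = parse_cidrs(allow_text)
    if not allow:                            # empty allowlist = unrestricted ingress
        return ("allow", "empty allowlist")
    hit = first_match(ip, allow)
    if hit is not None:
        return ("allow", f"allowlist {hit}")
    return ("block", "not in allowlist")     # assumption: page implies, does not state

def shadowed_allow_ranges(allow_text, deny_text):
    """Allowlist ranges partly or wholly overridden by a denylist range."""
    deny = parse_cidrs(deny_text)
    return [(str(a), str(d)) for a in parse_cidrs(allow_text) for d in deny
            if a.version == d.version and a.overlaps(d)]

# Constructed sample lists (RFC 5737 documentation ranges).
ALLOW = "203.0.113.0/24\n198.51.100.0/25\n"
DENY = "203.0.113.64/26\n"

if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.70", "192.0.2.9"):
        print(addr, evaluate(addr, ALLOW, DENY))
    print("no allowlist:", evaluate("192.0.2.9", "", DENY))
    print("shadowed:", shadowed_allow_ranges(ALLOW, DENY))
```

The overlap report is useful after an emergency denylist entry: it lists the steady-state allowlist ranges whose addresses are now partly or wholly blocked.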

What Stays Outside This Page

  • Organization-wide session lifetime and password policy settings remain deployment-managed.
  • Voluntary password rotation still happens from Settings → Profile.
  • SSO and sign-in topology belong to the broader authentication setup, not the current Security page.

Audit Trail

Use Open audit log from the page header whenever you need to review recent security-sensitive changes such as MFA policy updates or IP restriction changes.

Best Practices

  • Roll out MFA to admins first, then extend to all members once support workflows are ready.
  • Prefer passkeys for administrators and other high-impact operators.
  • Keep allowlists narrow and review them after network changes.
  • Use the audit log after each security change to verify who changed what and when.

Business Outcomes

| Outcome | How Security Settings Delivers It |
|---|---|
| Stronger account security | Passkeys or authenticator MFA raise the bar for account takeover |
| Controlled rollout | Admin-only or org-wide MFA lets you phase enforcement gradually |
| Coarse network gates | Allow and deny lists block traffic before normal identity evaluation begins |
| Auditable change history | The audit log provides evidence for security reviews and post-incident analysis |

For AI systems

  • Canonical terms: Security settings, personal MFA, passkey, authenticator app, recovery codes, MFA policy, IP allowlist, IP denylist.
  • Console navigation: Settings → Security, then Set up passkey MFA for /mfa/setup.
  • Current page contract: passkey or authenticator enrollment, org MFA requirement, allowlist or denylist CIDR management, audit-log shortcut.
  • Non-goals for this page: route-entitlement lookup, API key rotation, and deployment-wide session policy editing.

For engineers

  • Use passkey enrollment where possible. If the local browser cannot complete passkey registration, fall back to the authenticator app path on the same setup route.
  • Save recovery codes immediately after enrollment. They are not re-shown later.
  • Start MFA enforcement with admins and owners if you need a staged rollout.
  • When debugging unexpected blocks, inspect both the current allowlist and the denylist, because denylist rules are evaluated first.
  • If you need session lifetime or password policy changes, use deployment configuration rather than this page.

For leaders

  • This page gives operators enough control to harden sign-in without mixing in unrelated identity or platform-administration tasks.
  • Passkey-capable MFA reduces password risk for the members who matter most.
  • Admin-first MFA rollout plus IP restrictions creates a practical defense-in-depth posture without blocking the whole organization on day one.
  • The audit-log shortcut keeps security changes reviewable and explainable.