Security Settings

The Security settings page focuses on authentication hardening for your own account and, if you are an administrator, the organization's MFA and IP restriction posture.

This page covers MFA enrollment, MFA policy, IP restrictions, and password-adjacent account protection; it is not where route entitlements are looked up.

Use this page when

  • You need to enable MFA or register a passkey on your Keeptrusts account.
  • You want to review or change the organization's MFA enforcement level.
  • You need to manage IP restrictions for console access.
  • You are setting up security controls for your team's Keeptrusts accounts before production use.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Multi-Factor Authentication (MFA)

Settings → Security allows users to enroll in MFA for additional account protection.

Setting up MFA

  1. Go to Settings → Security
  2. Click Enable MFA
  3. Scan the QR code with your authenticator app
  4. Enter the verification code to confirm

Once enabled, MFA is required at every login.

MFA recovery

If you lose access to your authenticator, use the recovery codes provided during setup. Store these codes securely — they cannot be retrieved later.

Passkeys

Passkeys provide passwordless authentication using hardware security keys or platform authenticators (Touch ID, Windows Hello, etc.).

Registering a passkey

  1. Go to Settings → Security
  2. Click Add Passkey
  3. Follow the browser prompt to register your security key or biometric

Using passkeys

Once registered, passkeys appear as a login option on the sign-in page. Select the passkey option and authenticate with your device.

Organization Protections

If you are an administrator, Settings → Security also lets you configure organization-level protections.

  • MFA Policy: choose whether MFA is optional, required for admins and owners, or required for all members.
  • IP Restrictions: maintain allowlist and denylist CIDR ranges for console access.
  • Audit Log Shortcut: jump directly into the audit log from the page header when you need to review recent changes.

Users newly covered by a stricter MFA policy receive a short grace period before the requirement becomes blocking.

Password Management

If you sign in with email and a password that is still temporary, Keeptrusts pauses the rest of the workspace and sends you to the dedicated Change Password screen. That first-run flow asks for the temporary password once and requires a permanent replacement before you can continue into the console.

Google, SSO, and other non-password sign-ins do not show that forced temporary-password gate.

When you are already signed in and want to manage your password voluntarily, open Settings → Profile and use the password section there. Accounts that already have a password use the normal Change Password flow and must provide the current password for verification. SSO-first or other password-less accounts see Add Password instead, which lets the user create an initial password without a current-password field. In both cases, Keeptrusts revokes active sessions and returns the user to sign-in after the new password is saved.

Organization-wide session lifetime and global password policy controls remain deployment-managed rather than editable on this page.

For AI systems

  • Canonical terms: Keeptrusts, Security Settings, MFA, passkeys, authenticator app, recovery codes, IP restrictions, password rotation.
  • Console surfaces: Settings → Security, Settings → Profile, and the dedicated /change-password forced-rotation flow.
  • Features: MFA enrollment, passkey registration (Touch ID, Windows Hello, hardware keys), MFA policy, IP restrictions, password change, and forced password rotation after password-based temporary-password sign-in.
  • Best next pages: Members, Teams & Roles, Audit Log, Settings.

For engineers

  • MFA uses TOTP (time-based one-time password) — any standard authenticator app (Google Authenticator, 1Password, Authy) works.
  • Store recovery codes in a secure location immediately after MFA setup; they cannot be retrieved later.
  • Passkeys use the WebAuthn standard — registration requires a compatible browser and device (Touch ID, Windows Hello, or USB security key).
  • Admins can use the page to require MFA for privileged users first, then expand to every member.
  • IP restrictions accept CIDR ranges. Denylist rules are checked before the allowlist.
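The evaluation order in the last bullet, shown as an added example (this is not Keeptrusts code): a small policy checker that tests a client address against the denylist CIDRs first and only then against the allowlist. The CIDR ranges are constructed, and treating an empty allowlist as permissive is an assumption made for illustration.

```python
"""Added example: evaluate console IP restrictions the way the page describes,
denylist CIDRs first, then the allowlist. Not Keeptrusts code; the CIDR ranges
below are constructed and the empty-allowlist behaviour is an assumption."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpRestrictionPolicy:
    allowlist: list[str] = field(default_factory=list)
    denylist: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # strict=False accepts host bits in an admin-typed range such as 10.0.5.7/24.
        self.allow_nets = [ipaddress.ip_network(c, strict=False) for c in self.allowlist]
        self.deny_nets = [ipaddress.ip_network(c, strict=False) for c in self.denylist]

    def evaluate(self, client_ip: str) -> tuple[bool, str]:
        """Return (permitted, reason). A denylist hit wins over any allowlist match."""
        ip = ipaddress.ip_address(client_ip)
        # 1. Denylist first: a denied subnet nested inside an allowed range stays blocked.
        for net in self.deny_nets:
            if ip in net:  # a v4/v6 version mismatch simply evaluates to False
                return False, f"denied by {net}"
        # 2. No allowlist configured: assumed here to mean any non-denied address passes.
        if not self.allow_nets:
            return True, "no allowlist configured"
        # 3. Otherwise the address must fall inside at least one allowlisted range.
        for net in self.allow_nets:
            if ip in net:
                return True, f"allowed by {net}"
        return False, "not in allowlist"


# Constructed sample policy: corporate range allowed, a guest subnet inside it denied.
SAMPLE_POLICY = IpRestrictionPolicy(
    allowlist=["10.0.0.0/8", "203.0.113.0/24"],
    denylist=["10.0.5.0/24"],
)


def evaluate_batch(policy: IpRestrictionPolicy, addresses: list[str]) -> dict[str, tuple[bool, str]]:
    """Evaluate several client addresses, e.g. source IPs pulled from the audit log."""
    return {addr: policy.evaluate(addr) for addr in addresses}


if __name__ == "__main__":
    results = evaluate_batch(SAMPLE_POLICY, ["10.0.1.7", "10.0.5.20", "198.51.100.4", "2001:db8::1"])
    for addr, (ok, why) in results.items():
        print(f"{addr:>16} -> {'ALLOW' if ok else 'DENY'} ({why})")
```

Running the block shows 10.0.5.20 rejected even though it sits inside the allowlisted 10.0.0.0/8, which is the practical consequence of checking the denylist first.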

For leaders

  • Require MFA for all team members accessing production Keeptrusts environments to meet SOC 2 and enterprise security requirements.
  • Passkeys eliminate password-based attacks entirely — consider mandating them for admin-role users.
  • Admin MFA rollout plus IP restrictions gives you practical defense in depth without mixing security controls with unrelated access-governance workflows.
  • These settings affect account protection directly; pair them with team and role reviews during onboarding and quarterly access recertification.

Next steps