Organization Security Settings
Configure security policies for your entire organization, including mandatory two-factor authentication for all users.
Quick Summary
Go to Settings gear → Organization Security to enforce 2FA for all users in your organization.
Before You Begin
- You must be an Organization Owner or Admin
- Organization security settings affect all users in your organization
What is Organization Security?
Organization Security allows administrators to enforce security policies across all users. The main feature is Mandatory Two-Factor Authentication (2FA), which requires every user to verify their identity with an email code when signing in.
Organization vs Personal Security
| Setting Type | Who Manages | Scope |
|---|---|---|
| Organization Security | Owners, Admins | All users in the organization |
| Personal Security | Each user | Individual account only |
Step-by-Step Guide
Step 1: Open Organization Security
- Click the Settings gear at the bottom of the sidebar
- Select Organization Security
Looking for your personal 2FA settings? Go to your Profile → Account Security tab instead.
Step 2: Review Current Settings
You'll see the current security configuration:
| Setting | Description |
|---|---|
| Require Two-Factor Authentication | Toggle to enforce 2FA for all users |
| Status indicator | Shows when the setting was enabled/disabled and by whom |
| Change History | Audit trail of all security setting changes |
Step 3: Enable Mandatory 2FA
To require all users to use two-factor authentication:
- Locate the Require Two-Factor Authentication toggle
- Click the toggle to turn it ON (green)
- Review the confirmation message
- Click Enable for All Users
When enabled:
- All users must use 2FA to sign in
- Users cannot disable 2FA on their accounts
- An announcement email is sent to all active users
Step 4: Disable Mandatory 2FA (Optional)
If you need to make 2FA optional:
- Click the toggle to turn it OFF
- Review the confirmation message
- Click Make 2FA Optional
When disabled:
- Users can choose whether to enable 2FA
- Users who already have 2FA enabled keep it unless they manually disable it
- No automatic changes are made to user accounts
Understanding the Confirmation
Enabling 2FA
When you enable mandatory 2FA, you'll see this confirmation:
Enable Mandatory 2FA?
This will require all users in your organization to use two-factor authentication. Users will not be able to disable 2FA on their accounts.
An announcement email will be sent to all active users.
Disabling 2FA
When you disable mandatory 2FA:
Disable Mandatory 2FA?
This will allow users to choose whether to enable 2FA on their accounts. Users who currently have 2FA enabled will keep it enabled unless they manually disable it.
Change History
Every change to organization security settings is recorded in the audit trail.
Viewing Change History
- Scroll down to Change History
- Click to expand the history section
- View all past changes
What's Recorded
| Information | Description |
|---|---|
| Action | Enabled or Disabled |
| Performed by | Email of the admin who made the change |
| Date/Time | When the change was made |
Real-World Examples
Example 1: Enforce 2FA for Security Compliance
Situation: Your organization needs to comply with ISO 27001 security standards, which require multi-factor authentication.
Solution:
- Go to Settings gear → Organization Security
- Turn on Require Two-Factor Authentication
- Click Enable for All Users
- Users receive email notification about the new requirement
Result: All users must now verify their identity with an email code when signing in, meeting your compliance requirements.
Example 2: Temporary Disable for Technical Issue
Situation: Users are reporting issues receiving 2FA emails during a temporary email server problem.
Solution:
- Go to Settings gear → Organization Security
- Turn off Require Two-Factor Authentication
- Click Make 2FA Optional
- After the email issue is resolved, re-enable mandatory 2FA
Result: Users can sign in without 2FA during the email outage. The change is logged in the audit trail for documentation.
Example 3: Review Security Changes After Incident
Situation: You need to verify who changed security settings last month for a security audit.
Solution:
- Go to Settings gear → Organization Security
- Expand Change History
- Review all changes with dates and the email of who made each change
- Export this information for your audit documentation
Result: You have a complete audit trail showing all security setting changes, who made them, and when.
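The review in Example 3 can be scripted once the change history has been exported. The following is an added example, not Infodeck code: the CSV column names, the timestamp format, the allowlist of approved admins and the four-hour threshold are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names and timestamp format are assumptions;
# the page only says each entry records the action, the admin's email and the date/time.
SAMPLE_EXPORT = """action,performed_by,timestamp
Enabled,owner@example.com,2024-03-01T09:00:00
Disabled,admin@example.com,2024-03-10T14:00:00
Enabled,admin@example.com,2024-03-11T09:00:00
Disabled,former.admin@example.com,2024-03-20T23:15:00
"""

APPROVED_ADMINS = {"owner@example.com", "admin@example.com"}  # hypothetical allowlist
MAX_OPTIONAL_WINDOW = timedelta(hours=4)  # hypothetical policy threshold


def review_changes(export_text, approved, max_window):
    """Return (finding, actor, time) tuples for changes that need follow-up."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.fromisoformat(row["timestamp"].strip())
        rows.append((when, row["performed_by"].strip().lower(),
                     row["action"].strip().lower()))
    rows.sort(key=lambda r: r[0])  # oldest first, whatever the export order

    findings = []
    open_window = None  # (start, actor) while mandatory 2FA is off
    for when, actor, action in rows:
        if actor not in approved:
            findings.append(("unapproved_actor", actor, when))
        if action == "disabled" and open_window is None:
            open_window = (when, actor)
        elif action == "enabled" and open_window is not None:
            start, who = open_window
            if when - start > max_window:
                findings.append(("long_optional_window", who, start))
            open_window = None
    if open_window is not None:
        # The last recorded change left 2FA optional and nobody re-enabled it.
        findings.append(("still_optional", open_window[1], open_window[0]))
    return findings


if __name__ == "__main__":
    for kind, actor, when in review_changes(
            SAMPLE_EXPORT, APPROVED_ADMINS, MAX_OPTIONAL_WINDOW):
        print(f"{when.isoformat()}  {kind:22}  {actor}")
```

On the constructed sample this reports the 19-hour window opened on 10 March, the change made by an account outside the allowlist, and the fact that mandatory 2FA is still off after the last recorded change.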
How 2FA Works
When mandatory 2FA is enabled:
Sign-In Process
1. User enters email and password
↓
2. System sends 6-digit code to user's email
↓
3. User enters the code within 10 minutes
↓
4. User is signed in successfully
Code Details
| Detail | Value |
|---|---|
| Code length | 6 digits |
| Valid for | 10 minutes |
| Delivery method | Email |
| Attempts allowed | Multiple (new code can be requested) |
Trusted Devices
When 2FA is enabled, users can trust devices to skip verification on future logins.
How It Works
- After entering a valid 2FA code, users see the option to Trust this device
- If selected, the device is remembered
- Future logins from that device don't require 2FA codes
Managing Trusted Devices
Users can manage their trusted devices from their Profile → Account Security tab:
- View all trusted devices
- Remove devices they no longer use
- Revoke trust from lost or stolen devices
Troubleshooting
Toggle is Disabled
| Issue | Cause | Solution |
|---|---|---|
| Toggle grayed out | Insufficient permissions | Only Owners and Admins can change this |
| "Subscription disabled" | Subscription issue | Resolve billing/subscription status |
Users Not Receiving 2FA Emails
| Issue | Cause | Solution |
|---|---|---|
| No email received | Spam filter | Check spam/junk folder |
| Email delayed | Server load | Wait a few minutes, request new code |
| Wrong email | Typo in registration | Contact admin to correct email |
Can't Access Organization Security
| Issue | Cause | Solution |
|---|---|---|
| Page not found | Wrong navigation | Use Settings gear, not sidebar |
| "No permission" | Not an admin | Contact organization owner |
| See blurred page | Insufficient access | You need Admin role |
Best Practices
Security Recommendations
| Practice | Reason |
|---|---|
| Enable mandatory 2FA | Protects against password breaches |
| Review change history regularly | Detect unauthorized changes |
| Communicate before enabling | Give users time to prepare |
| Test with small group first | Identify issues before org-wide rollout |
Before Enabling 2FA
- Notify your team - Send advance notice about the upcoming change
- Check email deliverability - Ensure all users can receive emails from Infodeck
- Prepare support resources - Have help documentation ready for users
- Consider timing - Avoid enabling during peak work hours
Need help? Contact Infodeck Support