Security Settings
Configure workspace security, MFA, sessions, and access controls
Overview
IdeaLift provides a comprehensive set of security controls to protect your workspace and data. From multi-factor authentication to IP restrictions, you can configure the level of security that matches your organization's requirements.
All security settings are managed from Dashboard → Settings → Security. Only Admins and Owners can modify security settings.
Feature Availability by Plan
| Feature | Starter | Pro | Growth | Scale | Enterprise |
|---|---|---|---|---|---|
| Password policy | ✓ | ✓ | ✓ | ✓ | ✓ |
| MFA (multi-factor auth) | — | — | ✓ | ✓ | ✓ |
| SSO enforcement | — | — | ✓ | ✓ | ✓ |
| Session timeout config | — | — | ✓ | ✓ | ✓ |
| IP allowlisting | — | — | — | ✓ | ✓ |
| API key management | — | ✓ | ✓ | ✓ | ✓ |
| Audit logs | — | — | — | ✓ | ✓ |
Multi-Factor Authentication (MFA)
MFA adds a second layer of verification beyond a password, significantly reducing the risk of unauthorized access even if credentials are compromised.
Supported MFA methods
Authenticator app (TOTP)
Use any TOTP-compatible app such as Google Authenticator, Authy, 1Password, or Microsoft Authenticator. Generates a 6-digit code that rotates every 30 seconds.
Email verification code
A one-time code is sent to the user's registered email address. Useful as a fallback method if the authenticator app is unavailable.
Enabling MFA for your workspace
- Go to Dashboard → Settings → Security
- Find the "Multi-Factor Authentication" section
- Choose a policy: Optional (users can opt in) or Required (enforced for all members)
- Click "Save"
Recommendation: Set MFA to "Required" for workspaces that handle sensitive product data or customer feedback. When required, users must enroll in MFA on their next login. A 7-day grace period allows users to set up their authenticator app.
MFA with SSO
If your workspace uses SSO, MFA is typically enforced by your identity provider (Okta, Azure AD, etc.). In this case, IdeaLift's built-in MFA is not needed for SSO users. You can still enable it for users who log in with email/password.
Session Management
Control how long user sessions remain active and what happens when they expire.
Session timeout
Set the maximum duration of an active session. After this period, users are automatically logged out and must re-authenticate.
Idle timeout
Separate from session timeout, idle timeout logs users out after a period of inactivity. Available on Scale and Enterprise plans. Options range from 15 minutes to 4 hours.
Force logout
Admins can immediately invalidate all active sessions for a specific user or the entire workspace. This is useful when revoking access for a departed team member or responding to a security incident.
IP Allowlisting
Restrict workspace access to specific IP addresses or CIDR ranges. Only requests from allowlisted IPs can access your workspace. Available on Scale and Enterprise plans.
Setting up IP allowlisting
- Go to Dashboard → Settings → Security
- Scroll to "IP Allowlist"
- Add IP addresses or CIDR ranges (e.g., 203.0.113.0/24)
- Add a description for each entry (e.g., "Office VPN", "AWS NAT Gateway")
- Click "Save"
Warning: Enabling IP allowlisting will immediately block access from any IP not on the list, including your current session if your IP is not included. Always add your own IP address first. If you lock yourself out, contact [email protected] for emergency access.
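A pre-save check for the lock-out risk described in the warning, added here as an example (not IdeaLift code): it parses the allowlist entries with the standard library, confirms the admin's current IP is covered, and flags a catch-all range that would disable the control. The entry format (single IPs or CIDR ranges) follows the setup steps; the sample addresses are constructed.

```python
import ipaddress

def parse_allowlist(entries):
    """Parse entries such as "203.0.113.0/24" or a bare "198.51.100.7" (treated as /32).
    Raises ValueError on malformed input so a typo is caught before saving."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def validate_allowlist(entries, admin_ip):
    """Pre-save check: returns (ok, problems). ok is False when the list would
    lock out the admin saving it or contains an entry that defeats the control."""
    problems = []
    try:
        networks = parse_allowlist(entries)
    except ValueError as exc:
        return False, [f"invalid entry: {exc}"]
    if not is_allowed(admin_ip, networks):
        problems.append(f"your current IP {admin_ip} is not covered; saving would lock you out")
    for net in networks:
        if net.prefixlen == 0:
            problems.append(f"{net} matches every address and disables the allowlist")
    return not problems, problems

if __name__ == "__main__":
    # Constructed sample: an office range plus a single NAT gateway address.
    entries = ["203.0.113.0/24", "198.51.100.7"]
    print(validate_allowlist(entries, "203.0.113.45"))  # covered by the /24
    print(validate_allowlist(entries, "192.0.2.9"))     # would lock this admin out
```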
What is blocked
- Dashboard and web app access
- API requests (unless using an API key with IP bypass enabled)
- SSO login attempts from non-allowlisted IPs
What is not blocked
- Incoming webhook events (Slack, Discord, Teams, GitHub, etc.)
- Bot integrations that post to your workspace
- SCIM provisioning from your identity provider
Password Policy
Configure password requirements for team members who log in with email and password. These policies do not apply to SSO or OAuth users.
Default requirements
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
Configurable options (Growth+)
- Minimum length — Set from 8 to 128 characters
- Password expiry — Require password changes every 30, 60, 90, or 180 days
- Password history — Prevent reuse of the last 3, 5, or 10 passwords
- Breach detection — Check new passwords against known breach databases (powered by Auth0)
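The default requirements and the configurable length, history and expiry options above, implemented as a validator. This is an added example, not IdeaLift's own policy engine; the stored-hash stand-in and the assumption that expiry counts from the last change date are the example's own.

```python
import hashlib
import re
from datetime import date, timedelta

ALLOWED_EXPIRY_DAYS = (30, 60, 90, 180)   # configurable password expiry values
ALLOWED_HISTORY_SIZES = (3, 5, 10)        # configurable password history sizes

def password_fingerprint(password):
    """Stand-in for the stored credential hash used by history checks (constructed for
    this example; a real system compares against its salted password hashes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(candidate, min_length=8, history=(), history_size=0):
    """Return the list of rules the candidate breaks (an empty list means accepted)."""
    if not 8 <= min_length <= 128:
        raise ValueError("min_length must be between 8 and 128")
    if history_size and history_size not in ALLOWED_HISTORY_SIZES:
        raise ValueError("history_size must be 3, 5 or 10")
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", candidate):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("no special character")
    # Only the most recent history_size fingerprints count; history is oldest-first.
    recent = list(history)[-history_size:] if history_size else []
    if password_fingerprint(candidate) in recent:
        failures.append(f"reuses one of the last {history_size} passwords")
    return failures

def password_expired(last_changed, expiry_days, today=None):
    """True once the configured expiry has elapsed since the last change (assumption)."""
    if expiry_days is None:
        return False
    if expiry_days not in ALLOWED_EXPIRY_DAYS:
        raise ValueError("expiry_days must be 30, 60, 90 or 180")
    today = today or date.today()
    return today - last_changed >= timedelta(days=expiry_days)
```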
API Key Management
API keys allow programmatic access to your workspace data. Manage keys securely to protect your workspace.
Creating an API key
- Go to Dashboard → Settings → API Keys
- Click "Create API Key"
- Give the key a descriptive name (e.g., "CI/CD Pipeline", "Zapier Integration")
- Select the scope: Read Only or Read/Write
- Optionally set an expiration date
- Copy the generated key immediately — it is only shown once
Security best practice: Treat API keys like passwords. Never commit them to source code, share them in chat, or include them in client-side code. Use environment variables or secret management tools to store API keys.
Key management
- View active keys — See all keys with their name, scope, creation date, and last used date
- Revoke a key — Immediately invalidate a key. Any request using the revoked key will receive a 401 error
- Rotate a key — Generate a new key and revoke the old one in a single step
- Audit trail — All API key usage is recorded in audit logs (Scale+)
Rate limits
API keys are subject to plan-based rate limits. See the API documentation for details on rate limits by plan.
Security Best Practices
Enable MFA for all workspace members
Set MFA policy to "Required" on Growth plan and above. If using SSO, enforce MFA at the identity provider level for consistent coverage across all applications.
Review team access regularly
Audit your workspace members quarterly. Remove users who have left the organization or no longer need access. Use SCIM to automate this on Enterprise plans.
Rotate API keys periodically
Set expiration dates on API keys and rotate them at least every 90 days. Review the "last used" date to identify stale keys that can be revoked.
Use IP allowlisting for sensitive workspaces
If your team works from known office IPs or VPNs, enable IP allowlisting to prevent access from unauthorized networks. Remember to add your VPN's egress IPs.
Monitor audit logs for anomalies
Regularly check audit logs for unusual activity: logins from unexpected locations, bulk data exports, or repeated failed authentication attempts.
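Detection logic for the three patterns named above, run over a constructed batch of audit events. This is an added example, not IdeaLift tooling; the JSON Lines event shape, action names, thresholds and per-user country baseline are all assumptions, since the page does not show the export format.

```python
import json
from collections import Counter

# Constructed sample audit events (JSON Lines); the real export format is not shown on the page.
SAMPLE_AUDIT_LOG = """
{"ts": "2024-05-01T08:01:00Z", "actor": "ana@example.com", "action": "login.success", "country": "DE"}
{"ts": "2024-05-01T08:05:00Z", "actor": "ben@example.com", "action": "login.failed", "country": "US"}
{"ts": "2024-05-01T08:05:20Z", "actor": "ben@example.com", "action": "login.failed", "country": "US"}
{"ts": "2024-05-01T08:05:40Z", "actor": "ben@example.com", "action": "login.failed", "country": "US"}
{"ts": "2024-05-01T08:06:00Z", "actor": "ben@example.com", "action": "login.failed", "country": "US"}
{"ts": "2024-05-01T08:06:20Z", "actor": "ben@example.com", "action": "login.failed", "country": "US"}
{"ts": "2024-05-01T09:10:00Z", "actor": "ana@example.com", "action": "login.success", "country": "BR"}
{"ts": "2024-05-01T09:12:00Z", "actor": "ana@example.com", "action": "export.created", "country": "BR"}
{"ts": "2024-05-01T09:13:00Z", "actor": "ana@example.com", "action": "export.created", "country": "BR"}
{"ts": "2024-05-01T09:14:00Z", "actor": "ana@example.com", "action": "export.created", "country": "BR"}
"""
# Countries each user has logged in from before (constructed baseline).
KNOWN_COUNTRIES = {"ana@example.com": {"DE"}, "ben@example.com": {"US"}}
FAILED_LOGIN_THRESHOLD = 5   # assumed thresholds; tune to the workspace's normal activity
BULK_EXPORT_THRESHOLD = 3

def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_anomalies(events, known_countries):
    """Return (kind, actor, detail) tuples for the three patterns the page lists."""
    findings, failed, exports = [], Counter(), Counter()
    for ev in events:
        actor, action = ev["actor"], ev["action"]
        if action == "login.failed":
            failed[actor] += 1
        elif action == "login.success" and ev["country"] not in known_countries.get(actor, set()):
            findings.append(("new_location", actor, ev["country"]))
        elif action == "export.created":
            exports[actor] += 1
    findings += [("repeated_failures", a, n) for a, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD]
    findings += [("bulk_export", a, n) for a, n in exports.items() if n >= BULK_EXPORT_THRESHOLD]
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_events(SAMPLE_AUDIT_LOG), KNOWN_COUNTRIES):
        print(finding)
```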