Organization Security

Protect your organization's sensitive operations by requiring enhanced sign-in for members.

Require enhanced sign-in

We strongly recommend enabling this for any organization that has connected a live, business-critical domain. It ensures that members accessing your workspace have verified their identity with a passkey or other strong authentication method — not just a password.

Go to Organization → Security to find this setting. You can choose to enforce enhanced sign-in for:

  1. Only owners and admins — restricts the requirement to privileged roles. A good starting point if you want to roll out gradually.
  2. All members — applies to everyone in the organization. Recommended for teams with production domains.

Solo projects: If you're the only member of your organization, enabling enhanced security uses your personal passkey as an extra layer of defence — protecting your sites and domains even if your email and password are compromised.

For either option, you can set a Deadline — a date and time when the requirement will actually take effect. This gives members time to set up their passkey before enforcement kicks in.

Step-up authentication

Once enforcement is active, certain sensitive operations will trigger a step-up authentication prompt — even for users who are already signed in. Currently this applies to:

  • Removing a custom domain that is serving live traffic
  • Deleting a workspace that contains at least one site published to Production
  • Deleting a site that is associated with a live domain

Step-up authentication is only triggered when an action would directly impact your domain or site's operation or presentation. It's a last line of defence designed to protect you even if your email and password have been compromised, or if you leave your computer unattended while signed in.

A completed step-up is remembered for 5 minutes, so you won't be prompted more than once within that window.

Who needs to set up enhanced sign-in?

Members who haven't yet set up a passkey will be prompted to do so before they can access the workspace. See Account Security for setup instructions.