Security and Access
Protect individual accounts, enforce MFA for future members, and understand which workspace policy fields are active today.
Eigenn separates personal sign-in protection from workspace security policy. Settings → Account → Security manages your MFA devices. Settings → Security stores policy for the active workspace.
Personal MFA Devices
Open Settings → Account → Security to see enrolled factors and their enrollment dates.
Add an authenticator
- Select Add device.
- Select Continue.
- Scan the QR code with a TOTP authenticator.
- Use the manual setup key if scanning is unavailable.
- Enter the current six-digit code.
- Select Verify & enable.
The current add-device flow enrolls a TOTP authenticator app. It does not enroll a passkey, hardware security key, or trusted-browser device.
Remove an authenticator
Select Remove beside a factor. If the active workspace requires MFA for your membership and this is your last factor, removal is blocked. Add and verify a replacement factor first.
Keep at least two factors when uninterrupted access is important. The app does not display downloadable recovery codes in the current Account security page.
Workspace MFA Policy
Only a workspace owner can save Settings → Security.
Enable Require MFA for New Members to make MFA mandatory for memberships created at or after the policy activation time.
This policy is deliberately prospective:
- existing members are not forced into MFA by enabling it
- future members are redirected to MFA setup or verification before protected workspace pages
- disabling the policy stops the future-member requirement and clears its activation timestamp
- a future member subject to the policy cannot remove their last factor
The MFA verification marker is cleared on a fresh sign-in and logout. A required user must verify again before continuing to protected pages.
Applied and Saved Workspace Policies
The Security page presents four groups. Their current behavior is not identical.
| Setting | Current effect |
|---|---|
| Require MFA for New Members | Enforced for memberships created after activation |
| Session Timeout | Saved on the workspace; the current session layer does not read this value to expire inactive sessions |
| Enforce IP Whitelist and allowed addresses | Validated and saved; the list does not currently restrict sign-in or page access |
| Enable Audit Log | Saved; it does not turn a workspace audit-log viewer on or off in the current app |
| Audit Log Retention | Saved; does not currently control automatic log deletion |
| Data Retention | Saved; does not currently schedule customer-data removal |
| Anonymize Deleted Customers | Saved; current customer deletion paths do not use it as an anonymization switch |
Treat saved-only values as policy intent, not proof of enforcement. Do not cite them as an implemented compliance control until the relevant behavior is available and independently verified.
Configure the Enforced MFA Policy
- Sign in as a workspace owner.
- Open Settings → Security.
- In Access Control, enable Require MFA for New Members.
- Select Save.
- Invite a test member after activation.
- Confirm that the new member is redirected to MFA verification before a protected page.
- Confirm an existing member can still enter without being made subject to the prospective rule.
Changing the Session Timeout in the same card saves the selected 12-hour, 24-hour, 48-hour, or 7-day value, but it does not currently change session expiry behavior.
IP Restrictions
The form accepts one IPv4 address, full IPv6 address, or IPv4 CIDR range per line. Examples include 192.0.2.10 and 10.0.0.0/24.
The values are schema-validated and owner-only to save. They are not currently checked by the app request path. Keep network enforcement at your identity provider, VPN, reverse proxy, or other verified control until Eigenn enforcement is available.
Audit and Data-Retention Settings
The UI offers:
- audit log enabled or disabled
- 7, 30, 90, or 120 days of audit retention
- 30 days, 90 days, one year, or indefinite customer-data retention
- anonymization of deleted customers
These values persist on the workspace but are not evidence that logs are being generated, purged, or that customer deletion is being transformed. Use the exported records and controls your organization has verified, and involve legal or security owners for retention policy.
SSO and Organizations
Organization setup is separate from the Security page. Open Settings → Account → Organizations to create or inspect an organization and use its administration link when available.
If domain-based sign-in says no team exists, an owner must create and configure the identity organization first. See Teams and Organizations for the supported organization workflow.
Account and Workspace Deletion
Delete your account
Settings → Account → General → Delete account permanently removes your user. Sole-owned workspaces are identified before deletion so external cleanup can be queued for them. Membership in workspaces you do not solely own is removed with the account.
The current primary Account deletion dialog asks for confirmation but does not require re-entering the email or a fresh MFA challenge.
Delete a workspace
Settings → General → Delete team is owner-only and permanently removes the active workspace. External-resource cleanup is queued after the database deletion. Treat the action as irreversible even though external cleanup can finish asynchronously.
Access Recovery
- Use the same Google, Apple, GitHub, email, or SSO identity method used for the account.
- When a required user has no enrolled factor, the verification flow redirects to authenticator setup.
- If a factor is lost but another factor remains, verify with the remaining authenticator, then add a replacement.
- If all factors are unavailable, use the public Contact page. The app has no self-service recovery-code screen or separate password-reset page.
- If SSO fails because the domain is unconfigured, contact an organization owner rather than creating a second personal identity.
Never send an MFA secret, QR code, six-digit code, session cookie, or API credential to support.
Troubleshooting
A security policy save is rejected
Only an owner can update workspace Security. Confirm your role and active workspace.
IP restrictions are enabled but access still works elsewhere
That is current behavior: the setting is saved but does not restrict sign-in or page access. Apply a verified network control outside Eigenn.
A new member is not prompted for MFA
Confirm the policy was enabled before that membership was created. The rule is not retroactive. Disable and re-enable does not make an existing membership new.
I cannot remove my last factor
Your membership is subject to the workspace's future-member MFA policy. Add another authenticator, verify it, and then remove the old factor.
I changed Session Timeout but remained signed in
The value is currently saved without session-expiry enforcement. Sign out manually when leaving a shared or untrusted device.