EIGENN.
docsguidesapichangelogpricingsign in
EIGENN.

Security and Access

Protect individual accounts, enforce MFA for future members, and understand which workspace policy fields are active today.

Eigenn separates personal sign-in protection from workspace security policy. Settings → Account → Security manages your MFA devices. Settings → Security stores policy for the active workspace.

Personal MFA Devices

Open Settings → Account → Security to see enrolled factors and their enrollment dates.

Add an authenticator

  1. Select Add device.
  2. Select Continue.
  3. Scan the QR code with a TOTP authenticator.
  4. Use the manual setup key if scanning is unavailable.
  5. Enter the current six-digit code.
  6. Select Verify & enable.

The current add-device flow enrolls a TOTP authenticator app. It does not enroll a passkey, hardware security key, or trusted-browser device.

Remove an authenticator

Select Remove beside a factor. If the active workspace requires MFA for your membership and this is your last factor, removal is blocked. Add and verify a replacement factor first.

Keep at least two factors when uninterrupted access is important. The app does not display downloadable recovery codes in the current Account security page.

Workspace MFA Policy

Only a workspace owner can save Settings → Security.

Enable Require MFA for New Members to make MFA mandatory for memberships created at or after the policy activation time.

This policy is deliberately prospective:

  • existing members are not forced into MFA by enabling it
  • future members are redirected to MFA setup or verification before protected workspace pages
  • disabling the policy stops the future-member requirement and clears its activation timestamp
  • a future member subject to the policy cannot remove their last factor

The MFA verification marker is cleared on a fresh sign-in and logout. A required user must verify again before continuing to protected pages.

Applied and Saved Workspace Policies

The Security page presents four groups. Their current behavior is not identical.

SettingCurrent effect
Require MFA for New MembersEnforced for memberships created after activation
Session TimeoutSaved on the workspace; the current session layer does not read this value to expire inactive sessions
Enforce IP Whitelist and allowed addressesValidated and saved; the list does not currently restrict sign-in or page access
Enable Audit LogSaved; it does not turn a workspace audit-log viewer on or off in the current app
Audit Log RetentionSaved; does not currently control automatic log deletion
Data RetentionSaved; does not currently schedule customer-data removal
Anonymize Deleted CustomersSaved; current customer deletion paths do not use it as an anonymization switch

Treat saved-only values as policy intent, not proof of enforcement. Do not cite them as an implemented compliance control until the relevant behavior is available and independently verified.

Configure the Enforced MFA Policy

  1. Sign in as a workspace owner.
  2. Open Settings → Security.
  3. In Access Control, enable Require MFA for New Members.
  4. Select Save.
  5. Invite a test member after activation.
  6. Confirm that the new member is redirected to MFA verification before a protected page.
  7. Confirm an existing member can still enter without being made subject to the prospective rule.

Changing the Session Timeout in the same card saves the selected 12-hour, 24-hour, 48-hour, or 7-day value, but it does not currently change session expiry behavior.

IP Restrictions

The form accepts one IPv4 address, full IPv6 address, or IPv4 CIDR range per line. Examples include 192.0.2.10 and 10.0.0.0/24.

The values are schema-validated and owner-only to save. They are not currently checked by the app request path. Keep network enforcement at your identity provider, VPN, reverse proxy, or other verified control until Eigenn enforcement is available.

Audit and Data-Retention Settings

The UI offers:

  • audit log enabled or disabled
  • 7, 30, 90, or 120 days of audit retention
  • 30 days, 90 days, one year, or indefinite customer-data retention
  • anonymization of deleted customers

These values persist on the workspace but are not evidence that logs are being generated, purged, or that customer deletion is being transformed. Use the exported records and controls your organization has verified, and involve legal or security owners for retention policy.

SSO and Organizations

Organization setup is separate from the Security page. Open Settings → Account → Organizations to create or inspect an organization and use its administration link when available.

If domain-based sign-in says no team exists, an owner must create and configure the identity organization first. See Teams and Organizations for the supported organization workflow.

Account and Workspace Deletion

Delete your account

Settings → Account → General → Delete account permanently removes your user. Sole-owned workspaces are identified before deletion so external cleanup can be queued for them. Membership in workspaces you do not solely own is removed with the account.

The current primary Account deletion dialog asks for confirmation but does not require re-entering the email or a fresh MFA challenge.

Delete a workspace

Settings → General → Delete team is owner-only and permanently removes the active workspace. External-resource cleanup is queued after the database deletion. Treat the action as irreversible even though external cleanup can finish asynchronously.

Access Recovery

  • Use the same Google, Apple, GitHub, email, or SSO identity method used for the account.
  • When a required user has no enrolled factor, the verification flow redirects to authenticator setup.
  • If a factor is lost but another factor remains, verify with the remaining authenticator, then add a replacement.
  • If all factors are unavailable, use the public Contact page. The app has no self-service recovery-code screen or separate password-reset page.
  • If SSO fails because the domain is unconfigured, contact an organization owner rather than creating a second personal identity.

Never send an MFA secret, QR code, six-digit code, session cookie, or API credential to support.

Troubleshooting

A security policy save is rejected

Only an owner can update workspace Security. Confirm your role and active workspace.

IP restrictions are enabled but access still works elsewhere

That is current behavior: the setting is saved but does not restrict sign-in or page access. Apply a verified network control outside Eigenn.

A new member is not prompted for MFA

Confirm the policy was enabled before that membership was created. The rule is not retroactive. Disable and re-enable does not make an existing membership new.

I cannot remove my last factor

Your membership is subject to the workspace's future-member MFA policy. Add another authenticator, verify it, and then remove the old factor.

I changed Session Timeout but remained signed in

The value is currently saved without session-expiry enforcement. Sign out manually when leaving a shared or untrusted device.

Related Pages

  • Manage Security and Billing
  • Troubleshoot Account Access
  • Account Preferences
  • Settings Overview
  • Teams and Organizations
  • Support

Receivables Controls

Understand which team preferences are stored in Settings and which recovery-policy steps actually drive Auto-chase.

Settings Overview

Understand which settings affect you, the active workspace, billing, integrations, and customer-facing operations.

On this page

Personal MFA DevicesAdd an authenticatorRemove an authenticatorWorkspace MFA PolicyApplied and Saved Workspace PoliciesConfigure the Enforced MFA PolicyIP RestrictionsAudit and Data-Retention SettingsSSO and OrganizationsAccount and Workspace DeletionDelete your accountDelete a workspaceAccess RecoveryTroubleshootingA security policy save is rejectedIP restrictions are enabled but access still works elsewhereA new member is not prompted for MFAI cannot remove my last factorI changed Session Timeout but remained signed inRelated Pages

Eigenn docs

current product

Overview
Overview
OverviewAccount PreferencesAssistant AutomationAssistant Command CenterBank ConnectionsBilling and UsageBudgets and ForecastCommand CenterCustomer LifecycleCustomer RecordsCustomersDeveloper PlatformDocument Processing and ExtractionDocument VaultFinancial Analytics and ReportsFinancial OverviewInvoice InsightsInvoice ProductsInvoicesMarketplace IntegrationsNotifications and BrandingOnboarding and SupportOverviewReceivablesReceivables AnalyticsReceivables ControlsSecurity and AccessSettings OverviewStress TestsTeams and OrganizationsTone Profiles and ExperimentsTransaction Categories and RulesTransactionsWeekly Finance RitualWorkflow ExecutionsWorkflow PausesWorkflowsWorkspace Inbox and Approvals
OverviewBuild and Review a ForecastBuild Your First WorkflowConfigure Assistant OperationsConfigure Notifications and BrandingConfigure Receivables ControlsConnect Transaction RecordsCreate and Manage CustomersCreate and Send InvoicesDeveloper API SetupFirst Cash ReviewInvoice Collection WorkflowMaintain Transaction RulesManage Security and BillingManage Team AccessManage the Invoice LifecycleMCP WorkflowsMonitor and Recover WorkflowsOrganize and Share DocumentsProcess Inbox ItemsReconcile and Categorize TransactionsReview a Customer Finance RecordRun a Finance Operating ReviewRun a Receivables Tone ExperimentRun a Runway Stress TestRun Your First Command Center ReviewSet Up a WorkspaceTroubleshoot Account AccessWebhook DeliveryWeekly CFO Review
OverviewIntegrationsMCPSDKsWebhooks
OverviewAuthenticationBank Accounts APICustomers APIErrorsForecasts and Stress Tests APIInvoice Payments APIInvoices APIPaginationRate LimitsTransactions APIWebhooks API StatusWorkflows API Status
Overview
Overview