Security Policies
Security policies are the rules your organization sets for how sign-in behaves — how strong passwords must be and how sessions are treated. You manage them on the Policies page under Security.
Password policies
A password policy sets the requirements a user’s password must meet. You can require:
| Requirement | What it enforces |
|---|---|
| Minimum length | Passwords must be at least this long |
| Character classes | Require uppercase, lowercase, digits, and/or special characters |
| History | Prevent reusing a number of previous passwords |
| Expiration | Require a new password after a period |
| Lockout threshold | How many failed attempts trigger a lock |
| MFA escalation | Require a second factor in defined situations |
Session policies
A session policy governs how long people stay signed in and when they must re-authenticate:
| Setting | What it controls |
|---|---|
| Session lifetime | How long a session lasts before it ends |
| Idle timeout | How long an inactive session is kept before it ends |
| Maximum concurrent sessions | How many sessions one person may have at once |
| Re-authentication for sensitive actions | Require signing in again before certain actions |
How policies apply
Policies are set on your organization, and can also be set on a specific realm. When both exist, the realm’s policy takes precedence over the organization’s, so you can hold your production realm to stricter rules than your test realm while keeping a sensible organization-wide default.
Set your policies once, and they define the sign-in expectations for everyone in scope — a single place to express your organization’s security posture.
Related pages
- Multi-Factor Authentication — the second factor a policy can require
- Organizations & Realms — organization-wide versus per-realm rules
- Sessions, Audit & Security — the sessions a policy governs