
Security Settings

Configure organization-wide authentication policy, single sign-on (SSO), session behavior, and password requirements for your Ascent organization.

Overview

Security settings let you:

  • Require multi-factor authentication (MFA) for all members, with an optional grace period
  • Allow passwordless login for users who have registered a security key or passkey
  • Configure single sign-on (SSO) providers and just-in-time user provisioning
  • Set session timeout, login attempt limits, and lockout duration
  • Configure the organization password policy (length and character requirements)

These settings apply to everyone in the organization. Individual users enable MFA methods and register passkeys on their own account — see Personal MFA and passkeys below.

Go to Org Settings in the Admin section of the left sidebar, then open the Security tab. There is no dedicated Security item in the sidebar — Security is one of the tabs on the Org Settings page (/settings?tab=security).

The Security tab and its underlying API require the Owner or Admin role. Members without one of those roles cannot view or change these settings.

Single Sign-On (SSO)

The Single Sign-On (SSO) card lets you connect external identity providers so members can sign in with their existing corporate accounts.

Email domain and password authentication

| Setting | Description |
| --- | --- |
| Email Domain | Users whose email matches this domain can be auto-provisioned (created) on their first SSO login — known as just-in-time (JIT) provisioning. Enter the domain (for example example.com) and click Save. |
| Password Authentication | When on, users can sign in with email and password. You can only turn this off once at least one SSO provider is enabled, so you don't lock everyone out. |

Configured providers

Ascent supports four provider types:

| Provider | Required fields |
| --- | --- |
| Microsoft (Azure AD) | Client ID, Client Secret, Tenant ID |
| Google | Client ID, Client Secret |
| Authentik | Client ID, Client Secret, Issuer URL |
| Custom OIDC | Client ID, Client Secret, Issuer URL |

To add a provider:

  1. Under Configured Providers, click Add Provider.
  2. Copy the callback URL shown at the top of the dialog into your identity provider's redirect/callback configuration.
  3. Select the Provider type.
  4. Enter the Client ID and Client Secret.
  5. For Microsoft, enter the Tenant ID. For Authentik or Custom OIDC, enter the Issuer URL.
  6. Optionally set a Display Name — custom text shown on the login button.
  7. Click Add Provider.

Each configured provider can be toggled on or off, edited, or deleted from the list. When editing a provider, leave the Client Secret blank to keep the existing one, or enter a new value to replace it.

Multi-Factor Authentication (organization policy)

The Multi-Factor Authentication card sets the org-wide MFA requirement.

| Setting | Description |
| --- | --- |
| Require MFA | When on, every member must have at least one MFA factor (an authenticator app or a security key) configured. Members who don't are blocked from the app and shown a mandatory MFA-setup screen the next time they open it — see What members experience below. |
| Grace Period (Days) | Shown when Require MFA is on. Records how long users are intended to have to set up MFA after the requirement is enabled. Options: No grace period, 1 day, 3 days, 7 days, 14 days. Note: the blocking MFA-setup gate currently takes effect immediately for members without a factor — the grace period is stored as an organization policy value but does not yet defer the gate. |
| Allow Passwordless Login | When on, users with a registered security key can sign in without entering a password. |

What members experience when Require MFA is on

Once you turn Require MFA on, the requirement is enforced for every member, no matter how they sign in — both password and single sign-on (SSO) users are treated the same:

  • A member who already has an authenticator app or a security key configured is unaffected and continues to work normally.
  • A member with no MFA factor is sent to a blocking Set up MFA screen as soon as they open the app. They can't reach tickets, clients, billing, or any other organization page until they configure a factor (authenticator app or security key). They can still sign out from this screen.

This is enforced on the server, so it can't be skipped — a member can't bypass the screen by navigating directly to a URL. SSO members who were provisioned without ever setting up MFA are gated the same way on their next visit.

The following are not subject to the member MFA requirement:

  • API keys — programmatic, non-interactive integrations authenticate with an API key rather than a user session, so they are exempt.
  • Ascent platform administrators acting on your organization (including "View as organization" support sessions) — they are governed by platform security policy, not your organization's member policy.
Note: Members without a factor are gated immediately when you enable Require MFA. Before turning it on, give your team advance notice to set up an authenticator app or security key so they aren't unexpectedly locked out of the app on their next visit.
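The gating rules above (server-side, per request, exempting API keys and platform administrators, and ignoring the stored grace period) as an added illustration; this is not Ascent's code, and the principal kinds, field names and the two paths are assumptions.

```python
from dataclasses import dataclass

# Added illustration of the MFA gate described on this page; not Ascent's code.
# Principal kinds, field names and the two paths below are assumptions.
SETUP_PATH = "/mfa/setup"
SIGN_OUT_PATH = "/logout"
REACHABLE_WHILE_GATED = {SETUP_PATH, SIGN_OUT_PATH}


@dataclass(frozen=True)
class OrgMfaPolicy:
    require_mfa: bool
    grace_period_days: int = 0  # stored with the org, but does not yet defer the gate


@dataclass(frozen=True)
class Principal:
    kind: str                      # "user", "api_key" or "platform_admin"
    auth_method: str = "password"  # "password" or "sso"; irrelevant to the gate
    mfa_factors: tuple = ()        # e.g. ("totp",), ("security_key",)


def mfa_setup_required(policy: OrgMfaPolicy, principal: Principal) -> bool:
    """True when this principal must see the blocking Set up MFA screen."""
    if not policy.require_mfa:
        return False
    # Exemptions named on the page: API keys and platform administrators.
    if principal.kind in ("api_key", "platform_admin"):
        return False
    if principal.kind != "user":
        raise ValueError(f"unknown principal kind: {principal.kind!r}")
    # Password and SSO users are treated alike. The grace period is deliberately
    # not consulted because the gate currently applies immediately.
    return len(principal.mfa_factors) == 0


def handle_request(policy: OrgMfaPolicy, principal: Principal, path: str) -> str:
    """Check run on every request, so navigating straight to a URL cannot skip it.

    Returns "ok" to serve the page, or "redirect:<path>" to send the member to setup.
    Only the setup screen and sign-out remain reachable while gated.
    """
    if mfa_setup_required(policy, principal) and path not in REACHABLE_WHILE_GATED:
        return f"redirect:{SETUP_PATH}"
    return "ok"
```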

Session Settings

The Session Settings card controls how sessions expire and how failed logins are handled.

| Setting | Options |
| --- | --- |
| Session Timeout | 15 minutes, 30 minutes, 1 hour, 2 hours, 8 hours, or 24 hours |
| Max Login Attempts | 3, 5, or 10 attempts before lockout |
| Lockout Duration | 5 minutes, 15 minutes, 30 minutes, or 1 hour — how long users are locked out after exceeding the max login attempts |

Password Policy

The Password Policy card lets you record the password requirements for your organization.

| Setting | Options |
| --- | --- |
| Minimum Length | 8, 10, 12, or 16 characters |
| Require uppercase letters | On / Off |
| Require numbers | On / Off |
| Require special characters | On / Off |

These values are saved on the organization. Note that the in-app Change Password form on a member's Profile Settings page currently enforces a fixed minimum of 8 characters rather than the values configured here.
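An added illustration (not Ascent's code) of what enforcing the stored policy would look like, placed beside the fixed 8-character check the page says the Change Password form applies today; the field names are assumptions.

```python
import string
from dataclasses import dataclass

# Added illustration, not Ascent's code: the org policy values from the card
# above, validated as a set, next to the fixed 8-character form check.
ALLOWED_MIN_LENGTHS = (8, 10, 12, 16)  # the options offered on the card


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_uppercase: bool = False
    require_numbers: bool = False
    require_special: bool = False

    def __post_init__(self) -> None:
        if self.min_length not in ALLOWED_MIN_LENGTHS:
            raise ValueError(f"min_length must be one of {ALLOWED_MIN_LENGTHS}")


def policy_violations(password: str, policy: PasswordPolicy) -> list:
    """Return the policy rules the password fails (an empty list means it passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_uppercase and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_numbers and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def fixed_minimum_check(password: str) -> bool:
    """The fixed 8-character minimum the page says the in-app form enforces today."""
    return len(password) >= 8


def accepted_by_form_but_not_policy(password: str, policy: PasswordPolicy) -> bool:
    """True when the current form would accept a password the org policy rejects."""
    return fixed_minimum_check(password) and bool(policy_violations(password, policy))
```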

After adjusting MFA, session, or password settings, click Save Security Settings to apply your changes. (The Single Sign-On settings above save separately as you edit them.)

Personal MFA and passkeys

Org-wide policy is set here in Security, but each user enables their own MFA methods on their Profile Settings page (the Multi-Factor Authentication section). Available methods:

  • Authenticator App — Scan a QR code (or enter the secret manually) with a time-based one-time password (TOTP) app like Google Authenticator or Authy, then enter the 6-digit code to enable. Clicking Disable opens a confirmation dialog: password users re-enter their password to confirm, while SSO-only users (who have no Ascent password) simply confirm, since their signed-in session is sufficient.
  • Security Keys & Passkeys — Register hardware keys or biometric passkeys via WebAuthn with Add Key. Each registered key is listed with the date it was added and last used, and can be removed individually.

When an authenticator app is enabled, Ascent generates one-time recovery codes that can be used to complete sign-in if your authenticator is unavailable. (The recovery codes themselves are not displayed on the Profile Settings page.)

Best Practices

  • Require MFA for all members. Because un-enrolled members are gated immediately when you enable it, give your team advance notice to enroll first.
  • Prefer security keys or passkeys over codes where possible — they resist phishing.
  • Keep password authentication enabled until SSO is fully tested for your whole team, then disable it to enforce SSO.
  • Set a reasonable session timeout that balances convenience against the risk of unattended sessions.
  • Register more than one MFA method (for example, both an authenticator app and a passkey) so you keep access if one device is lost.