Security settings give Super Admins the controls needed to meet enterprise security requirements: password policies (length, complexity, expiry, reuse), multi-factor authentication, session timeout, IP allowlists, and login attempt rate limits. Tighten or loosen each setting to match your organization’s risk profile.
Open security settings from your Admin Hub → Platform Settings → Security. The URL is a sub-page; navigation breadcrumb only.
Before you start
- You must be a Super Admin.
- Some settings (IP allowlist, MFA enforcement) can lock users out if misconfigured. Test with a small admin group before applying org-wide.
- Coordinate password policy with your SSO setup. If SSO is the only login method, password policy applies only to fallback admin accounts.
Password policy
| Setting | Default | Recommended |
|---|---|---|
| Minimum length | 8 characters | 12+ for sensitive orgs |
| Require uppercase | Off | On |
| Require lowercase | Off | On |
| Require digit | Off | On |
| Require special character | Off | On |
| Password expiry | 90 days | 90 days for non-SSO accounts; off if SSO is mandatory |
| Password history (prevent reuse) | Last 5 | Last 12 for sensitive orgs |
| Force reset on first login | On | Keep on |
Multi-factor authentication (MFA)
Empuls supports MFA via:
- TOTP authenticator app (Google Authenticator, Authy, 1Password)
- Email OTP (one-time code to the registered email)
- SMS OTP (one-time code to the registered mobile number, where configured)
Choose required MFA methods
Pick one or more methods. Users will be prompted to set up at least one on next sign-in.
Choose enforcement scope
- All users
- Admin users only
- Specific roles — e.g., Super Admins and Finance Admins
Set grace period
New users have a grace period (default 7 days) to enroll. After that, they can’t access Empuls without completing MFA setup.
Session timeout
Set how long an idle session stays valid before the user must re-authenticate:
- Web — 8 hours default; common values 1h (high-security), 4h, 8h, 24h
- Mobile — 30 days default; common values 7d, 14d, 30d
- MS Teams / Slack — Inherits the host app’s session
IP allowlist
Restrict Empuls access to specific IP ranges (typically your VPN egress IPs):
Toggle IP allowlist on
A warning banner reminds you that this can lock out users not on the allowlist.
Test from outside the allowlist
Try to access Empuls from a non-allowlisted IP (e.g., your mobile data) — you should be blocked.
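Before toggling the allowlist on, you can check which known sign-in source IPs would fall outside the proposed ranges. The Python below is an added example, not Empuls code: it assumes ranges are written in CIDR notation and that you have a list of recent (user, source IP) sign-ins from your own logs; the function names and sample values are constructed for illustration.

```python
import ipaddress

def parse_allowlist(entries):
    """Parse CIDR strings; malformed entries are returned, not silently dropped."""
    networks, rejected = [], []
    for raw in entries:
        try:
            # strict=True rejects ranges with host bits set, e.g. 203.0.113.5/24
            networks.append(ipaddress.ip_network(raw.strip(), strict=True))
        except ValueError:
            rejected.append(raw)
    return networks, rejected

def lockout_report(allowlist, signins):
    """signins: iterable of (user, source_ip) pairs taken from recent sign-in records."""
    networks, rejected = parse_allowlist(allowlist)
    allowed_seen, blocked = set(), {}
    for user, ip in signins:
        addr = ipaddress.ip_address(ip)
        if any(addr.version == n.version and addr in n for n in networks):
            allowed_seen.add(user)
        else:
            blocked.setdefault(user, set()).add(ip)
    # Users with no sign-in from an allowed range lose access entirely.
    fully_blocked = sorted(u for u in blocked if u not in allowed_seen)
    return {"rejected": rejected, "blocked": blocked, "fully_blocked": fully_blocked}

# Constructed sample data using documentation-only address ranges.
SAMPLE_ALLOWLIST = [
    "198.51.100.0/24",    # assumed VPN egress range
    "2001:db8:10::/48",   # assumed IPv6 egress range
    "203.0.113.5/24",     # typo: host bits set, will be rejected
]
SAMPLE_SIGNINS = [
    ("admin.a", "198.51.100.17"),
    ("admin.a", "192.0.2.44"),     # same admin, off-VPN sign-in
    ("admin.b", "203.0.113.77"),   # only covered by the rejected entry
    ("admin.c", "2001:db8:10::1"),
]

if __name__ == "__main__":
    report = lockout_report(SAMPLE_ALLOWLIST, SAMPLE_SIGNINS)
    print("Rejected allowlist entries:", report["rejected"])
    for user, ips in sorted(report["blocked"].items()):
        print(f"{user} would be blocked from: {sorted(ips)}")
    print("Locked out entirely:", report["fully_blocked"])
```

Any user listed as locked out entirely should be resolved, and a bypass account confirmed, before the allowlist is applied org-wide.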
Login attempt limits
Empuls automatically locks accounts after repeated failed login attempts:
- Threshold — Default 5 failed attempts in 15 minutes
- Lockout duration — Default 30 minutes; admins can unlock manually
- Notification — Failed attempts above the threshold notify the user and the security admin
Audit log
Every security-settings change creates an audit-log entry. View the log from the Audit sub-tab. Each entry includes the actor, the setting changed, the old and new values, and timestamp.
Limits and gotchas
- Locking yourself out via IP allowlist is recoverable only via support — keep a bypass account.
- MFA enrollment is per-user; admins can’t pre-enroll on behalf of users.
- Session timeout changes don’t affect already-authenticated sessions until they expire naturally.
- Password policy changes apply only to direct-login accounts. SSO-only orgs see no effect.
Related
- SSO overview — Federated identity that often supersedes Empuls password policy.
- Access control — Pair with security settings for role-based hardening.
- Manage employees — Unlock individual accounts when needed.