Security settings
mizuiro handles the platform-level security decisions behind the scenes. This page covers the settings that are yours to configure - the controls that let you tune the balance between security and convenience for your specific team.
All of the settings below are at Settings - Security.
2FA is mandatory for every account in your company and can’t be turned off. What you can control is how often your team is prompted for it.
When Allow trusted browsers is on, the 2FA prompt shows a “Trust this browser for 30 days” checkbox. A team member who checks it won’t be asked for their 2FA code again on that browser for 30 days - just their password.
This is off by default. It’s worth turning on for teams that sign in multiple times a day from the same device, where the constant 2FA prompts are getting in the way of actual work.
Trust is revoked automatically if a team member changes their password, resets their 2FA, or if you turn this setting off. Each person can have up to five trusted browsers at a time; the oldest is dropped when a new one is added.
Warning: Trusted browsers soften 2FA from “every sign-in” to “once a month per device.” That’s a reasonable trade for most small teams. If your company handles particularly sensitive data and you’d rather keep the prompts on every sign-in, leave this off.
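To make the trusted-browser rules above concrete (30-day window, at most five browsers per person with the oldest dropped, trust revoked on password change, 2FA reset, or when the setting is turned off), here is a small model of that policy. It is an added example, not mizuiro’s code; the browser token and the store class are hypothetical, and the dates in the usage are constructed.

```python
from collections import OrderedDict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values as described on this page.
TRUST_DURATION = timedelta(days=30)
MAX_TRUSTED_BROWSERS = 5


class TrustedBrowserStore:
    """Illustrative model of the 'Allow trusted browsers' setting.

    Hypothetical: each browser is identified by an opaque token issued when
    the user ticks 'Trust this browser for 30 days'. Not the real implementation.
    """

    def __init__(self, enabled: bool = False):
        self.enabled = enabled
        # user -> OrderedDict(token -> time trusted), oldest entry first
        self._trusted = {}

    def trust(self, user: str, token: str, now: datetime) -> None:
        """Record a browser as trusted; evict the oldest beyond the limit."""
        if not self.enabled:
            return  # setting is off: the checkbox is never shown, nothing is stored
        browsers = self._trusted.setdefault(user, OrderedDict())
        browsers.pop(token, None)  # re-trusting moves it to newest and restarts the window
        browsers[token] = now
        while len(browsers) > MAX_TRUSTED_BROWSERS:
            browsers.popitem(last=False)  # oldest is dropped

    def needs_second_factor(self, user: str, token: Optional[str], now: datetime) -> bool:
        """True if this sign-in must prompt for the 2FA code (password is always required)."""
        if not self.enabled or token is None:
            return True
        trusted_at = self._trusted.get(user, {}).get(token)
        if trusted_at is None:
            return True
        if now - trusted_at >= TRUST_DURATION:
            self._trusted[user].pop(token)  # 30 days elapsed: trust has lapsed
            return True
        return False

    def revoke_all(self, user: str) -> None:
        """Password change or 2FA reset: every trusted browser for the user is revoked."""
        self._trusted.pop(user, None)

    def disable(self) -> None:
        """Turning the setting off revokes trust for everyone."""
        self.enabled = False
        self._trusted.clear()

    def trusted_count(self, user: str) -> int:
        return len(self._trusted.get(user, {}))


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = TrustedBrowserStore(enabled=True)
    store.trust("alice", "browser-A", t0)
    print(store.needs_second_factor("alice", "browser-A", t0 + timedelta(days=29)))  # False
    print(store.needs_second_factor("alice", "browser-A", t0 + timedelta(days=30)))  # True
```

The store only ever weakens the prompt frequency, never the password check, which matches the page’s statement that trusted browsers still require the password on every sign-in.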
Recovery codes are eight single-use codes that serve as a last resort if someone loses access to their 2FA device. They were generated during your company’s setup wizard and should be stored somewhere offline and safe.
If you’ve used codes or need to rotate them, click Regenerate recovery codes under Settings - Security - Recovery codes. The old codes stop working immediately when new ones are generated.
If someone on your team loses their phone or authenticator app and doesn’t have a recovery code, you can reset their 2FA from their profile page. Go to Sidebar - People - [their name] - Reset 2FA. They’ll be walked through setup again on their next sign-in, and all their active sessions will be terminated immediately.
Warning: Verify who you’re talking to before resetting anyone’s 2FA. A 2FA reset is exactly what an account takeover attempt looks like. Confirm the person’s identity through a trusted channel - a video call, an in-person conversation, or a message through a channel you know is theirs - before acting on the request.
By default, signed-in sessions expire after a period of inactivity. You can adjust the inactivity timeout for your company under Settings - Security. Shorter timeouts are more secure; longer ones are more convenient for teams that leave the app open throughout the day.
Sessions also have a hard maximum of eight hours regardless of activity, after which everyone is asked to sign in again.
If your team is based in one country and you want to prevent sign-ins from anywhere else, you can set an allowed country list under Settings - Security. Sign-in attempts from outside the allowed countries will be blocked.
This is off by default and optional. It’s most useful for companies that have no reason to allow access from outside their home country and want an extra layer of protection against remote account compromise.
Warning: Test this carefully before relying on it. If you’re travelling or if a team member is working remotely from another country, they’ll be blocked. Make sure you have a plan for legitimate exceptions before enabling country restrictions.
For tighter control, you can restrict sign-ins to specific IP addresses or ranges under Settings - Security. This is useful if your whole team works from a fixed office network and you want to ensure access is only possible from that location.
Like country restrictions, this is off by default and should be tested before you rely on it. Locking yourself out via an IP restriction can only be resolved by contacting mizuiro support.
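Because a mistaken IP restriction can only be undone by contacting support, it is worth checking a proposed allow list against recent sign-ins before enabling it. The dry-run below is an added example, not a mizuiro feature: the allow-list entries, the sign-in sample and the admin address are all constructed values (RFC 5737/3849 documentation ranges), and the matching uses Python’s standard ipaddress module the same way an allow list of addresses and CIDR ranges would be evaluated.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample allow list, written the way you might type it into the setting.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.7"]

# Constructed sample of recent sign-ins as (user, source IP); not real data.
RECENT_SIGNINS = [
    ("alice", "203.0.113.42"),
    ("bob", "203.0.113.200"),
    ("carol", "198.51.100.7"),
    ("dave", "192.0.2.15"),      # working from home: would be blocked
    ("erin", "2001:db8::1"),     # IPv6 client: not covered by an IPv4-only list
]

# Constructed: the address the admin is currently signed in from.
ADMIN_IP = "203.0.113.10"


def parse_allow_list(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Convert entries to network objects; a bare address becomes a single-host network.

    Raises ValueError on a malformed entry so a typo is caught before enabling.
    """
    networks = []
    for raw in entries:
        try:
            networks.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid allow-list entry {raw!r}: {exc}") from None
    return networks


def is_allowed(ip: str, networks: List[ipaddress._BaseNetwork]) -> bool:
    """True if the address falls inside any allowed network (IPv4/IPv6 never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def dry_run(signins, entries) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Classify recent sign-ins as (allowed, blocked) under a proposed list, without enabling it."""
    networks = parse_allow_list(entries)
    allowed, blocked = [], []
    for user, ip in signins:
        (allowed if is_allowed(ip, networks) else blocked).append((user, ip))
    return allowed, blocked


def admin_is_covered(admin_ip: str, entries: Iterable[str]) -> bool:
    """Guard against the lockout the page warns about: the enabling admin must be on the list."""
    return is_allowed(admin_ip, parse_allow_list(entries))


if __name__ == "__main__":
    ok, blocked = dry_run(RECENT_SIGNINS, ALLOWED_RANGES)
    for user, ip in blocked:
        print(f"would be BLOCKED: {user} from {ip}")
    if not admin_is_covered(ADMIN_IP, ALLOWED_RANGES):
        print("refusing to proceed: your own address is not in the allow list")
```

Run it against a real export of recent sign-in addresses before turning the restriction on; anyone it lists as blocked needs either an added range or a plan for exceptions, as the page advises.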