How-to
Set up authentication
Email, MFA, and SSO. How sessions, recovery, and step-up auth behave.
Email + MFA
Every Console user signs in with email and is required to enrol an authenticator app on second login. Recovery codes are issued at enrolment — store them in your password manager, not on paper.
SSO
For SAML or OIDC, see Admin → SSO. Once SSO is on, email-only sign-in is disabled by default for that tenant.
Step-up auth
High-impact actions (deleting a tenant, changing roles, exporting raw evidence) re-prompt for MFA even within a valid session.
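The step-up rule above, sketched as an added example rather than the Console's own code: a valid session is enough for ordinary actions, while each high-impact action needs a fresh MFA proof. The action identifiers, the 120-second proof lifetime, and the choice to bind each proof to one action and one use are assumptions made for illustration; the page does not state them.

```python
import secrets
import time
from dataclasses import dataclass, field

# The three high-impact actions named on this page; identifiers are hypothetical.
HIGH_IMPACT = {"tenant.delete", "role.change", "evidence.export_raw"}
PROOF_TTL = 120  # seconds; assumed value, the page gives no window


@dataclass
class Session:
    user: str
    expires_at: float
    proofs: dict = field(default_factory=dict)  # token -> (action, expiry)


def complete_mfa_challenge(session, action, code_ok, now=None):
    """Issue a one-time proof for `action` once the authenticator code checked out.

    `code_ok` stands in for the real authenticator verification (assumption).
    """
    now = time.time() if now is None else now
    if not code_ok:
        return None
    token = secrets.token_urlsafe(16)
    session.proofs[token] = (action, now + PROOF_TTL)
    return token


def authorize(session, action, proof=None, now=None):
    """Return 'allowed', 'mfa_required' or 'login_required'."""
    now = time.time() if now is None else now
    if now >= session.expires_at:
        return "login_required"
    if action not in HIGH_IMPACT:
        return "allowed"  # a valid session is sufficient
    # Single use: the proof is consumed on presentation, whatever the outcome.
    entry = session.proofs.pop(proof, None)
    if entry is None:
        return "mfa_required"
    bound_action, expiry = entry
    if bound_action != action or now > expiry:
        return "mfa_required"  # proof was for another action, or is stale
    return "allowed"
```

Binding the proof to the action means a prompt answered for a role change cannot be reused to delete a tenant from the same session.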