Organization Security

此内容尚不支持你的语言。

Capgo provides comprehensive security controls that allow organization administrators to enforce security policies across all members. These features help you meet compliance requirements, protect sensitive data, and maintain a strong security posture.

Overview

The Organization Security settings allow super admins to configure:

Two-Factor Authentication (2FA) Enforcement - Require all members to enable 2FA
Password Policy - Set password complexity requirements
API Key Security - Enforce secure API keys and expiration policies

Accessing Security Settings

Navigate to your organization settings by clicking on your profile
Select Organization Settings
Click on Security in the sidebar

Two-Factor Authentication (2FA) Enforcement

2FA enforcement requires all organization members to have two-factor authentication enabled on their accounts. This adds a critical layer of security by requiring both a password and a verification code.

What Happens When 2FA is Enforced

Members without 2FA are immediately blocked from accessing organization apps
Both the web dashboard and CLI enforce this requirement
New members must enable 2FA before they can access organization resources
The system tracks which members have 2FA enabled in real-time

Enabling 2FA Enforcement

Before enabling, you can see exactly which members will be impacted:

Go to Organization Settings > Security
Review the Members 2FA Status section showing:
- Total members in your organization
- Members with 2FA enabled (compliant)
- Members without 2FA (will be blocked)
Toggle Require 2FA for all members
If members will be impacted, you’ll see a warning with:
- List of affected members and their roles
- Option to copy their email addresses (to notify them)
Confirm to enable enforcement

CLI Support for 2FA Enforcement

You can also manage 2FA enforcement via the CLI:

# Enable 2FA enforcement
npx @capgo/cli organisation set YOUR_ORG_ID --enforce-2fa

# Disable 2FA enforcement
npx @capgo/cli organisation set YOUR_ORG_ID --no-enforce-2fa

# Check member 2FA status
npx @capgo/cli organisation members YOUR_ORG_ID

For detailed information about 2FA enforcement, see the 2FA Enforcement guide.

Password Policy

Password policies allow you to enforce password complexity requirements for all organization members. When a member’s password doesn’t meet the policy requirements, they must update their password before accessing organization resources.

Available Password Requirements

Setting	Description	Range
Minimum Length	Minimum number of characters required	6-128 characters
Require Uppercase	Password must contain at least one uppercase letter (A-Z)	On/Off
Require Number	Password must contain at least one digit (0-9)	On/Off
Require Special Character	Password must contain at least one special character (!@#$%^&*, etc.)	On/Off

Enabling Password Policy

Go to Organization Settings > Security
Find the Password Policy section
Toggle Enforce password policy to enable
Configure your requirements:
- Set the minimum password length (default: 10)
- Enable/disable uppercase letter requirement
- Enable/disable number requirement
- Enable/disable special character requirement
Changes are saved automatically

Member Compliance Tracking

When a password policy is active, you can monitor compliance:

Total Members: Number of members in your organization
Compliant: Members whose passwords meet the policy requirements
Non-Compliant: Members who need to update their passwords

Non-compliant members are listed with their email addresses. You can copy the email list to notify them about the policy and required password changes.

Best Practices for Password Policies

Start with reasonable requirements: A minimum of 10-12 characters with mixed case and numbers provides good security without being overly restrictive
Communicate changes: Notify your team before enabling new password requirements
Allow transition time: Give members time to update their passwords
Consider password managers: Recommend that team members use password managers to generate and store strong passwords

API Key Security

Capgo provides two security controls for API keys: enforcing secure (hashed) API keys and requiring expiration dates.

Enforce Secure API Keys

When enabled, this setting requires all API keys in your organization to be created using the secure/hashed format. Hashed API keys are more secure because:

The actual key value is never stored on our servers
Only you (and your systems) have access to the full key
Even if our database were compromised, your keys couldn’t be used

Enabling Secure API Keys

Go to Organization Settings > Security
Find the API Key Policy section
Toggle Enforce secure API keys
Existing keys are not affected; the policy applies to new key creation

API Key Expiration Policy

You can require all API keys to have an expiration date, limiting their validity period. This is a security best practice that:

Limits the window of exposure if a key is compromised
Ensures regular key rotation
Helps meet compliance requirements for credential management

Configuring Expiration Policy

Go to Organization Settings > Security
Find the API Key Policy section
Toggle Require API key expiration
Set the Maximum expiration days (1-365 days)
- This limits how far in the future expiration dates can be set
- Example: Setting 90 days means keys can expire at most 90 days from creation

Recommended API Key Policies

Use Case	Secure Keys	Expiration	Max Days
Development	Recommended	Optional	30-90
CI/CD Pipelines	Required	Required	90-180
Production	Required	Required	30-90
Enterprise/Compliance	Required	Required	30-60

Compliance and Auditing

Organization security features help you meet various compliance requirements:

Standard	Relevant Features
SOC 2	2FA enforcement, password policies, API key controls
ISO 27001	All security features help demonstrate access control
HIPAA	Strong authentication and access management
GDPR	Data protection through access controls
PCI DSS	Multi-factor authentication, strong passwords

Monitoring Compliance Status

The Security dashboard provides real-time visibility into:

How many members have 2FA enabled
Password policy compliance across your organization
API key security adoption

Use the “Copy email list” feature to easily export lists of non-compliant members for targeted communication.

Troubleshooting

”Access Denied: Security policy not met”

Problem: A member cannot access the organization.

Solutions:

Check if 2FA is enforced - member needs to enable 2FA
Check if password policy is active - member needs to update their password
Verify the member’s compliance status in the Security dashboard

Cannot enable security features

Problem: Security toggles are disabled or not responding.

Solutions:

Ensure you have super_admin role in the organization
Check your network connection
Try refreshing the page
Contact support if the issue persists

API key creation fails

Problem: Cannot create new API keys.

Solutions:

If secure keys are enforced, ensure you’re using the secure key creation flow
If expiration is required, set an expiration date within the allowed range
Check the maximum expiration days setting

Organization Security

Overview

Accessing Security Settings

Two-Factor Authentication (2FA) Enforcement

What Happens When 2FA is Enforced

Enabling 2FA Enforcement

CLI Support for 2FA Enforcement

Password Policy

Available Password Requirements

Enabling Password Policy

Member Compliance Tracking

Best Practices for Password Policies

API Key Security

Enforce Secure API Keys

Enabling Secure API Keys

API Key Expiration Policy

Configuring Expiration Policy

Recommended API Key Policies

Compliance and Auditing

Monitoring Compliance Status

Troubleshooting

”Access Denied: Security policy not met”

Cannot enable security features

API key creation fails

Next Steps