Settings > Security controls how users authenticate and what your org enforces.
Multi-factor authentication (MFA)
TOTP-based 2FA via authenticator apps (Google Authenticator, Authy, 1Password). Three modes:
- Optional — users opt in individually.
- Required for admins — Owner/Admin must enable MFA; others optional.
- Required for everyone — all users must enable MFA; new users are prompted at first login.
Recovery codes
When a user enables MFA, Tormano generates 10 single-use recovery codes for backup access. Print or save them somewhere safe.
Single Sign-On (SSO)
Three options:
- Google — "Continue with Google" button on the login page.
- Microsoft — "Continue with Microsoft" button.
- SAML (Enterprise plans) — connect your Okta, Azure AD, OneLogin, etc. Tormano provides the metadata XML to upload to your IdP.
When SAML is configured with Enforce SSO, password login is disabled and users must authenticate through your IdP. Useful for large orgs that mandate SSO across all SaaS.
Active sessions
Each user can view and revoke their own sessions at /settings/profile > Sessions. Admins can force-logout any user's sessions from /settings/users > [user] > Sessions. Useful when an employee leaves.
Login alerts
Optional email alerts when a user signs in from a new device or location. Toggled per-user in profile settings.