Skip to main content
The Security page gives you control over authentication requirements, active sessions, and a full audit trail for your workspace. It is organized into three tabs: Settings, Sessions, and Audit Log. Tenant Admins and Owners have full access; regular Users can view their own session information but cannot change organization-wide security settings.

Multi-Factor Authentication (MFA)

Enable MFA for your account

MFA adds a second layer of verification at login using an authenticator app (such as Google Authenticator, Authy, or 1Password). To enable MFA for your own account, go to your user profile settings and follow the prompts to scan the QR code and save backup codes.

Enforce MFA for all users

Tenant Admins can require every workspace member to use MFA.
1

Open Security settings

Navigate to the Security page and ensure you are on the Settings tab.
2

Enable the toggle

Find the Require MFA for all users toggle and switch it on. The change saves immediately.
3

Notify your team

Inform your team members that MFA is now required. Anyone without MFA already configured will be prompted to set it up the next time they log in.
When MFA enforcement is active, users who have not yet configured an authenticator app will be blocked from accessing the platform until they complete MFA setup. They will see a setup prompt on their next login.
To disable enforcement, toggle the setting off. Individual users will still have MFA active on their own accounts — disabling enforcement only removes the login requirement for users who have not set it up.

Encryption

All API credentials you enter in MSP Recapp are protected with AES-256-GCM encryption.
  • Credentials are encrypted server-side using a master key stored in secure vault storage.
  • Credentials are never transmitted to or stored in client-side storage (such as localStorage or cookies).
  • Database connection credentials follow the same encryption model; see Connecting your own database for details.
The Encryption Status card on the Settings tab shows a green confirmation banner when encryption is active, which it always is — there is no configuration required.

Sessions

The Sessions tab lists all currently active login sessions for your account, including device type and session start time. You can review this list to spot any unrecognized sessions. To end a session you do not recognize, select it and click Revoke. This immediately signs out that session and the user will need to log in again.

Audit Log

The Audit Log tab provides a paginated, searchable record of all significant events in your workspace. The following event types are tracked:
Event typeWhat it records
LoginSuccessful user sign-ins
LogoutUser sign-outs
Integration SyncEach time an integration sync is triggered
Settings ChangeChanges to profile, terminology, database, or notification settings
Branding ChangeChanges to logo or sidebar colors
Security ChangeChanges to MFA enforcement or other security settings
User InvitedWhen a new invitation is sent
User RemovedWhen a user is removed from the workspace
Role ChangedWhen a user’s role is updated
MFA EnabledWhen a user enables MFA on their account
MFA DisabledWhen a user disables MFA on their account
Each log entry shows the event type, a human-readable description, the user who triggered it, and a timestamp.

Filtering and exporting logs

Use the search bar to filter by description or user email. Use the event-type dropdown to narrow results to a specific category. Apply a date range by clicking the Date Range button and selecting a preset (Today, Last 7 days, Last 30 days, Last 90 days) or a custom range. Export the current filtered view as CSV or PDF using the buttons in the toolbar.

Security recommendations

Use strong passwords

Require passwords with at least 12 characters, including numbers and symbols. Avoid reusing passwords across services.

Enable MFA

Enable MFA on your own account and consider enforcing it for all users in your workspace. Multi-factor authentication significantly reduces the risk of unauthorized access.

Review user access regularly

Periodically audit your Users page. Remove or disable inactive accounts and verify that admin permissions are granted only to those who need them.