Overview

Obeya Cloud is designed with security as a priority. This guide covers the security features available to organization admins, including authentication policies, session management, and data protection.

Two-Factor Authentication (2FA)

Enabling 2FA for Your Account

  1. Open Security Settings: go to your Profile > Security > Two-Factor Authentication.
  2. Choose Method: select your preferred 2FA method:
       • Authenticator App (Google Authenticator, Authy, 1Password)
       • SMS (phone number verification)
       • Security Key (WebAuthn/FIDO2 hardware keys like YubiKey)
  3. Verify Setup: scan the QR code with your authenticator app and enter the verification code to confirm.
  4. Save Recovery Codes: download and securely store your recovery codes. These are needed if you lose access to your 2FA device.
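The server side of steps 3 and 4, as an added example rather than Obeya Cloud's own code: verifying the six-digit code an authenticator app produces (RFC 6238 TOTP over RFC 4226 HOTP), tolerating one step of clock skew, refusing replays of an already accepted code, and issuing recovery codes that are stored only as hashes and burned on first use. The secret is the RFC 6238 reference test secret in base32, the same form an enrollment QR code carries; function names are my own.

```python
# Added example (not Obeya Cloud code): server-side TOTP verification and recovery codes.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set, Tuple

# RFC 6238 reference secret "12345678901234567890", base32-encoded. Test-only value.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(base64.b32decode(secret_b32.upper()), at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Return (accepted, counter_to_record).

    Accepts the current step plus `window` steps either side to absorb clock skew, compares
    in constant time, and refuses any counter at or below the last accepted one, so a code
    that was already used (or observed in transit) cannot be replayed inside the window."""
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_used_counter
    now = int(time.time()) if at is None else at
    current = now // step
    secret = base64.b32decode(secret_b32.upper())
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


def generate_recovery_codes(n: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (plaintext codes shown to the user once, SHA-256 hashes to persist).
    Only the hashes are stored, so a database leak does not hand out working codes."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 40 bits of entropy each
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_recovery_code(stored: Set[str], submitted: str) -> bool:
    """Single-use: the matching hash is removed so the same code cannot be presented twice."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False
```

Recording the accepted counter per user (the second element of the tuple) is what turns a TOTP check from "is this code valid right now" into "has this exact code already been spent", which matters because a code stays valid for up to 90 seconds with a one-step window.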

Enforcing 2FA for All Members

Admins can require 2FA for all organization members:
  1. Go to Settings > Security > Authentication
  2. Toggle Require Two-Factor Authentication
  3. Set a grace period (e.g., 7 days) for existing members to enable 2FA
When 2FA is enforced, members who have not set up 2FA will be prompted on every login. After the grace period, they will be locked out until 2FA is configured.

Single Sign-On (SSO)

Business and Enterprise plans support SSO via SAML 2.0 and OpenID Connect (OIDC).

Supported Identity Providers

  • Okta
  • Microsoft Entra ID (Azure AD)
  • Google Workspace
  • OneLogin
  • Auth0
  • Any SAML 2.0 compliant provider

Configuring SSO

  1. Open SSO Settings: go to Settings > Security > Single Sign-On.
  2. Choose Protocol: select SAML 2.0 or OIDC based on your identity provider.
  3. Enter Provider Details: for SAML, enter the SSO URL, Entity ID, and upload the IdP certificate. For OIDC, enter the Client ID, Client Secret, and Discovery URL.
  4. Test Configuration: click Test SSO to verify the configuration before enforcing it.
  5. Enforce SSO: optionally require all members to sign in via SSO. Password-based login will be disabled.

Session Management

Setting             | Description                     | Default
--------------------|---------------------------------|----------
Session Duration    | How long a session stays active | 30 days
Idle Timeout        | Auto-logout after inactivity    | 8 hours
Concurrent Sessions | Max active sessions per user    | Unlimited
Remember Me         | Allow persistent login cookies  | Enabled

Active Sessions

Users can view and revoke their active sessions from Profile > Security > Active Sessions. Admins can revoke sessions for any user from the member management page.
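How the four settings and the Active Sessions controls fit together server-side, as an added example (my own class and method names, not Obeya Cloud's implementation): an absolute lifetime that activity never extends, an idle clock that activity resets, a per-user cap that evicts the least recently used session, a Remember Me flag the organization policy can veto, and user/admin revocation. Defaults mirror the table.

```python
# Added example (not Obeya Cloud code): a session store applying the policy settings above.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionPolicy:
    session_duration: int = 30 * 24 * 3600     # 30 days, absolute lifetime
    idle_timeout: int = 8 * 3600               # 8 hours without activity
    concurrent_sessions: Optional[int] = None  # None = Unlimited
    remember_me: bool = True                   # allow persistent cookies


@dataclass
class Session:
    token: str
    user: str
    created: int
    last_seen: int
    persistent: bool


class SessionStore:
    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: int, remember_me: bool = False) -> Session:
        """Issue a new session; evict the least recently used one if the user is at the cap."""
        cap = self.policy.concurrent_sessions
        if cap is not None:
            active = self.active_for_user(user, now)
            while len(active) >= cap:
                oldest = min(active, key=lambda s: s.last_seen)
                self.revoke(oldest.token)
                active.remove(oldest)
        persistent = remember_me and self.policy.remember_me  # policy can veto Remember Me
        session = Session(secrets.token_urlsafe(32), user, now, now, persistent)
        self._sessions[session.token] = session
        return session

    def validate(self, token: str, now: int) -> Tuple[bool, str]:
        """Check a presented token; returns (ok, reason). Expired and idle sessions are
        dropped immediately so they cannot come back if a clock moves backwards."""
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown"
        if now - session.created >= self.policy.session_duration:
            self.revoke(token)
            return False, "expired"
        if now - session.last_seen >= self.policy.idle_timeout:
            self.revoke(token)
            return False, "idle"
        session.last_seen = now  # activity resets the idle clock, never the absolute one
        return True, "ok"

    def revoke(self, token: str) -> bool:
        """User action under Active Sessions: revoke one session."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for_user(self, user: str) -> int:
        """Admin action from the member management page: drop every session of a user."""
        tokens = [t for t, s in self._sessions.items() if s.user == user]
        for t in tokens:
            self.revoke(t)
        return len(tokens)

    def active_for_user(self, user: str, now: int) -> List[Session]:
        """Sessions a user would see under Active Sessions (still within both limits)."""
        return [s for s in self._sessions.values() if s.user == user
                and now - s.created < self.policy.session_duration
                and now - s.last_seen < self.policy.idle_timeout]

    def cookie_header(self, session: Session, now: int) -> str:
        """Set-Cookie value. Max-Age only for Remember Me sessions, otherwise a browser-session
        cookie; HttpOnly/Secure/SameSite keep the token away from scripts and cross-site posts."""
        parts = [f"session={session.token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
        if session.persistent:
            remaining = self.policy.session_duration - (now - session.created)
            parts.append(f"Max-Age={max(remaining, 0)}")
        return "; ".join(parts)
```

Note that revocation is only meaningful because every request goes back to the store: with a self-contained signed cookie there is nothing to revoke, so the Active Sessions feature implies server-side session state or a denylist checked on each request.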

Password Policy

Configure password requirements for email-based authentication:
  • Minimum length — Default: 8 characters, configurable up to 128
  • Complexity requirements — Require uppercase, lowercase, numbers, and special characters
  • Password history — Prevent reusing the last N passwords
  • Expiration — Force password changes every N days (optional)
  • Breached password check — Reject passwords found in known data breaches (via HaveIBeenPwned)
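An added example, not Obeya Cloud's own code, showing how each of the options above is enforced when a new password is submitted: length and complexity rules, history checked against stored PBKDF2 hashes (so old passwords are never kept in clear), optional expiration, and the HaveIBeenPwned k-anonymity check, in which only the first five hex characters of the password's SHA-1 leave the server and the full hash is matched locally against the returned suffixes. The HIBP range API is replaced by a constructed offline stand-in built from a few known-bad passwords, so the block runs without network access.

```python
# Added example (not Obeya Cloud code): enforcing the password policy options above.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List, Optional

PBKDF2_ITERATIONS = 200_000  # lowered for a quick demo; use the current OWASP figure in production


@dataclass
class PasswordPolicy:
    min_length: int = 8                # default in the list above; configurable up to 128
    max_length: int = 128
    require_complexity: bool = True
    history: int = 5                   # last N password hashes that may not be reused
    expiry_days: Optional[int] = None  # None = no forced rotation
    check_breached: bool = True


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as a self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-in for the HIBP "range" endpoint: given a 5-char SHA-1 prefix it returns
# "SUFFIX:COUNT" lines like the real API, built from a tiny list of known-bad passwords.
_BREACHED_SAMPLE = ["password", "123456", "qwerty", "letmein"]


def fake_hibp_range(prefix: str) -> str:
    lines = []
    for pw in _BREACHED_SAMPLE:
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:12345")
    return "\r\n".join(lines)


def is_breached(password: str, range_lookup: Callable[[str], str]) -> bool:
    """k-anonymity lookup: send only the SHA-1 prefix, compare suffixes locally."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in range_lookup(prefix).splitlines():
        if line and line.split(":")[0] == suffix:
            return True
    return False


def evaluate(password: str, policy: PasswordPolicy, previous_hashes: List[str],
             range_lookup: Callable[[str], str] = fake_hibp_range) -> List[str]:
    """Return every policy violation for a candidate password (empty list = accepted)."""
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    if policy.require_complexity:
        missing = []
        if not any(c.isupper() for c in password):
            missing.append("uppercase letter")
        if not any(c.islower() for c in password):
            missing.append("lowercase letter")
        if not any(c.isdigit() for c in password):
            missing.append("digit")
        if not any(not c.isalnum() for c in password):
            missing.append("special character")
        if missing:
            problems.append("missing " + ", ".join(missing))
    recent = previous_hashes[-policy.history:] if policy.history > 0 else []
    if any(verify_password(password, h) for h in recent):
        problems.append(f"reused one of the last {policy.history} passwords")
    if policy.check_breached and is_breached(password, range_lookup):
        problems.append("found in a known data breach")
    return problems


def password_expired(last_changed: int, policy: PasswordPolicy, now: int) -> bool:
    """Expiration check for the optional forced-rotation setting (epoch seconds)."""
    if policy.expiry_days is None:
        return False
    return now - last_changed >= policy.expiry_days * 86400
```

The history check is the expensive part, since each comparison is a full PBKDF2 run; a history of five means up to five hash computations per password change, which is acceptable, whereas checking history on every login would not be.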

IP Allowlisting

Enterprise plans can restrict access to specific IP addresses or CIDR ranges. Go to Settings > Security > IP Allowlist to configure. Members accessing from non-allowed IPs will be denied access.
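The allowlist decision as an added example (not Obeya Cloud's implementation), including the part that is easy to get wrong behind a load balancer: the client address may be taken from `X-Forwarded-For` only when the direct peer is one of your own trusted proxies, otherwise anyone can put an allowed address in the header. All addresses are constructed documentation ranges.

```python
# Added example (not Obeya Cloud code): evaluating an IP/CIDR allowlist behind proxies.
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_allowlist(entries: List[str]) -> List[Network]:
    """Parse "203.0.113.0/24" or single addresses; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(ip_text: str, allowlist: List[Network]) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # unparseable input is denied, never silently allowed
    return any(ip in net for net in allowlist)


def client_ip(remote_addr: str, forwarded_for: Optional[str], trusted_proxies: List[str]) -> str:
    """Pick the address to check. Walk X-Forwarded-For from the right, skipping our own
    proxies; the first untrusted hop is the client. If the direct peer is not a trusted
    proxy the header is attacker-controlled and ignored."""
    trusted = build_allowlist(trusted_proxies)
    if not forwarded_for or not is_allowed(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_allowed(hop, trusted):
            return hop
    return remote_addr


def access_decision(remote_addr: str, forwarded_for: Optional[str],
                    trusted_proxies: List[str], allowlist_entries: List[str]) -> bool:
    """True if the resolved client address falls inside the organization's allowlist."""
    client = client_ip(remote_addr, forwarded_for, trusted_proxies)
    return is_allowed(client, build_allowlist(allowlist_entries))
```

Walking the header from the right rather than taking its first entry matters because a client can send a pre-populated `X-Forwarded-For`; the proxies you control append to the end, so only the hops adjacent to your proxies are trustworthy.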

Audit Log

The audit log records all security-relevant events:
  • Login attempts (successful and failed)
  • Password changes
  • 2FA changes
  • Role changes
  • Member invitations and removals
  • SSO configuration changes
  • Data exports
Access the audit log from Settings > Security > Audit Log. Logs are retained for 1 year (Enterprise: unlimited).
Audit logs can be exported as CSV or streamed to your SIEM system via webhook on Enterprise plans.
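Two detections a SIEM could run over the exported or streamed events, as an added example that is not Obeya Cloud's code: a burst of failed logins from one source, and a data export shortly after the same actor disabled their 2FA. The JSON Lines below are constructed sample events, and the field names (`ts`, `event`, `actor`, `ip`) are my own assumption rather than a documented export schema; map them to the real column names when wiring this to an actual CSV or webhook feed.

```python
# Added example (not Obeya Cloud code): detections over constructed audit-log events.
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events (JSON Lines). Field names are assumed, not a documented schema.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:00:05Z", "event": "login.failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2024-05-01T09:00:41Z", "event": "login.failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2024-05-01T09:01:12Z", "event": "login.failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2024-05-01T09:01:50Z", "event": "login.failed", "actor": "carol", "ip": "203.0.113.9"}
{"ts": "2024-05-01T09:02:03Z", "event": "login.failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2024-05-01T09:02:44Z", "event": "login.failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2024-05-01T09:03:10Z", "event": "login.success", "actor": "carol", "ip": "203.0.113.9"}
{"ts": "2024-05-01T10:00:00Z", "event": "2fa.disabled", "actor": "bob", "ip": "203.0.113.50"}
{"ts": "2024-05-01T10:20:00Z", "event": "data.export", "actor": "bob", "ip": "203.0.113.50"}
{"ts": "2024-05-01T11:00:00Z", "event": "2fa.disabled", "actor": "dave", "ip": "203.0.113.77"}
{"ts": "2024-05-01T13:30:00Z", "event": "data.export", "actor": "dave", "ip": "203.0.113.77"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON Lines and add an epoch-seconds field `t` derived from the ISO-8601 `ts`."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["t"] = int(datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).timestamp())
        events.append(ev)
    return sorted(events, key=lambda e: e["t"])


def detect_failed_login_bursts(events: List[dict], threshold: int = 5,
                               window_s: int = 600) -> List[Tuple[str, str, int]]:
    """Alert when one (actor, ip) pair reaches `threshold` failed logins within `window_s`."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["event"] != "login.failed":
            continue
        key = (ev["actor"], ev["ip"])
        q = recent[key]
        q.append(ev["t"])
        while q and ev["t"] - q[0] > window_s:  # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["actor"], ev["ip"], ev["t"]))
            q.clear()  # one alert per burst, not one per additional attempt
    return alerts


def detect_2fa_disable_then_export(events: List[dict],
                                   within_s: int = 3600) -> List[Tuple[str, int, int]]:
    """Alert when an actor exports data within `within_s` of disabling their own 2FA."""
    last_disabled: Dict[str, int] = {}
    alerts = []
    for ev in events:
        if ev["event"] == "2fa.disabled":
            last_disabled[ev["actor"]] = ev["t"]
        elif ev["event"] == "data.export" and ev["actor"] in last_disabled:
            gap = ev["t"] - last_disabled[ev["actor"]]
            if 0 <= gap <= within_s:
                alerts.append((ev["actor"], last_disabled[ev["actor"]], ev["t"]))
    return alerts


def run_detections(text: str) -> Dict[str, list]:
    events = parse_events(text)
    return {
        "failed_login_burst": detect_failed_login_bursts(events),
        "2fa_disabled_then_export": detect_2fa_disable_then_export(events),
    }
```

Both rules key on the actor rather than the IP alone so that a distributed attempt spread across addresses still shows up per account, and the sequence rule is only possible because the log records both 2FA changes and data exports with a shared actor field; retention of at least a year is what lets the same rules be run retrospectively during an investigation.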