Organization Policies

Force all organization members to set up two-factor authentication (TOTP, hardware key, or authenticator app). Members without 2FA will be prompted to configure it at their next sign-in and cannot access the vault until they do.

Non-owner/admin members must sign in through your configured SAML 2.0 or OpenID Connect provider. Direct email/password login is disabled for non-admin members. This ensures your identity provider remains the single source of truth for authentication.

See the SSO Setup Guide for configuration details.

Enforce minimum standards for master passwords across the organization. Configurable options:

• Minimum length — Set a minimum character count (recommended: 12+).
• Require uppercase — At least one uppercase letter.
• Require lowercase — At least one lowercase letter.
• Require numbers — At least one numeric digit.
• Require special characters — At least one symbol, with configurable minimum count.
• Minimum complexity score — An overall complexity threshold combining all criteria.
• Require change on existing passwords — Force members with non-compliant master passwords to update on next sign-in.

Define the maximum vault session timeout and what happens when it expires. Options:

• Max timeout (minutes) — The longest period a vault can stay unlocked while idle.
• Timeout action — Choose between lock (requires master password to re-enter) or sign out (full re-authentication required).

Disable PIN-based unlock on web, browser extension, and desktop clients. This forces members to use their master password or biometrics, preventing the use of weaker PIN codes for vault access.

Automatically block IP addresses after too many failed sign-in attempts. Configurable options:

• Max attempts — Number of failed attempts before blocking (default: 5).
• Window (minutes) — The time window in which attempts are counted (default: 15 minutes).
• Block duration (minutes) — How long the IP stays blocked (default: 30 minutes).

This is enforced server-side — blocked IPs receive a clear error message and must wait for the block to expire.

Allows admins to reset member master passwords. When enabled, admins can initiate a password reset for any member — critical for when an employee forgets their master password but needs continued access to organization data.

Members cannot join or create other organizations while they are part of this one. This is a foundational policy that several other policies depend on — it ensures organizational data boundaries cannot be bypassed by joining a second organization.

Non-admin members cannot export vault data to CSV or other formats. This prevents data exfiltration by limiting who can bulk-export credentials. Admins retain export capability for backup and compliance purposes.

Items created within the organization vault belong to the organization, not to individual members. When a member leaves or is removed, their organization items are retained — preventing data loss during offboarding.

Prevents members from creating credit/debit card items in the organization vault. Useful for organizations that handle payment card data separately or need to comply with PCI DSS restrictions on where card data is stored.

Enforce minimum requirements for the built-in password generator so that all generated passwords meet your security standards. Options include:

• Type — Random password or passphrase.
• Minimum length — For random passwords.
• Character requirements — Uppercase, lowercase, numbers, special characters.
• Passphrase options — Minimum word count, capitalize words, include numbers.

Members can still increase requirements above the policy minimum, but cannot go below it.

Automatically enable autofill on page load in the browser extension. When active, the extension will offer to fill credentials without requiring the member to manually trigger it — improving adoption and reducing friction.

Set the default URI matching method used by the browser extension across the organization. Options typically include base domain, host, starts with, exact match, and regular expression. This ensures consistent autofill behavior.

Require members to confirm before the extension autofills credentials on a page. Adds a confirmation step that prevents accidental credential submission on phishing pages or mismatched URLs.

When new members sign up or are invited, they are required to install the Passwall browser extension as part of onboarding. This ensures consistent credential management and autofill availability across the team.

Define rules that restrict organization access based on network criteria. Each rule specifies:

• Type — IP address, CIDR range, or country.
• Value — The specific IP, range (e.g., 10.0.0.0/8), or country code.
• Action — Allow, deny, or report (log only).

Rules are evaluated on every organization API request. Use allowlists for office networks and block known problematic ranges. The "report" action lets you monitor traffic before enforcing blocks.

Prevent users with your claimed email domains from creating Passwall accounts outside of your organization. If your organization owns @yourcompany.com, new sign-ups with that domain will be directed to join your organization instead of creating independent accounts.

Prevent members from sharing vault items with users outside the organization. Sharing is limited to shared collections within the organization boundary. This prevents accidental or intentional data leakage to external parties.

Configure organization-wide defaults for Secure Send. Options include controlling whether the sender's email is visible to recipients by default.

Non-admin members cannot create or edit Secure Send items. This completely disables the Send feature for regular members, while admins retain full access. Use this when your data governance requirements prohibit any external data sharing mechanism.