Security Settings
Security settings control authentication requirements and data protection policies for your organisation. Access: Settings → Organisation → Security (Org Admin only).
Two-Factor Authentication (2FA)
| Setting | Options | Default |
|---|---|---|
| Require 2FA for all members | On / Off | Off |
| Grace period | 0–30 days | 7 days |
Behaviour when 2FA is enforced
- Existing members: Receive a notification on their next login with a countdown to the grace period deadline. They can continue accessing Kazinex during the grace period.
- New members: Must set up 2FA during their first login session before accessing any project.
- After grace period expires: Members who have not set up 2FA are prompted to complete setup on every login before accessing the organisation.
Supported 2FA methods
- TOTP authenticator apps (Google Authenticator, Authy, Microsoft Authenticator)
- Email OTP (fallback, if enabled by Kazinex support)
2FA compliance monitoring
Go to Settings → Team to see 2FA status for each member:
- Enabled — 2FA is set up
- Pending — notified but not yet set up (within grace period)
Tutorial: Org Branding & Security Setup includes a step-by-step 2FA rollout process. See also Security Hardening admin guide for an enterprise rollout checklist.
Default Project Roles
| Setting | Options | Default |
|---|---|---|
| Default role for new project invites | reviewer / initiator / viewer | reviewer |
When a Project Admin invites a new member without specifying a role, this default applies. Change to viewer for projects where you want new members to have read-only access until explicitly upgraded.
File Type Restrictions
| Setting | Options | Default |
|---|---|---|
| Restriction mode | Allow all / Allowlist | Allow all |
| Allowed types (Allowlist mode) | Configure MIME types and extensions | — |
When to use an Allowlist
- Your organisation does not want non-document files (executables, scripts, archives) stored in the document register
- Compliance requirements mandate specific file formats only
- Your storage provider has a known performance issue with certain file types
Configuring the allowlist
- Toggle Restriction mode to Allowlist.
- Click Add File Type → enter extension (.pdf) and MIME type (application/pdf).
- Repeat for each permitted type.
- Click Save.
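Before switching from Allow all to Allowlist, it helps to dry-run the draft list against files already in the register to see what would be rejected. The script below is an added example, not Kazinex code: the matching rule (final extension listed and declared MIME type equal to its paired type), the `.dwg` and `.xlsx` entries, and the sample inventory are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Draft allowlist, extension -> MIME type, as entered under Add File Type.
# The .pdf pair is from the steps above; the other two are constructed.
ALLOWLIST = {
    ".pdf": "application/pdf",
    ".dwg": "image/vnd.dwg",
    ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}

def check_file(name, declared_mime, allowlist=ALLOWLIST):
    """Return (allowed, reason) for one file.

    Assumed rule: the final extension must be listed AND the declared MIME
    type must equal the type paired with that extension.
    """
    suffixes = PurePosixPath(name).suffixes
    if not suffixes:
        return False, "no extension"
    ext = suffixes[-1].lower()  # archive.tar.gz is judged as .gz
    if ext not in allowlist:
        return False, f"extension {ext} not listed"
    mime = declared_mime.split(";")[0].strip().lower()  # drop parameters
    if mime != allowlist[ext]:
        return False, f"MIME {mime} does not match {ext}"
    return True, "ok"

def dry_run(inventory, allowlist=ALLOWLIST):
    """Group the files that would be rejected, keyed by rejection reason."""
    rejected = {}
    for name, declared_mime in inventory:
        allowed, reason = check_file(name, declared_mime, allowlist)
        if not allowed:
            rejected.setdefault(reason, []).append(name)
    return rejected

# Constructed sample inventory: (file name, declared MIME type).
SAMPLE = [
    ("site-plan.pdf", "application/pdf"),
    ("Site-Plan.PDF", "application/pdf"),
    ("setup.exe", "application/x-msdownload"),
    ("invoice.pdf", "application/x-msdownload"),  # extension and type disagree
    ("archive.tar.gz", "application/gzip"),
    ("README", "text/plain"),
]

if __name__ == "__main__":
    for reason, names in dry_run(SAMPLE).items():
        print(f"{reason}: {', '.join(names)}")
```

Each reason group in the output points either to a file type to add to the allowlist or to files that need cleaning up before the restriction is enabled.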
See File Restrictions guide for recommended allowlists for construction, engineering, and professional services projects.
Guest Access Policy
| Setting | Options | Default |
|---|---|---|
| Allow guest shares | On / Off | On |
| Maximum guest share expiry | 7 / 14 / 30 / 90 days / No limit | No limit |
| Allow download on guest shares | Admin controls only / Sender controls / Off | Sender controls |
Set Maximum guest share expiry to enforce a maximum link duration — individual Project Admins can set shorter expiry but not longer.
What's next
- Security Hardening admin guide — enterprise rollout checklist for 2FA and access policies
- File Restrictions guide — detailed file type configuration
- Settings Overview — all settings sections