Skip to content

Users, roles & 2FA

Managing who can sign in to the dashboard, what they can do, and securing those accounts.

Roles

RoleScopeCan do
memberone tenantview the workspace
tenant_adminone tenantmanage that tenant's policy, collectors, approvals, users
kilasec_staffall tenantseverything above across every tenant, plus Fleet health and impersonation

Roles are set on the server, not self-selected. Customers get member / tenant_admin; Kilasec operators are kilasec_staff.

Inviting people

Access is invite-based — there's no open signup.

  • A customer admin is onboarded via an invite link (staff mint it on the Invites page). The link is single-use, time-bounded (default 72h), and revocable. Redeeming it creates their account and signs them in.
  • Additional teammates are added by an existing admin from Users & Roles (see Add a teammate).

Two-factor authentication (2FA)

Kilasec supports authenticator-app 2FA (TOTP) with one-time recovery codes.

Enrolling — in Settings → Two-factor authentication, choose Set up 2FA, scan the QR with any authenticator app (Google Authenticator, 1Password, Authy) or enter the key manually, then confirm with a code. You're shown recovery codes once — save them; each works one time if you lose your authenticator.

Signing in with 2FA — after your password, you're prompted for the 6-digit code (or a recovery code). The password step alone does not create a session on a 2FA account.

Turning it off — requires re-entering your password, so a hijacked session can't silently strip the second factor.

Policy: staff should enroll

2FA is required for Kilasec staff accounts (they hold cross-tenant power) and optional for tenant users. Staff who haven't enrolled see a persistent nudge; it's a strong prompt rather than a hard lock so a misconfiguration can't lock the sole administrator out. Turn it on for staff before onboarding real customers.

Lost authenticator (lockout recovery)

If someone loses their authenticator and burns through their recovery codes, a Kilasec staff admin can reset their 2FA (Users, per-user action) — the user then signs in with just their password and re-enrolls. This is the only way back in, so keep at least one staff account recoverable.

Changing a login email

Login email can be changed without disturbing the password or 2FA (they're keyed to the account, not the address). Staff use the admin CLI on the cloud host:

bash
python -m cloud.admin_cli users set-email old@example.com new@example.com

The account then signs in under the new address with the same password and authenticator.

Documentation for kilasec — the AI Agent Firewall.