Security and MFA
Security features available in WatchTower for operators and administrators.
Security controls in WatchTower
- role-based access control
- HttpOnly session cookies for console access
- organization-scoped ingestion API keys
- invite-based user onboarding
- audit logs for sensitive actions
- MFA with TOTP authenticator apps
- password reset and change-password flows
MFA
Users can enroll in MFA from the Security tab, either by scanning a QR code or by copying the secret manually into an authenticator app such as 1Password, Google Authenticator, or Microsoft Authenticator.
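The enrollment above is standard TOTP (RFC 6238): the QR code encodes an otpauth:// URI whose secret parameter is the same base32 string a user would copy manually, and the app then derives a six-digit code from HMAC-SHA1 over the current 30-second time step. The following is an added illustration, not WatchTower's own code; the verifier class, its one-step skew window and the replay guard are assumptions about how a server should check the code, and the secret is the RFC 6238 test-vector key rather than anything from the product.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

TIME_STEP = 30   # seconds per TOTP window (the "period" encoded in the QR code)
DIGITS = 6       # code length the authenticator apps above display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TIME_STEP)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrollment QR code encodes. The base32 value in
    'secret=' is exactly what a user copies when enrolling manually."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


class TotpVerifier:
    """Assumed server-side check: accepts codes from the previous, current and
    next time step (clock skew), and remembers the last accepted step so the
    same code cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // TIME_STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed: reject replays of an accepted code
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret (constructed input, not a real key).
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.com", "WatchTower"))
    print(totp(secret, 59))  # 287082 per the RFC 6238 SHA1 test vectors
```

The replay guard matters because a TOTP code stays valid for the whole window; without it, a code observed over the shoulder or phished seconds earlier is still accepted once. The server must also keep the shared secret under the same protection as a password hash would get, since anyone holding it can generate valid codes.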
Password management
- forgot password
- reset token verification
- password reset completion
- authenticated password change
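The four flows above fit together as one token lifecycle: the forgot-password step mints a random token and stores only its hash, verification checks that the hash exists, is unexpired and unused, and completion consumes the token before setting the new password hash. The in-memory store below is an added illustration of that lifecycle and not WatchTower's code; the 15-minute lifetime, the PBKDF2 work factor and all method names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
PBKDF2_ROUNDS = 100_000       # assumed work factor for stored password hashes


def _token_hash(token: str) -> str:
    # Only the hash is persisted, so a leaked reset table cannot be redeemed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetStore:
    """Hypothetical in-memory model of the password flows listed above."""

    def __init__(self) -> None:
        self._passwords: dict = {}   # user_id -> (salt, pbkdf2 digest)
        self._resets: dict = {}      # token hash -> ResetRecord

    # password storage used by every flow
    def set_password(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._passwords[user_id] = (salt, digest)

    def check_password(self, user_id: str, password: str) -> bool:
        if user_id not in self._passwords:
            return False
        salt, digest = self._passwords[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    # forgot password
    def begin_reset(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._resets[_token_hash(token)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
        return token   # goes into the e-mailed link; the raw value is never stored

    # reset token verification
    def verify_reset_token(self, token: str, now: float) -> Optional[str]:
        rec = self._resets.get(_token_hash(token))
        if rec is None or rec.used or now > rec.expires_at:
            return None
        return rec.user_id

    # password reset completion
    def complete_reset(self, token: str, new_password: str, now: float) -> bool:
        user_id = self.verify_reset_token(token, now)
        if user_id is None:
            return False
        # Consume this token and every other outstanding token for the user.
        for rec in self._resets.values():
            if rec.user_id == user_id:
                rec.used = True
        self.set_password(user_id, new_password)
        return True

    # authenticated password change
    def change_password(self, user_id: str, current_password: str, new_password: str) -> bool:
        if not self.check_password(user_id, current_password):
            return False
        self.set_password(user_id, new_password)
        return True
```

Two details carry the security value: the store never holds a redeemable token, only its SHA-256, and completion marks the token used before the new password is written, so a link cannot be replayed even if the same e-mail is opened twice.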
Team access
- active members
- pending invites
- member roles
- least-privilege access
Recommended practices
- require MFA for administrators and risk leads
- rotate ingestion keys when integrations change
- keep platform-admin access tightly controlled
- review audit logs for sensitive operational changes
Operator security baseline
Treat WatchTower as a production operations system. Strong access control and key hygiene should be part of the default rollout, not an afterthought.