Overview
Security is where carrier, MGA, and wholesaler administrators tighten organization-wide sign-in for the Turris platform. Today it controls a single but critical lever: requiring every member of your organization to use SMS-based one-time password (OTP) multi-factor authentication on top of the email magic-link login.
What is Security Settings?
Security Settings is the Organization sub-page inside the Settings modal that hardens how members of your organization authenticate into Turris. Instead of leaving multi-factor authentication to each member's own choice, an administrator can flip one toggle and enforce SMS OTP for everyone in the organization in a single action.
Who uses it. Compliance officers, IT administrators, and security leads at carriers, MGAs, and wholesalers, typically the same person who manages user invitations and role assignments under Users (Settings). Their job is to make sure access to producer, policy, and compliance data is protected by a second factor without depending on every member to opt in on their own.
You use Security Settings to:
Enforce a second factor at sign-in so a stolen email password alone cannot reach producer or policy data.
Apply the policy once for the whole organization rather than asking each member to enable MFA on their own profile.
Lock the requirement against silent rollback so it cannot be turned off later by a member who gains access to settings.
See at a glance whether SMS OTP is currently optional or required across your organization.
Accessing Security Settings
Security lives behind the global Settings modal, not on a dedicated page, so you can open it from anywhere in the platform.
In the Left sidebar of any Turris page, click Settings (the gear icon at the bottom of the sidebar).
The Settings modal opens with a searchable, grouped navigation column on the left.
In the Organization group, click Security (the fingerprint icon). You can also type Security into the Search settings box at the top of the navigation column to jump straight to it.
What's visible on the page:
Element | Description |
Security banner | Headed "Security" with a one-line summary: "You can configure your organization's security settings, including authentication and authorization." |
Require SMS OTP label | The name of the policy, with a question-mark popover that reads: "Requires all members of this organization to add their mobile phone number as a second authentication factor." |
Require SMS OTP toggle | A right-aligned switch that turns the organization-wide SMS OTP requirement on. Once on, the switch is disabled and cannot be turned back off from this screen. |
Support help icon | A second question-mark popover that appears once SMS OTP is enabled, pointing to |
Note: The Security entry only appears in the Settings navigation if your role grants the Security setting permission. Members without that permission do not see the option at all, which is by design: only users authorized to change organization-wide security policy can reach the page.
Enabling Require SMS OTP
When you'd do this. Your organization handles licensing, appointment, and policy data on behalf of agencies and producers, and you want every member's account protected by a second factor at sign-in, without relying on each person to enable MFA on their own profile.
Open Left sidebar → Settings → Organization → Security.
Find the Require SMS OTP row in the right panel.
Click the Require SMS OTP toggle to switch it on.
A confirmation modal opens with the heading Require SMS OTP For All Members? and the message: "You will need to contact support to undo this change. Please confirm that you want to require SMS OTP for all organization members."
Click Require SMS OTP to confirm, or Cancel to back out without changing the policy.
On confirmation, the toggle slides to the on state and a green success alert reading "Organization updated successfully" appears.
After confirmation, three things change immediately:
The toggle becomes disabled in the UI. You cannot switch it back off from this screen.
A question-mark icon appears next to the toggle. Its popover reads: "To disable SMS OTP, please contact support at support@turrisfi.com."
Every member is required to register a phone number and complete SMS verification the next time they sign in. Sessions that are already active are not forced to log out.
Warning: Enabling Require SMS OTP cannot be reversed from this page. The toggle is intentionally one-way to prevent accidental rollback or a downgrade by a member who later gains access to settings.
Tip: Send your team a heads-up before flipping the toggle. Members will be prompted for a phone number on their next sign-in, and roaming or international users may need to confirm their carrier can receive SMS from US numbers.
Disabling Require SMS OTP
When you'd do this. You enabled SMS OTP earlier and now need to roll it back, for example because you are switching to a different MFA method, troubleshooting an SMS delivery problem with a member's carrier, or temporarily relaxing the policy during planned maintenance.
Because the toggle is disabled in the UI once enabled, deactivation goes through Turris support:
From an account associated with your organization, email support@turrisfi.com. Include your organization name and confirm that you want SMS OTP made optional again.
Wait for Turris support to confirm the change has been applied.
Re-open Settings → Security. The Require SMS OTP toggle is interactive again and shows the off state.
Note: Until support applies the change, every member continues to be prompted for SMS OTP at sign-in. Sessions that were already active before you requested the rollback remain valid.
Visual and Status Elements
State | Label | Meaning | What to do about it |
Toggle off (gray) | Require SMS OTP | SMS OTP is optional. Individual members may still opt in on their own profile, but it is not enforced organization-wide. | Decide whether your security posture requires MFA. If yes, enable the toggle and confirm. |
Toggle on (active color), interactive | Require SMS OTP | You are enabling the requirement. Clicking the toggle opens the confirmation modal. | Click Require SMS OTP in the modal to confirm, or Cancel if you're not ready. |
Toggle on (active color), disabled | Require SMS OTP | SMS OTP is currently enforced organization-wide and the toggle cannot be turned off from the UI. | If you need to disable it, email |
Green success alert | "Organization updated successfully" | The policy change was applied. | No action needed. Members will be prompted for SMS OTP on next sign-in. |
Red error alert | "Failed to update organization: ..." or "You do not have permission to update security OTP settings." | The change failed because of a server error, or because your role does not allow updating security settings. | Confirm your role grants the Security setting permission, then retry. If the error persists, email |
Frequently Asked Questions
Who can change Security settings? Members whose role grants the Security setting permission. Members without that permission do not see the Security entry in the Settings navigation, and if they reach it through a direct link the toggle rejects any change with a permission error.
Why is the toggle grayed out after I enable it? Disabling SMS OTP is intentionally locked behind a support request so the requirement cannot be turned off accidentally or by a member who later gains access to settings. This protects the organization from a one-click rollback of a security policy that took deliberate action to enable.
Will members who are already signed in be logged out? No. Existing sessions remain valid, but every member is required to register a phone number and complete SMS verification on their next sign-in.
What if a member cannot receive SMS messages? Email support@turrisfi.com. Support can reset that member's MFA so they can register a new phone number, or temporarily make SMS OTP optional for the whole organization while you troubleshoot.
Does enabling SMS OTP affect API clients or restricted access tokens? No. Programmatic access configured under the API (Settings) page authenticates with OAuth 2.0 client credentials and restricted access tokens, which do not use a magic link or SMS code. Member-level SMS OTP enforcement does not change how those credentials authenticate.
What if I do not have permission to update the page? The toggle still reflects the current state, but clicking it triggers a red error alert reading "You do not have permission to update security OTP settings." Ask an administrator with the Security setting permission to make the change, or update your role under Users (Settings).
Best Practices
Announce the change before flipping the toggle. Give your team at least a day's notice so members can confirm their phone numbers are ready to register before they are blocked at the next sign-in.
Verify mobile coverage for every member. International users and roaming team members should confirm their carrier accepts SMS from US numbers before you enforce the requirement.
Decide on the deactivation path in advance. Identify the administrator who would email support@turrisfi.com if you ever need to roll the policy back, so the response is not delayed by figuring out who has authority.
Re-audit the Security setting permission quarterly. During role reviews under Users (Settings), confirm that only members who should be able to change organization-wide security policy still hold the permission.
Re-check the Security page after every support rollback. If you ask support to disable SMS OTP, re-open Security after they confirm and verify the toggle is interactive again before assuming the policy has changed.
Related Pages
Agency Onboarding: Payment Details - Decide whether every invited agency must submit banking information before finishing onboarding.
Agency Onboarding: Pre-Contract Review - Decide whether invited agencies pause for a manual review before the producer agreement is sent.
Agency Onboarding: Upload Documents - Decide which compliance documents an invited agency must upload during onboarding.
API (Settings) - Generate API client credentials and restricted access tokens for backend and frontend integrations.
Settings: Business Rules - Configure organization-wide defaults for coverage, onboarding automation, screening, and policy compliance.
Agency Onboarding: Custom Questions - Build a custom drag-and-drop step that captures extra information during agency onboarding.
Settings: Email Domain - Register a custom sending domain so outgoing platform emails come from your own brand.
Settings: Integrations - Connect Turris to third-party tools such as HubSpot to keep agency and contact data in sync.
Settings: Personal Notifications - Choose which compliance, lifecycle, license, and policy events trigger emails or in-app alerts for your own account.
Settings: Template Agreements - Upload and manage the producer agreement templates used when inviting agencies.
Agency Onboarding Settings: Product and State Selections - Decide whether agencies pick distribution products and states during onboarding.
Settings: Products & Compliance - Define the products you distribute and the state-by-state license and appointment requirements that govern them.
Users (Settings) - Invite users, manage roles, and remove members who no longer need access.
Settings: Webhook - Register HTTPS endpoints that receive automated notifications when key compliance events occur.
Need Help?
If you have questions about Security Settings or encounter any issues, contact our support team at support@turris.com.