MFA is now required for all CircleCI accounts that use email and password authentication

Enhancement

MFA Now Required

MFA is now required for all CircleCI accounts that use email and password authentication. Customers with active sessions will be prompted to set up MFA when their session expires.

For more information, see the docs.

Web Interface Session Length Has Changed

  • Active user session timeout reduced from 1 year to 30 days
  • Inactive user session timeout reduced from 2 weeks to 3 days

What This Means

  • Active user sessions will be required to re-authenticate after 30 days (previously 1 year).
  • Inactive accounts will be required to re-authenticate after 3 days (previously 2 weeks).
    • Email and password authentication users will be required to set up MFA on re-authentication.
  • SSO customers can still set custom session timeouts via their IdP.
  • This change applies to all CircleCI web interface sessions.

Why We’re Making This Change

The session length update brings CircleCI in line with NIST (National Institute of Standards and Technology) recommended security practices and reduces the risk of unauthorized access from dormant sessions.

Requiring MFA for all email and password authentication accounts improves overall account security and aligns with industry best practices.
