Sign In Policy
Configure the baseline requirements for signing in to the Twingate Client.
The Sign In Policy defines the requirements that every user must meet to sign in to the Twingate Client. It acts as the first gate — users cannot view or access any Resources until the Sign In Policy is satisfied, even if those Resources have more permissive Resource Policies.
The Sign In Policy is configured under the Sign In Policy tab on the Policies page in the Admin Console.
Sign-in Requirements
The Sign In Policy has three configurable requirements:
Device Security
The user’s device must either meet the Approved Operating System requirements or match a Trusted Profile defined in Device Profiles. This requirement links directly to the Device Profiles configuration: any change you make to Device Profiles is automatically reflected in the Sign In Policy.
Devices that do not meet the Device Security Requirements are blocked from signing in to Twingate entirely.
Authentication Frequency
The authentication frequency determines how often a user must re-authenticate with your identity provider (IdP) to keep their sign-in session. Available intervals range from every 7 days to every 31 days.
The sign-in session timer uses a rolling window: it resets each time a Resource Policy re-authentication succeeds. Users who are actively accessing Resources that require re-authentication therefore have their sign-in session extended automatically. Note the consequence: the interval bounds how long a session can stay valid without any successful re-authentication, not the total lifetime of the session, so a user who keeps re-authenticating to Resources may not see a full IdP sign-in prompt for well beyond the configured interval.
If the sign-in session does expire, the user is signed out of the Twingate Client. To sign back in, Twingate will prompt the user to authenticate through the IdP.
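The following is an added model of the session timer behaviour described above; it is illustrative code written for this page, not Twingate Client code, and the event timeline it replays is constructed. It assumes (the page does not say) that a Resource Policy re-authentication attempted after the sign-in session has already expired cannot revive it, and it includes a hypothetical fixed-window mode purely to contrast it with the rolling window Twingate actually uses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DAY = timedelta(days=1)


@dataclass
class SignInSession:
    """Model of the Client sign-in session timer (illustrative, not Twingate code)."""
    auth_frequency: timedelta      # Sign In Policy authentication frequency (7..31 days)
    window_start: datetime         # last IdP sign-in or successful Resource re-auth
    rolling: bool = True           # False = hypothetical fixed window, for comparison only
    active: bool = True

    def expires_at(self) -> datetime:
        return self.window_start + self.auth_frequency

    def is_valid(self, now: datetime) -> bool:
        return self.active and now < self.expires_at()

    def on_resource_reauth(self, now: datetime) -> bool:
        """A successful Resource Policy re-auth resets the rolling window."""
        if not self.is_valid(now):
            # Assumption: an expired session is not revived; the user must
            # sign in through the IdP again.
            self.active = False
            return False
        if self.rolling:
            self.window_start = now
        return True

    def on_client_restart(self, now: datetime) -> bool:
        """Client restart or device reboot keeps the session; only the timer matters."""
        return self.is_valid(now)

    def sign_out(self) -> None:
        self.active = False


# Constructed timeline: (days after sign-in, event). The user signs in at day 0.
EVENTS = [
    (5, "reauth"),    # Resource Policy re-auth succeeds
    (6, "restart"),   # Client restarts; session should persist
    (11, "reauth"),   # another Resource re-auth, still inside the window
    (20, "check"),    # passive status probe after a long idle gap
    (26, "reauth"),   # re-auth attempt after the session has expired
]


def replay(events, auth_frequency_days: int, rolling: bool = True):
    """Replay (day, event) pairs; return ([(day, event, valid_after)], expiry_day)."""
    t0 = datetime(2024, 1, 1)
    session = SignInSession(auth_frequency_days * DAY, t0, rolling=rolling)
    history = []
    for day, event in events:
        now = t0 + day * DAY
        if event == "reauth":
            ok = session.on_resource_reauth(now)
        elif event == "restart":
            ok = session.on_client_restart(now)
        elif event == "signout":
            session.sign_out()
            ok = False
        else:  # "check"
            ok = session.is_valid(now)
        history.append((day, event, ok))
    expiry_day = (session.expires_at() - t0).days
    return history, expiry_day


if __name__ == "__main__":
    for rolling in (True, False):
        history, expiry = replay(EVENTS, 7, rolling=rolling)
        print("rolling" if rolling else "fixed", "window; session expires day", expiry)
        for day, event, ok in history:
            print(f"  day {day:2d} {event:8s} valid={ok}")
```

With a 7-day frequency the rolling window keeps the session alive until day 18 (seven days after the last successful re-auth on day 11), while a fixed window would have signed the user out at day 7 regardless of activity. In both cases the day 26 re-auth fails and the user must authenticate through the IdP again.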
MFA
You can require Twingate’s native multi-factor authentication at sign-in. When enabled, users must complete MFA each time they sign in to the Client, so how often they are prompted is governed by the authentication frequency above.
If you already require MFA through your IdP, enabling it in the Sign In Policy as well will result in users completing MFA twice during authentication. In most cases, configure MFA in one place — either the IdP or the Sign In Policy — not both.
How the Sign In Policy Relates to Resource Policies
The Sign In Policy and Resource Policies serve different purposes:
- The Sign In Policy controls whether the user can sign in to the Client at all. It is evaluated once at sign-in and again when the session timer expires.
- Resource Policies control whether the user can access a specific Resource. They are evaluated each time the user accesses a Resource and the policy’s authentication timer has expired.
Because Resource Policies provide per-Resource security controls, the Sign In Policy does not need to be restrictive. A lenient Sign In Policy (for example, a 30-day authentication frequency) reduces how often users see a full sign-in prompt, while Resource Policies enforce stricter requirements on the Resources that need them.
Sign-in sessions persist across restarts
The sign-in session is maintained when the Twingate Client restarts or the device reboots; the user does not need to re-authenticate unless the sign-in session timer has expired or they explicitly sign out. Resource Policy sessions, by contrast, are not maintained across restarts.
Admin Console Security
The Admin Console has its own separate sign-in policy, configured under Settings > Admin Console Security. This policy governs access to the Admin Console only and is independent of the Sign In Policy for the Client.