Skip to main content

Alert & Enforcement Controls

Surface Security is designed to protect your employees without getting in their way. These settings let you tune three behaviors to fit your organization: exempting groups from password-reuse enforcement, turning off stale-device alerts, and how breached passwords are handled.


Exempt groups from password-reuse enforcement

By default, Surface Security warns or blocks when an employee reuses a corporate password on another site. Sometimes you need to make an exception — for example, a group of contractors, service accounts, or executives on a temporary carve-out — without turning off enforcement for everyone else.

You can do this from the Policies page.

How to set it up

  1. Go to Dashboard > Policies and create a new policy (or edit an existing one).
  2. Under Scope, choose who the exemption applies to:
    • Everyone — exempts all users in the tenant.
    • Specific Groups — exempts only the groups you select.
  3. Tick Disable password reuse protection.
  4. Save.

That's it — you don't need to add any conditions. Users in the selected scope will no longer be warned or blocked for reusing a password, even while your extension is in enforcement mode.

What it does and doesn't do

  • Reuse is still detected and recorded. You keep full visibility in the dashboard and alerts; the exemption only removes the on-screen warning/block for those users.
  • Other protections stay on. Phishing detection, breached-password warnings, data-loss prevention, and new-site protections all continue to apply to exempted users. Only password-reuse warn/block is suppressed.
  • It's precise. Any custom policies you've written that key off "credential is not reused," or that only raise a silent alert, are unaffected.

Note: This exemption applies to a single tenant. If you manage multiple tenants from an MSSP/organization account, org-level policies do not carry this flag.


Turn off stale-device alerts

Surface Security raises an escalating alert when a device stops checking in:

Inactive forAlert severity
7+ daysLow
14+ daysMedium
21+ daysHigh

If these alerts are noise for your environment — for example, you have many seasonal or shared devices — you can turn them off entirely.

How to set it up

  1. Go to Dashboard > Settings > General.
  2. Tick Disable Stale Device Alerts.
  3. Save.

Devices are still tracked and appear on the Devices page as usual — only the inactivity alerts are suppressed. You can re-enable them at any time.


Breached-password warnings

Surface Security checks whether an employee's password appears in known public data breaches (using a privacy-preserving lookup — the password itself never leaves the device). A breached password is a serious risk: attackers try breached passwords against corporate logins constantly.

Here's how Surface Security handles them.

It warns — it never blocks

A breached password will never lock an employee out of their own account. Instead, the employee sees a clear, dismissable warning encouraging them to change it. This is true regardless of your enforcement mode — even in silent "learning" mode, breached-password warnings are shown, because employee safety comes before rollout tuning.

It warns while they're on the site

If an employee has a breached password saved for a site, Surface Security shows a warning banner the first time they visit that site each browser session — not just at the moment they log in. This keeps the reminder visible without nagging them on every page.

The warning looks like this:

Breached password in use — The password saved for this site was found in known data breaches. Change it to a unique password as soon as you can — your access is not blocked.

It confirms the change automatically

When the employee changes their breached password and next logs in with the new one, Surface Security detects the change:

  • If the new password is clean, the warning simply stops — no further action needed.
  • If the new password is also breached, the employee is warned again right away so they know to pick a stronger one.

There's nothing for the employee (or you) to click to "confirm" — it happens on their next login.

Note: Breached-password checking must be enabled for your tenant (Settings > General) for any of this to apply.


Quick reference

ControlWhereEffect
Disable password reuse protectionPolicies > (policy) > ScopeExempts everyone or selected groups from reuse warn/block; detection and other protections stay on
Disable Stale Device AlertsSettings > GeneralStops 7/14/21-day inactivity alerts; devices still tracked
Breached-password warningsSettings > General (enable HIBP)Warns (never blocks) on-visit once per session; clears automatically when the password is changed