Alert & Enforcement Controls
Surface Security is designed to protect your employees without getting in their way. These settings let you tune three behaviors to fit your organization: exempting groups from password-reuse enforcement, turning off stale-device alerts, and how breached passwords are handled.
Exempt groups from password-reuse enforcement
By default, Surface Security warns or blocks when an employee reuses a corporate password on another site. Sometimes you need to make an exception — for example, a group of contractors, service accounts, or executives on a temporary carve-out — without turning off enforcement for everyone else.
You can do this from the Policies page.
How to set it up
- Go to Dashboard > Policies and create a new policy (or edit an existing one).
- Under Scope, choose who the exemption applies to:
- Everyone — exempts all users in the tenant.
- Specific Groups — exempts only the groups you select.
- Tick Disable password reuse protection.
- Save.
That's it — you don't need to add any conditions. Users in the selected scope will no longer be warned or blocked for reusing a password, even while your extension is in enforcement mode.
What it does and doesn't do
- Reuse is still detected and recorded. You keep full visibility in the dashboard and alerts; the exemption only removes the on-screen warning/block for those users.
- Other protections stay on. Phishing detection, breached-password warnings, data-loss prevention, and new-site protections all continue to apply to exempted users. Only password-reuse warn/block is suppressed.
- It's precise. Any custom policies you've written that key off "credential is not reused," or that only raise a silent alert, are unaffected.
Note: This exemption applies to a single tenant. If you manage multiple tenants from an MSSP/organization account, org-level policies do not carry this flag.
Turn off stale-device alerts
Surface Security raises an escalating alert when a device stops checking in:
| Inactive for | Alert severity |
|---|---|
| 7+ days | Low |
| 14+ days | Medium |
| 21+ days | High |
If these alerts are noise for your environment — for example, you have many seasonal or shared devices — you can turn them off entirely.
How to set it up
- Go to Dashboard > Settings > General.
- Tick Disable Stale Device Alerts.
- Save.
Devices are still tracked and appear on the Devices page as usual — only the inactivity alerts are suppressed. You can re-enable them at any time.
Breached-password warnings
Surface Security checks whether an employee's password appears in known public data breaches (using a privacy-preserving lookup — the password itself never leaves the device). A breached password is a serious risk: attackers try breached passwords against corporate logins constantly.
Here's how Surface Security handles them.
It warns — it never blocks
A breached password will never lock an employee out of their own account. Instead, the employee sees a clear, dismissable warning encouraging them to change it. This is true regardless of your enforcement mode — even in silent "learning" mode, breached-password warnings are shown, because employee safety comes before rollout tuning.
It warns while they're on the site
If an employee has a breached password saved for a site, Surface Security shows a warning banner the first time they visit that site each browser session — not just at the moment they log in. This keeps the reminder visible without nagging them on every page.
The warning looks like this:
Breached password in use — The password saved for this site was found in known data breaches. Change it to a unique password as soon as you can — your access is not blocked.
It confirms the change automatically
When the employee changes their breached password and next logs in with the new one, Surface Security detects the change:
- If the new password is clean, the warning simply stops — no further action needed.
- If the new password is also breached, the employee is warned again right away so they know to pick a stronger one.
There's nothing for the employee (or you) to click to "confirm" — it happens on their next login.
Note: Breached-password checking must be enabled for your tenant (Settings > General) for any of this to apply.
Quick reference
| Control | Where | Effect |
|---|---|---|
| Disable password reuse protection | Policies > (policy) > Scope | Exempts everyone or selected groups from reuse warn/block; detection and other protections stay on |
| Disable Stale Device Alerts | Settings > General | Stops 7/14/21-day inactivity alerts; devices still tracked |
| Breached-password warnings | Settings > General (enable HIBP) | Warns (never blocks) on-visit once per session; clears automatically when the password is changed |