Secure your Optimizely Experimentation account

  • Optimizely Feature Experimentation
  • Optimizely Full Stack (Legacy)
  • Optimizely Web Experimentation
  • Optimizely Performance Edge
If your organization migrated to Opti ID, you must manage users in Opti ID. See the Opti ID user documentation.

You can increase the security of your Optimizely Experimentation account and minimize the vulnerability of your experiments, campaigns, and customer data.

The following best practices can help you secure and protect your account from malicious attacks and safeguard against possible attempts to compromise your account, site, and customer data, including attempts to hijack your site to post inappropriate content or to inject malicious scripting to steal confidential data. See also Optimizely Security.

Require two-step verification

You should require two-step verification for collaborators whose accounts you administer. Two-step verification requires you log in with a username and password, and then enter a code that is sent to your mobile phone, which gives you another layer of protection even if your password is compromised.

Go to Account Settings > Security and Privacy and check Require two-step Verification.

Give collaborators only necessary privileges

Assign each collaborator a role that provides the least amount of privileges necessary to contribute to the project.

When choosing a role for each collaborator:

  • The Editor role can accomplish most tasks.
  • The Viewer role is suitable for collaborators who review experiments and results but do not need to edit.
  • The Administrator and Project Owner roles can exercise full control over a project, including creating, editing, and starting experiments. These roles are powerful and present a greater security risk. Users who have Administrator or Project Owner privileges should enable two-step verification.

Set passwords to expire after 90 days

For added security, require collaborators on your account to reset their passwords every 90 days. Go to Account Settings > Security and Privacy and select Expire after 90 days.
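The role, two-step verification and password-age rules above are easy to check against a collaborator list. The following Python script is an added example, not Optimizely code or an Optimizely API: the collaborator records, their field names and the `edits_last_90_days` activity count are constructed for illustration, and an administrator would populate them from their own account review.

```python
"""Audit a collaborator list against the account-security policies on this page:
privileged roles need two-step verification, passwords rotate every 90 days,
and write access goes only to people who actually edit.

Constructed example: the records and field names below are assumptions made
for illustration; they are not Optimizely's data model or API.
"""
from dataclasses import dataclass
from datetime import date

PRIVILEGED_ROLES = {"Administrator", "Project Owner"}
PASSWORD_MAX_AGE_DAYS = 90


@dataclass(frozen=True)
class Collaborator:
    email: str
    role: str                 # Viewer, Editor, Administrator or Project Owner
    two_step_enabled: bool
    password_changed: date
    edits_last_90_days: int   # hypothetical activity count, assumed for the example


def audit(collaborators, today):
    """Return (email, finding) tuples; an empty list means every rule is satisfied."""
    findings = []
    for c in collaborators:
        # Administrator and Project Owner can start and edit experiments,
        # so a compromised password there is the highest-impact case.
        if c.role in PRIVILEGED_ROLES and not c.two_step_enabled:
            findings.append((c.email, "privileged role without two-step verification"))
        # Mirrors the "Expire after 90 days" setting for accounts that predate it.
        if (today - c.password_changed).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((c.email, "password older than 90 days"))
        # Least privilege: write access that is never used should become Viewer.
        if c.role != "Viewer" and c.edits_last_90_days == 0:
            findings.append((c.email, "no edits in 90 days; consider the Viewer role"))
    return findings


# Constructed sample data for a fixed audit date.
AUDIT_DATE = date(2024, 4, 1)
SAMPLE_COLLABORATORS = [
    Collaborator("admin@example.com", "Administrator", False, date(2023, 12, 15), 12),
    Collaborator("editor@example.com", "Editor", True, date(2024, 3, 1), 0),
    Collaborator("viewer@example.com", "Viewer", False, date(2024, 3, 20), 0),
    Collaborator("owner@example.com", "Project Owner", True, date(2024, 3, 25), 3),
]


def run_sample():
    """Audit the constructed sample; returns three findings."""
    return audit(SAMPLE_COLLABORATORS, AUDIT_DATE)


if __name__ == "__main__":
    for email, finding in run_sample():
        print(f"{email}: {finding}")
```

On the sample data the administrator is flagged twice (no two-step verification, stale password) and the inactive editor once; the viewer without two-step verification is not flagged because the page only calls for it on privileged roles, though the account-wide "Require two-step Verification" setting covers everyone.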


Enable single sign-on (SSO)

Optimizely Web Experimentation lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This lets your team log in to Optimizely Web Experimentation using their existing corporate credentials and eliminates the security risks associated with using a password. See also Get started with Opti ID.

Enable automatic timeout

In Optimizely Web Experimentation, enabling an automatic logout after 15 minutes of inactivity helps keep your account secure and PCI-compliant. If there is no mouse or keyboard activity for 15 minutes, every account you administer times out and unsaved changes are lost.

Go to Account Settings > Security and Privacy and check Automatically log out after 15 minutes of inactivity.