The two-person rule

Some secrets are too important to release on one person’s say-so. The two-person rule requires two or more distinct approvers from a group to countersign before a secret is released. No single person, and no single compromised device, can release a secret alone.

What it defends against

One approver acting alone cannot release a secret. That defeats a single rogue insider, and it defeats a single compromised device or stolen credential. An attacker would have to subvert several distinct approvers at once, not one.

Setting the count

The required count lives on the approver group and the approval policy that governs a path. Set it to any value from “any one” up to “all of them”. Raise the count for your most sensitive paths and leave routine ones lower.

A hard guarantee

This is enforced as a guarantee, not a checkbox. A policy edit cannot quietly switch it off and let one person release behind your back. If a path requires two approvers, two approvers countersign, every time.

The two-person rule is available on the Enterprise plan. See Approver groups for how to define the groups it draws from.